Skip to main content

Mondoo 7.9 is out!

ยท 2 min read
Tim Smith
Mondoo Core Team

๐Ÿฅณ Mondoo 7.9 is out! This release includes a new Kubernetes Ingress resource and automatic discovery of Amazon ECR registries!โ€‹

Get this release: Installation Docs | Package Downloads | Docker Container

๐ŸŽ‰ NEW FEATURESโ€‹

Kubernetes Ingress resourceโ€‹

Problem: You want to ensure the security of Kubernetes Ingresses.

Solution: Mondoo now includes new resources for exploring and securing Kubernetes Ingress objects. New resources support exploring the Ingress objects themselves as well as the HTTP rules in each Ingress.

New Ingress resources:

Example cnspec shell query:

k8s.ingresses: [
  0: {
    annotations: {}
    namespace: "default"
    labels: {}
    manifest: {
      apiVersion: "networking.k8s.io/v1"
      kind: "Ingress"
      metadata: {
        creationTimestamp: null
        name: "no-tls-ingress"
        namespace: "default"
      }
      spec: {
        ingressClassName: "nginx"
        rules: [
          0: {
            host: "api.nexus.info"
            http: {
              paths: [
                0: {
                  backend: {
                    resource: {
                      apiGroup: "k8s.example.io"
                      kind: "MyKind"
                      name: "my-resource"
                    }
                  }
                  path: "/"
                  pathType: "Prefix"
                }
              ]
            }
          }
...

You can also automatically discover Ingress objects during your cluster scan with the --discover ingresses flag. With this flag, each Ingress object is scanned as an asset available in the Mondoo Console.

Stay tuned for new Ingress security policies and auto-discovery of HTTP/HTTPS endpoints so you can automatically discover incorrectly configured or expiring certificates.

Amazon ECR discovery supportโ€‹

Problem: To scan an AWS ECR registry, you have to know its address.

Solution: The cnquery/cnspec AWS scanner now automatically discovers and scans ECR registries.

Just type cnspec scan aws --discover ecs, or cnspec scan aws --discover all.

๐Ÿงน IMPROVEMENTSโ€‹

Improve EC2 instance discoveryโ€‹

When running cnspec scan aws --discover instances cnspec now uses EC2 Instance Connect and SSM to connect and remotely scan EC2 instances.

๐Ÿ› BUG FIXES AND UPDATESโ€‹

  • Improve the reliability of many controls in CIS and Mondoo Linux policies.
  • Change SSM-scanned instances to not show up as "Other" scans.
  • Avoid rate limiting in the AWS Lambda integration by reducing total API calls.
  • Improve help and resource autocomplete text.
  • Remove some unhelpful warning log messages in cnspec and cnquery.
  • Fix the display of long Kubernetes integration names in the Kubernetes integration page.
  • Fix login failures using the latest release of Safari on macOS and iOS.
  • Fix incorrect display of long organization IDs in the create organization window.