Skip to main content

Mondoo 8.7 is out!

ยท 3 min read

๐Ÿฅณ Mondoo 8.7 is out! This release includes public report viewing, improved policy filtering, and more!โ€‹

Get this release: Installation Docs | Package Downloads | Docker Container


๐ŸŽ‰ NEW FEATURESโ€‹

Public report viewing in cnspecโ€‹

Open source users: Want to scan your infrastructure with cnspec and instantly see a visual report on the results? Now you can! Upload scan results to mondoo.com. For 72 hours, you can view the graphical report is available to view and share with anyone.

Scan Summary

Report in Browser

Want reports for longer than 72 hours? Register your cnspec installation with Mondoo Platform for reports that never expire, asset relationships, security planning, regression alerting, and more.

๐Ÿงน IMPROVEMENTSโ€‹

Filter on enabled policiesโ€‹

Filtering in the registry now lets you show only policies that are enabled in the space.

Security Registry Filtering

๐Ÿ› BUG FIXES AND UPDATESโ€‹

  • Fix --asset-name flag not setting a custom asset name for all asset types.
  • Fix failure gathering data in the azure.subscription.network.ipAddress resource.
  • Add missing default resource values to gcp.project.bigqueryService and gcp.project.bigqueryService.dataset.accessEntry.
  • Add a more user-friendly error message when an unauthenticated client attempts to query CVE or EOL platform data.
  • Add a more user-friendly status error message when cnquery/cnspec receive invalid credentials.
  • Provide an error message in the ms365 provider when the certificate is malformed.
  • Set the ms365 provider's --client-id and --tenant-id command line flags as required.
  • Be clear in help that the ms365 provider allows for both PKCS #12/PFX and PEM format certificates.
  • Fix false negatives in the Google Cloud (GCP) Security policy's Ensure that Cloud Storage buckets have uniform bucket-level access enabled check.
  • Update the Linux Security policy's Ensure SSH root login is disabled or set to prohibit-password check to detect additional methods of preventing password-based logins from the root user.
  • Display values in nested arrays such as aws.ec2.securityGroups[1].ipPermissions[0] in the Asset Resource Explorer.
  • Display field-only queries such as github.repository.license.spdxId in the Asset Resource Explorer.
  • Fix display of queries with multiple nested resources such as gcp.project.bigquery.datasets {*} in the Asset Resource Explorer.
  • Don't count fixed CVEs in the Organization dashboard.
  • Group k8s-ingress assets under K8s Ingress in the fleet view instead of Others.
  • Fix the display of policies with variants in the registry.
  • Fix a page load error when selecting CVE lists in the organization overview.
  • Fix a failure displaying CVE data on an asset.
  • Fix editing of properties in variant policies.
  • Allow deleting private policies in the registry.
  • Resize data display in the Asset Resource Explorer to make it easier to get back to resource navigation.
  • Fix vendor advisories to list all included CVEs.
  • Allow re-scheduling integration scans and exports after a failure.