cnspec scan

Run a security scan on an asset based on one or more Mondoo policies.

To learn more, read Get Started with cnspec.

Synopsis

This command triggers a new policy-based scan on an asset. By default, cnspec scans the local system with the default policies built specifically for the platform. If you register cnspec with Mondoo, this command scans using the applicable enabled policies.

cnspec scan local

You can also specify a local policy and run it without storing results in Mondoo Platform:

cnspec scan local --policy-bundle POLICYFILE.yaml --incognito

In addition, cnspec can scan assets remotely using SSH. By default, cnspec uses the operating system's SSH agent and SSH config to retrieve the credentials:

cnspec scan ssh ec2-user@52.51.185.215

cnspec scan ssh ec2-user@52.51.185.215:2222

Examples: cloud

Scan AWS

cnspec scan aws --region us-east-1

To learn more, read Assess AWS Security with cnspec.

Scan Azure

cnspec scan azure --subscription SUBSCRIPTION_ID --group GROUP_NAME

To learn more, read Assess Azure Security with cnspec.

Scan Google Cloud (GCP)

cnspec scan gcp project PROJECT_ID

To learn more, read Assess Google Cloud Security with cnspec.

Scan Kubernetes

cnspec scan k8s

cnspec scan k8s MANIFEST_FILE

To learn more, read Assess Kubernetes Security with cnspec.

Scan Oracle Cloud Infrastructure (OCI)

cnspec scan oci

To learn more, read Assess Oracle Cloud Infrastructure (OCI) Security with cnspec.

Examples: SaaS

Scan GitHub

export GITHUB_TOKEN=YOUR_PERSONAL_ACCESS_TOKEN
cnspec scan github repo ORG/REPO

To learn more, read Assess GitHub Security with cnspec.

Scan GitLab

cnspec scan gitlab --group YOUR_GROUP_NAME --token YOUR_TOKEN

Scan Google Workspace

export GOOGLEWORKSPACE_CLOUD_KEYFILE_JSON=/home/user/my-project-6646123456789.json
cnspec scan google-workspace --customer-id 5amp13iD --impersonated-user-email admin@domain.com

To learn more, read Assess Google Workspace Security with cnspec.

Scan Jira

cnspec scan atlassian jira --host HOST_URL --user USER@DOMAIN --user-token YOUR_TOKEN

Scan Microsoft 365 (MS 365)

cnspec scan ms365 --certificate-path certificate.combo.pem --tenant-id YOUR_TENANT_ID --client-id YOUR_CLIENT_ID

To learn more, read Assess Microsoft 365 Security with cnspec.

Scan Okta

cnspec scan okta --organization your_org.okta.com --token API_TOKEN

To learn more, read Assess Okta Security with cnspec.

Scan Slack

cnspec scan slack --token API_TOKEN

To learn more, read Assess Slack Security with cnspec.

Examples: supply chain and containers

cnspec supports local containers and images as well as images in Docker registries.

Scan Docker

cnspec scan docker container b62b276baab6

cnspec scan docker image ubuntu:latest

Scan Harbor

cnspec scan container registry harbor.lunalectric.com

Scan ECR

cnspec scan container registry 123456789.dkr.ecr.us-east-1.amazonaws.com/repository

Scan GCR

cnspec scan gcp gcr PROJECT_ID

Scan Vagrant

cnspec scan vagrant HOST

Scan an inventory file

cnspec scan --inventory-file FILENAME

Scan an Ansible inventory file

ansible-inventory -i hosts.ini --list | cnspec scan --inventory-format-ansible --inventory-file -

Options

      --annotation stringToString   Add an annotation to the asset. (default [])
      --asset-name string           User-override for the asset name
      --detect-cicd                 Try to detect CI/CD environments. If detected, set the asset category to 'cicd'. (default true)
      --discover strings            Enable the discovery of nested assets. Supports: all,auto,container,container-images
  -h, --help                        help for scan
      --incognito                   Run in incognito mode. Do not report scan results to  Mondoo Platform.
      --inventory-format-ansible    Set the inventory format to Ansible.
      --inventory-format-domainlist Set the inventory format to domain list.
      --inventory-file string       Set the path to the inventory file.
  -j, --json                        Run the query and return the object in a JSON structure.
  -o, --output string               Set output format: compact, csv, full, json, junit, report, summary, yaml (default "compact")
      --output-target string        Set output target to which the asset report will be sent. Currently only supports AWS SQS topic URLs and local files
      --platform-id string          Select a specific target asset by providing its platform ID.
      --policy strings              Lists policies to execute. This requires --policy-bundle. You can pass multiple policies using --policy POLICY.
  -f, --policy-bundle strings       Path to local policy file
      --props stringToString        Custom values for properties (default [])
      --record string               Record all resource calls and use resources in the recording
      --score-threshold int         If any score falls below the threshold, exit 1.
      --sudo                        Elevate privileges with sudo.
      --use-recording string        Use a recording to inject resource data (read-only)

Options inherited from parent commands

      --api-proxy string   Set proxy for communications with Mondoo API
      --auto-update        Enable automatic provider installation and update (default true)
      --config string      Set config file path (default $HOME/.config/mondoo/mondoo.yml)
      --log-level string   Set log level: error, warn, info, debug, trace (default "info")
  -v, --verbose            Enable verbose output

Synopsis​

Examples: cloud​

Scan AWS​

Scan Azure​

Scan Google Cloud (GCP)​

Scan Kubernetes​

Scan Oracle Cloud Infrastructure (OCI)​

Examples: SaaS​

Scan GitHub​

Scan GitLab​

Scan Google Workspace​

Scan Jira​

Scan Microsoft 365 (MS 365)​

Scan Okta​

Scan Slack​

Examples: supply chain and containers​

Scan Docker​

Scan Harbor​

Scan ECR​

Scan GCR​

Scan Vagrant​

Scan an inventory file​

Scan an Ansible inventory file​

Options​

Options inherited from parent commands​

SEE ALSO​