
🥳 Mondoo 10.4 is out! This release includes improved VMware CVE detection, NPM package detection, performance improvements, and more!

Get this release: Installation Docs | Package Downloads | Docker Container


VMware vSphere advisory & CVE detection​

Improved VMware vSphere advisory and CVE detection ensures you always have the latest advisories and CVEs flagged on both ESXi and vSphere assets.

VMware vulnerabilities

Resource Updates​


  • New cloudWatchLogsLogGroupArn field


  • Fix fetching the expiration field


  • New resource for fetching NPM packages installed on an asset


  • New files field
  • New cpe field on Windows assets

Performance improvements​

Who doesn't like getting something for free? With Mondoo 10.4, you get your scan results not only faster, but using significantly less memory at the same time. In testing with large asset scans, memory usage has dropped from ~950MB to just ~200MB, while scan times were cut in half.

Save SBOMs to disk​

Export SBOMs to a file with a new --output-target flag:

$ cnquery sbom docker debian:12 -o cyclonedx-json --output-target debian-12.json
→ discover related assets for 1 asset(s)

debian:12 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100%

$ head debian-12.json
"$schema": "",
"bomFormat": "CycloneDX",
"specVersion": "1.5",
"serialNumber": "urn:uuid:1685df36-e3f4-4174-b469-6bd9974a8c41",
"version": 1,
"metadata": {
"timestamp": "2024-02-20T10:49:41-08:00",
"tools": {
"components": [

New Azure snapshot scanning options​

New options for Azure snapshot scanning give you additional control over how Mondoo performs the scan:

  • Skip the cleanup and instead rely on Azure to perform the cleanup with a new --skip-snapshot-cleanup flag.
  • Scan snapshots that have already been attached to the VM with new --skip-snapshot-setup and --lun flags.

Expanded NIST 800 compliance evidence​

AWS NIST Best Practices policies now feed directly into Compliance Hub, so NIST security findings can be part of your automatic evidence gathering for audits.


  • Fix failures scanning container images.
  • Fix fetching CPEs on VMware platforms.
  • Display the correct SSH keys when remotely scanning hosts.
  • Fix failures in the EOL policy and improve output when a system approaches EOL.
  • Show just the severity icon for vulnerabilities instead of severity and scan result.
  • Fix failures running the shell and run commands.
  • Improve reliability of console results pagination.
  • Fix failures scanning Microsoft 365 and GitHub assets.
  • Improve display of scan results in Azure and Microsoft 365 when the result is nil.
  • Improve scan results output in the CIS AWS Foundations and Microsoft 365 Foundations benchmarks.
  • Don't error if a Kubernetes container cannot be discovered.
  • Add a property to the CIS AWS Foundations benchmark to allow controlling which ports are blocked on instances.
  • Improve rendering of the asset page on wide displays.
  • Fix incorrect CVE detection in .NET Runtime.
  • Prevent empty titles in CVEs when the published CVE is incomplete.


🥳 Mondoo 10.3 is out! This release includes Microsoft application vulnerability detection, expanded EOL/CVE detection, and more!

Get this release: Installation Docs | Package Downloads | Docker Container


Microsoft application CVE detection​

Expose additional critical vulnerabilities on your workstations and servers with new application vulnerability detection for Microsoft Edge, .NET Framework, and Visual Studio Code. Mondoo automatically flags vulnerable releases on the asset's Software tab. Links to relevant CVEs and Microsoft KB advisories help you understand the risk of outdated software releases in your environment.

Vulnerable Microsoft Edge


Paginate affected assets​

Have thousands of systems impacted by a security check? No problem with new asset pagination on the security check pages.

Performance improvements​

We refactored how Mondoo initiates scans, compiles CVE data, and executes the shell to make sure you get the best security results without waiting.

Reverse IP Lookup PTR record check in the Email Security policy​

Gmail now requires a reverse IP Lookup PTR record for your domain to accept emails. The Mondoo Email Security policy now includes a new "Ensure Reverse IP Lookup PTR record is set (DNS Forward confirmed)" check so you can validate your domain is ready for these new stringent Gmail requirements.
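What a forward-confirmed reverse DNS check verifies, as an added Python illustration (not the Mondoo policy's own query). The resolver functions and all records are constructed from documentation address ranges so the example runs offline; in practice the two lookups would go to a real resolver.

```python
import ipaddress

# Constructed sample records (RFC 5737 / RFC 3849 documentation addresses).
PTR_RECORDS = {
    "192.0.2.10": ["mail.example.com."],
    "2001:db8::10": ["mail.example.com."],
    "192.0.2.20": ["host-20.isp.example.net."],
    # 192.0.2.30 deliberately has no PTR record.
}
ADDRESS_RECORDS = {
    "mail.example.com": ["192.0.2.10", "2001:db8::10"],
    "host-20.isp.example.net": ["192.0.2.99"],  # does not point back
}


def sample_ptr(ip):
    """Hypothetical PTR lookup backed by the constructed table."""
    return PTR_RECORDS.get(ip, [])


def sample_addr(name):
    """Hypothetical A/AAAA lookup backed by the constructed table."""
    return ADDRESS_RECORDS.get(name, [])


def normalize_host(name):
    # DNS names are case-insensitive; PTR answers usually end with a dot.
    return name.rstrip(".").lower()


def same_address(candidate, target):
    """Compare textual addresses by value, tolerating malformed answers."""
    try:
        return ipaddress.ip_address(candidate) == target
    except ValueError:
        return False


def fcrdns(ip, ptr_lookup=sample_ptr, addr_lookup=sample_addr):
    """Forward-confirmed reverse DNS for one sending IP.

    Returns (status, confirmed_names) where status is:
      "no_ptr"            no PTR record exists for the address
      "forward_mismatch"  PTR exists, but no PTR name resolves back to the IP
      "pass"              at least one PTR name resolves back to the IP
    """
    target = ipaddress.ip_address(ip)  # also canonicalises IPv6 spelling
    names = [normalize_host(n) for n in ptr_lookup(str(target))]
    if not names:
        return "no_ptr", []
    confirmed = [
        name for name in names
        if any(same_address(addr, target) for addr in addr_lookup(name))
    ]
    return ("pass", confirmed) if confirmed else ("forward_mismatch", [])


if __name__ == "__main__":
    for address in ("192.0.2.10", "2001:0db8::0010", "192.0.2.20", "192.0.2.30"):
        print(address, fcrdns(address))
```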

Vulnerability data on Pop!_OS​

Mondoo now supports CVE detection for Pop!_OS, the Ubuntu-derived distribution for System76 laptops.

Ubuntu 24.04 EOL and CVE support​

Mondoo now detects the EOL date for the upcoming Ubuntu 24.04 release as well as package CVE data. The Ubuntu release doesn't come out until April, but this way you'll be secure from day one.


  • Simplify the description of EPSS data in CVE/Advisory console pages.
  • Fix fields not displaying correctly in the vulnmgmt.cves resource.
  • Fix querying CloudWatch metrics alarms where the SNS topic does not exist in the aws.cloudtrail.trails resource.
  • Add a friendly error message when the aws.cloudtrail resource is called without an ARN.
  • Don't report the core provider as needing to be updated.
  • Fix failures parsing time values in some AWS resources.
  • Fix dict value parsing in the gcp.buckets resource.
  • Remove duplicate Jira resource autocompletion in the shell.
  • Improve light mode in the registry and asset filters.
  • Add an empty state to the asset insights when no policies or vulnerability data are available.
  • Show an empty state for data queries when the scan result is an empty string, nil value, or 0.
  • Prevent empty titles in Microsoft KBs.
  • Fix scanning of AWS instances using SSM when the instance lacks tar.
  • Improve remediation instructions in the Google Cloud (GCP) Security policy.
  • Fix missing severities in some Scientific Linux security advisories.
  • Support RHEL-based distributions in the CIS Distribution Independent Linux "Ensure updates, patches, and additional security software are installed" check.
  • Improve query output and reliability in the CIS Amazon Web Services (AWS) Foundations Benchmark and AWS Best Practices policies.
  • Update Amazon 2023 and Fedora 38/39 EOL dates to reflect updated dates.
  • Fix CVE detection for some packages on Ubuntu 23.10.
  • Improve example cnspec/cnquery commands in the console.
  • Fix fetching policies from the public registry.
  • Fix failures in the CIS "Ensure journald service is enabled" check.
  • Improve the check reliability and output in the CIS AWS Foundations policy.


🥳 Mondoo 10.2 is out! This release includes key improvements in known exploitable vulnerability tracking, Slack team scanning, improvements to the space overview screen, and more!

Get this release: Installation Docs | Package Downloads | Docker Container


Additional sources for CVEs and Advisories​

For vulnerabilities that have known exploits in the wild, Mondoo now provides a link to the external citation from the CVE page.

  • For software vulnerabilities listed in the CISA Known Exploited Vulnerability (KEV) database.
  • For software vulnerabilities listed in Metasploit, Mondoo now provides a link to the exploit in the Metasploit source repository.

CVE with Metasploit

Find top vulnerabilities for spaces​

The Space overview now shows the top vulnerability in the space, as determined by the ratio of impacted assets and CVSS score.

Space overview with top vulnerability

slack.users performance improvements​

We continue to optimize fetching Slack data for large Slack workspaces. New optimizations for user fetching result in query times up to 25x faster.

New sshd.config.blocks field​

The sshd.config resource now includes a new blocks field that allows you to query configuration data defined in individual sshd match groups.

For example, if you have an sshd configuration file with a match group for sftp-users:

X11Forwarding yes

Match Group sftp-users
X11Forwarding no
PermitRootLogin no
AllowTCPForwarding yes

Previously using the sshd.config.params field would show you both instances of the X11Forwarding configuration without the context necessary to understand where this configuration is applied:

> sshd.config.params.X11Forwarding

Using blocks you can dive deeper to see exactly which users get each configuration option:

> sshd.config.blocks { criteria params }
sshd.config.blocks: [
  0: {
    criteria: ""
    params: {
      X11Forwarding: "yes"
    }
  }
  1: {
    criteria: "Group sftp-users"
    params: {
      AllowTcpForwarding: "yes"
      PermitRootLogin: "no"
      X11Forwarding: "no"
    }
  }
]
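To show why the per-block view matters when auditing, here is an added Python sketch (not Mondoo's implementation) that splits an sshd configuration into a global block plus one block per Match line, then reports which global settings a Match block overrides. It assumes single-valued keywords where the first value in a block wins, and it lowercases keyword names because sshd treats them case-insensitively.

```python
import re

# Constructed sample: the configuration shown above.
SAMPLE_CONFIG = """\
X11Forwarding yes

Match Group sftp-users
    X11Forwarding no
    PermitRootLogin no
    AllowTCPForwarding yes
"""


def parse_blocks(text):
    """Return [{'criteria': str, 'params': dict}, ...] in file order.

    Block 0 has criteria "" and holds the global settings. Every Match
    line opens a new block that runs until the next Match line or EOF.
    """
    blocks = [{"criteria": "", "params": {}}]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts "Keyword value" as well as "Keyword=value".
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            blocks.append({"criteria": value, "params": {}})
        else:
            # First value obtained for a keyword is the one that applies.
            blocks[-1]["params"].setdefault(keyword, value)
    return blocks


def overrides(blocks):
    """List (keyword, global_value, criteria, match_value) for every
    setting a Match block changes relative to the global block."""
    global_params = blocks[0]["params"]
    found = []
    for block in blocks[1:]:
        for keyword, value in block["params"].items():
            if keyword in global_params and global_params[keyword] != value:
                found.append(
                    (keyword, global_params[keyword], block["criteria"], value)
                )
    return found


def effective(blocks, criteria):
    """Settings that apply to a connection matching exactly `criteria`:
    global values, replaced by values from Match blocks with that criteria."""
    matched = {}
    for block in blocks[1:]:
        if block["criteria"] == criteria:
            for keyword, value in block["params"].items():
                matched.setdefault(keyword, value)
    return {**blocks[0]["params"], **matched}


if __name__ == "__main__":
    parsed = parse_blocks(SAMPLE_CONFIG)
    for keyword, before, criteria, after in overrides(parsed):
        print(f"{keyword}: {before!r} globally, {after!r} for Match {criteria}")
```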


  • More consistent asset names on *nix-based assets.
  • Fix infinite loading of the integrations sidebar.
  • Improve display of platforms in variant policies.
  • Improve the description of EPSS data on CVE and advisories pages.
  • Improve retries and timeouts for provider downloads.
  • Fix malformed policy downloads from the registry when a policy contains variants.
  • Fix missing platform icons for policies with variants.
  • Fix an error hovering over policies in the registry when colorblind mode is enabled.
  • Use a consistent font size for all exceptions in exception tabs.
  • Ensure all unapproved exceptions are expanded by default in exception tabs.
  • Remove the "Space created" item from the exceptions tabs.
  • Improve rendering of the asset's software list in the print view.
  • Removed failing Azure Entra ID checks from the Mondoo Azure policy.
  • Improved the reliability and output of queries in the CIS Azure and MS 365 benchmark policies.
  • Fix data queries showing as failing checks in the console.
  • Add wrapping for long asset annotation text values on the asset page.
  • Fix failures loading unscored assets.
  • Improve the display of tooltips in light mode.
  • Improve error messages due to authentication failures in the ms365 provider.
  • Fix authentication failures with cnquery run ms365.
  • Avoid running a command more than once in some situations when using the processes resource.
  • Resolve Microsoft 365 integration timeouts due to scan errors.
  • Improve scan time performance by caching failures.
  • Fix a crash in the aws.iam.virtualMfaDevices resource due to insufficient IAM permissions.
  • Fix an error fetching some fields in the aws.cloudtrail.trails resource.
  • Fix an error fetching Microsoft Teams policy data.
  • Resolve a failure to fetch policies when scanning.
  • Improve the counts of checks and queries displayed for assets.


🥳 Mondoo 10.1 is out! This release includes application CVE detection, CIS MS365 benchmark 3.0, expanded asset overview data, and more!

Get this release: Installation Docs | Package Downloads | Docker Container


Application CVE detection​

We've all been on the Zoom meeting when our coworkers share their screens and every browser window shows the "relaunch to update" badge. How long has Bob in accounting been browsing the web with that unpatched browser? A day? A week? A month? It's hard to know your organization's level of exposure if vulnerability scanning stops at the OS. Go further with new application CVE detection for non-OS installed packages, starting with the detection of vulnerable Mozilla Firefox and Google Chrome releases.

A new Software tab on the asset detail page shows Mondoo-detected software vulnerabilities. Details include impact level and additional risk factors if known exploits exist for the application.

Software vulnerabilities

Want to view data on an asset's individual vulnerabilities? New Vulnerabilities and Advisories tabs let you dive directly into the individual risks on your assets.



CIS Microsoft 365 Foundations 3.0 policy​

Mondoo now includes version 3.0 of the CIS Microsoft 365 Benchmark policy. This updated policy includes new and updated checks to keep your Microsoft 365 environment secure, including:

  • 10 new Microsoft Teams checks
  • 8 new Microsoft SharePoint checks
  • 6 new Microsoft Power BI checks
  • 15 updated checks with improved descriptions, remediations, and query values

Improved CIS Azure Foundations policy queries​

Reworked queries in the CIS Azure Foundations Benchmark policy provide more reliable results and improved output so you can quickly find and secure your Azure resources.

Improved asset overview information​

Understand your assets at a glance using expanded asset overview information in Mondoo 10.1. New cloud, hardware manufacturer, hardware model, and serial number data are included for operating systems, allowing you to quickly track down assets.

Asset overview data

Expanded macOS and Windows inventory packs​

We've expanded the Windows and macOS inventory packs to expose critical asset configuration data.

macOS queries​

  • SMBIOS system information
  • Storage data
  • Power data
  • Network data
  • Configuration profile data
  • Uptime
  • Running processes
  • Kernel modules
  • Mounts
  • Active network connections
  • SSHd configuration

Windows queries​

  • Uptime
  • Running processes
  • Scheduled tasks
  • Expanded data for BitLocker volumes
  • Expanded data for security products
  • Expanded data for services

CVE detection on Linux Mint​

Keep your Linux workstations fresh with expanded CVE detection support for Linux Mint.

Improved Azure authentication​

No matter how you pass your authentication, Mondoo has your back with expanded authentication capabilities for scanning Azure subscriptions. Previously, running cnspec scan azure only loaded authentication credentials from the Azure CLI. Now, scans can also load credentials from shell environment variables, workload identity, and managed identity, in addition to the CLI configuration.

CVSS scores in JSONL exports​

Data integrations now export JSONL data with CVSS scores, so you can feed this critical risk data into external systems that consume your data exports.

Resource improvements​

Dive deep into your Azure environment in the cnquery shell and create custom policies with an expanded MQL resource.


  • New zones field
  • New state field
  • New isRunning field


  • Improve formatting in policy description fields.
  • Fix crash on empty array.flat with no type information.
  • Fix CIS Red Hat Level 2 policy queries applying to non-Red Hat assets.
  • Improve reliability of Linux sudoers checks.
  • Change Slack provider retry logging messages from info level to debug.
  • Reduce network IO during CVE scans.
  • Improve error messages if a provider crashes.
  • Improve the reliability and readability of queries in the CIS Azure Foundations policy.
  • Prevent MS365 SOC 2 checks from running on non-MS365 platforms.
  • Fix exceptions incorrectly displaying in some situations.
  • Fix long-lived token usage failures in the AWS integration.
  • Prevent failures in the Linux Inventory query pack on container image scans.
  • Added back support for scanning systems via WinRM.
  • Reduce memory usage during asset scans.
  • Improved logging when cnquery/cnspec fails.
  • Improve scan results for large Slack accounts.
  • Return a helpful error when the specified provider cannot be found.
  • Fix failures running the aws.efs.filesystem resource.
  • Fix failures in the azure.subscription.sqlService.firewallrule resource.
  • Fix missing image for hosts in weekly spaces emails.
  • Improve descriptions of EPSS scores on CVE pages.
  • Fix a panic when trying to fetch AWS S3 bucket locations in some situations.
  • Exit 1 when cnspec or cnquery can't connect to the asset to scan.
  • Show a friendly message on the space settings page for API tokens when the user does not have permission.
  • Avoid displaying partial scan results in the console.


🥳 Mondoo 10.0 is out! This release includes detection of known exploited vulnerabilities, EPSS scores for CVEs, a new light mode, and more!

Get this release: Installation Docs | Package Downloads | Docker Container


Expose exploitable CVEs​

Mondoo now flags CVEs found in CISA's Known Exploited Vulnerabilities Catalog. These CVEs are critically important to patch in your environment. Now you can track the patching status across your fleet to prioritize work.

Individual CVE pages include an exploitable badge when a CVE is in the CISA Known Exploited Vulnerabilities Catalog:

Exploitable badge

From the CVEs page, a new yellow shield badge designates Known Exploited Vulnerabilities Catalog CVEs.

Exploitable CVEs

EPSS scores for CVEs​

Now that you're done patching all the actively exploited vulnerabilities in your environment, what should you do next? What if you could identify vulnerabilities with a high likelihood of being exploited in the wild in the near future? That's the focus of the Exploit Prediction Scoring System (EPSS). Now Mondoo CVE pages include EPSS data so you can see how likely a vulnerability is to be exploited soon, along with the risk when that occurs. Use this additional data to spend your precious time patching the right systems before attackers hit.

EPSS scores for CVEs

Console light mode​

Do you feel like you merely adopted the dark instead of being born into it? Maybe it's time for a change. Now you can switch from the Mondoo Console's default dark mode to a new light mode.

Enable light mode by selecting the sun icon in the toolbar.

Enabling light mode

With light mode enabled, enjoy a brighter Mondoo!

Light mode dashboard

Policy stats on asset policy pages​

The asset page's Policy tab now includes overview information summarizing the policies and results for an asset.

Policy stats

Find your spaces with ease​

Are you accumulating spaces as you secure more and more of your infrastructure? Now a space search makes it easy to find the space you need. The Spaces page for an organization also now includes pagination.

Spaces page with search

Control policies using the CLI​

Consider yourself a CLI wizard? You'll be happy to know you can now use the CLI to set how your policies execute on assets. The new cnspec policy commands give you complete control within the CLI:

cnspec policy [command]

Available Commands:
delete Delete a policy from the connected space
disable Disables a policy in the connected space
download download a policy to a local bundle file
enable Enables a policy in the connected space
format Apply style formatting to one or more policy bundles
info Show more info about a policy from the connected space
init Create an example policy bundle
lint Lint a policy bundle
list List enabled policies in the connected space
upload Upload a policy to the connected space


As this is a major release of Mondoo's cnspec and cnquery tools, we have made two relatively small breaking changes:

  • We removed the --share flag in cnspec. To learn about other ways to report scan results, read Report Results.
  • We renamed aws-ec2-volume and aws-ec2-snapshot to aws-ebs-volume and aws-ebs-snapshot when using asset discovery to scan AWS accounts.


Scan performance improvements​

New policy fetching and reporting optimizations in Mondoo 10 mean complex scans now execute nearly twice as fast and use 1/3 of the network bandwidth of previous 9.x releases.

MQL improvements​

New helpers in MQL make it simpler to write and interpret complex security queries.

recurse helper for dicts​

The recurse helper makes it easy to extract data from a dict structure made up of mixed value types.

For example, suppose you need to retrieve all users from this JSON data structure:

{
  "users": [{ "name": "bob" }],
  "owners": {
    "admins": [{ "name": "joy", "isOwner": true }]
  }
}

Because of the varying data types, finding users in this structure is difficult with traditional mechanisms. You need to understand the data structure and know where to search.

recurse eliminates that difficulty:

jdata.recurse( name != empty )
  0: {
    name: "bob"
  }
  1: {
    isOwner: true
    name: "joy"
  }

You can then map the user names:

jdata.recurse( name != empty ).map(name)
0: "bob"
1: "joy"
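The same search written out in Python, as an added sketch of the behavior shown above (it is not how MQL implements recurse). It goes one step further than the MQL output by also recording the path at which each match was found; the function names and the `$` path notation are choices made for this example.

```python
import json

# Constructed sample: the JSON structure from the text above.
SAMPLE = json.loads("""
{
  "users": [{ "name": "bob" }],
  "owners": {
    "admins": [{ "name": "joy", "isOwner": true }]
  }
}
""")


def recurse(node, predicate, path="$"):
    """Depth-first walk over nested dicts and lists.

    Returns a list of (path, dict) for every dict that satisfies
    `predicate`, in document order. Scalars are never matched themselves;
    only the dicts that contain them are tested.
    """
    matches = []
    if isinstance(node, dict):
        if predicate(node):
            matches.append((path, node))
        for key, value in node.items():
            matches.extend(recurse(value, predicate, f"{path}.{key}"))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            matches.extend(recurse(item, predicate, f"{path}[{index}]"))
    return matches


def has_name(entry):
    """Counterpart of `name != empty`: the key exists and is not blank."""
    return entry.get("name") not in (None, "", [], {})


def is_owner(entry):
    """Example of a second predicate: flag every object marked as owner."""
    return entry.get("isOwner") is True


def names(data):
    """Counterpart of `.map(name)` applied to the matches."""
    return [entry["name"] for _, entry in recurse(data, has_name)]


if __name__ == "__main__":
    for where, entry in recurse(SAMPLE, has_name):
        print(where, entry)
    print(names(SAMPLE))
```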

Named arguments in functions​

You can set a named argument in a function. This is useful in situations where you can only use one expression (such as with all or one). It also makes the code easier to understand, especially when nesting across multiple objects, as in this example:

user.uid == group.gid

in helper for lists of strings​

For lists of strings, you can use the in assertion, which is the inverse of contains:


An ideal use for in is to combine it with properties. For example, if you define a property named allowedCiphers, you can assert that a configured cipher is in that list: props.allowedCiphers )

Resource improvements​

This release includes new resources and resource fields to expose important details for asset inventory and custom security policies.


  • New resource with createdAt field


  • New createdAt field
  • New engineVersion field
  • New port field


  • Add direction field


  • New sharedMailboxes field


  • New resource with identity, user, and externalDirectoryObjectId fields

Group vulnerable packages by architecture​

Vulnerability advisory pages now group affected packages by architecture for easier discovery and evaluation.

Packages sorted by architecture

PowerShell remediation steps in Windows policies​

Windows policy checks now include PowerShell remediation steps in addition to the existing Group Policy steps, so you can remediate findings whatever way works best for you.

PowerShell remediation steps

Simplified policy control​

You can now change a policy's state directly from the Security Policies page. Now you can enable, disable, or preview policies without having to find them in the Registry.

Change policy state in the security policies page

Control scan as service execution​

You can now pass in alternative values to cnspec serve to configure the timer and its splay.

> cnspec serve --help
Start cnspec in background mode.

cnspec serve [flags]

-h, --help help for serve
--inventory-file string Set the path to the inventory file
--splay int randomize the timer by up to this many minutes (default 60)
--timer int scan interval in minutes (default 60)

Global Flags:
--api-proxy string Set proxy for communications with Mondoo API
--auto-update Enable automatic provider installation and update (default true)
--config string Set config file path (default $HOME/.config/mondoo/mondoo.yml)
--log-level string Set log level: error, warn, info, debug, trace (default "info")
-v, --verbose Enable verbose output

To run cnspec serve from the CLI:

> cnspec serve --timer 30 --splay 30
→ start cnspec background service
→ scan interval is 30 minute(s) with a splay of 30 minutes(s)

If cnspec is running as a service, it is easier to configure the timer and the splay in the configuration:

timer: 5
splay: 10
auto_update: true

Custom provider paths​

Define a custom path to store cnspec and cnquery providers with the new PROVIDERS_PATH variable. Set this variable in your shell profile or change the path one time directly on the CLI:

PROVIDERS_PATH=$PWD/.providers cnquery providers install os

Updated Linux EOL dates​

We've updated many Linux distribution EOL dates based on vendor timeline updates:

  • Extend EOL date of EuroLinux 9 to June 30, 2032
  • Extend EOL date of Fedora 37 to December 5, 2023
  • Extend EOL date of openSUSE Linux 15.4 to December 7, 2023
  • Extend EOL date of Oracle Linux 7 to December 1, 2024
  • Extend EOL date of Oracle Linux 9 to December 30, 2032
  • Extend EOL date of Ubuntu Linux 23.04 to January 20, 2024
  • Fix the EOL date of Red Hat Enterprise Linux 7 to be August 6, 2019

Apple model detection​

Asset platform information now includes the human-friendly form of the Mac model designation, including the year of release, so you can more easily understand scanned IT assets.

Platform overview with Mac model information


  • Do not show unknown assets in the affected assets page.
  • Immediately refresh the page after creating or removing an exception in Compliance Hub.
  • Improve listing of CVEs and pagination to ensure all CVEs are always displayed.
  • Respect the --log-level command line flag within provider plugins.
  • Fix auditpol resource failures on non-English Windows systems.
  • Improve content alignment on the Compliance Hub frameworks page.
  • Support vulnerable package data on the EndeavourOS Linux distribution.
  • Fix technology naming and images in the weekly space overview email.
  • Fix alignment of compliance framework tiles.
  • Fix the exception creation dialog not always closing after creating an exception.
  • Do not fail on time parsing errors.
  • Fix failures shutting down providers in some scenarios.
  • Fix fetching of the ID for Azure SQL Server firewall rules.
  • Fix an error in the attributes field of the aws.elb.classicLoadBalancers resource when fetching classic ELBs.
  • Add an error message when using the aws.elb.loadbalancer resource without a load balancer type argument.
  • Add an error message when using the aws.applicationAutoscaling resource without a namespace argument.
  • Show managed clients (if present) in the Integrations section of the sidebar.
  • Handle deprecated configurations in the Mondoo Kubernetes Operator.
  • Resolve errors running the files.find resource on containers.
  • Ensure any provider can run resources in the OS provider.
  • Improve CVSS score rendering.


🥳 Mondoo 9.14 is out! This release includes agentless Azure VM scanning, new MQL helpers, and more!

Get this release: Installation Docs | Package Downloads | Docker Container


Scan Azure VMs / snapshots / disks​

Use new Azure scanning capabilities to scan running VMs, instances, or disks without deploying or managing agents.

Scan snapshots of your VMs to perform agentless scans without impact to your running workloads:

cnspec scan azure compute snapshot <snapshot-name> --client-id <id> --tenant-id <id> --client-secret <value>

Scan snapshots outside your current resource group using the fully qualified Azure resource ID:

cnspec scan azure compute snapshot "/subscriptions/subId/resourceGroups/my-rg/providers/Microsoft.Compute/snapshots/test-debian-snap" --client-id <id> --tenant-id <id> --client-secret <secret>

Scan disks on running VMs with automatic running disk cloning:

cnspec scan azure compute disk <disk-id> --client-id <id> --tenant-id <id> --client-secret <value>

Not concerned about the impact to running workloads? Scan VMs directly without managing agent deploys:

cnspec scan azure compute instance <instance-name> --client-id <id> --tenant-id <id> --client-secret <value>

New MQL helpers for policy authoring​

New helpers for MQL give you the power to create robust security and compliance policies to meet your custom business needs.

Quickly access data in a map​

Use dot notation to access data in maps:

cnquery> {a: 1, b: 2, c:3}.a
[a]: 1

Check whether a time is within a range​

See if time values fall within a range. This works with all timestamps:

cnquery> password.lastChangedDate.inRange(*,
[ok] value: true

Check whether a number is within a range​

See if an integer value is within a range:

cnquery> 2.inRange(1,3)
[ok] value: true

Check strings against a list of values

Check a string value against a list of acceptable values.

cnquery> "PASS".in(["PASS","ALLOW","OK"])
[ok] value: true

Parse duration values​

Work with duration values using a new duration helper:

cnquery> parse.duration("3d")
parse.parse.duration: 3 days
cnquery> parse.duration("7days")
parse.parse.duration: 7 days

Check the contents of maps​

Check keys, values, and combinations of the two within maps:

{'a': 1, 'b': 2}.contains( key == 'b' )
{'a': 1, 'b': 2}.all( value > 0 )
{'a': 1, 'b': 2}.one( value != 1 )
{'a': 1, 'b': 2}.none( key == /d-f/ )

Semantic version parsing​

Compare versions without the need for complex integer parsing:

cnquery> semver('1.9.0') < semver('1.10.0')
[ok] value: "1.9.0"

New Email Security policy​

A new Email Security policy includes 14 new checks for critical email security protocols, including:

  • Sender Policy Framework (SPF)
  • Domain Keys Identified Mail (DKIM)
  • Domain-based Message Authentication, Reporting & Conformance (DMARC)

This policy really shines with our continuous domain and IP scanning integration (released in Mondoo 9.11). It's also handy on the CLI using cnspec.

Email Security policy checks

New Terraform Asset Inventory Pack​

Use the new Terraform Asset Inventory Pack to inventory versions and resources within your Terraform state files, including resources on AWS, Azure, and GCP clouds.

Terraform state file inventory


macOS and Windows policy data queries moved to query packs​

To give you additional control over when cnspec collects configuration data on your assets, we've moved all data queries from our macOS and Windows security policies to the dedicated asset inventory query packs. For those who want security scanning only, this change speeds up cnspec scans. If you want to continue collecting this configuration data, enable the macOS and Windows asset inventory query packs in your space.

Expanded MQL resources​


  • Fix members field to properly fetch cluster members
  • New port field
  • New endpoint field
  • New availabilityZones field


  • New port field
  • New endpoint field


  • Add type field to the default resource output


  • Add path field to the default resource output


  • Add source field to the default resource output


  • Add identifier field to the default resource output


  • Do not include out of scope control PDFs in the framework report archive.
  • Show correct exception counts in Compliance Hub controls and PDF reports.
  • Fix platform filters on Entra ID checks in the SOC 2 Security policy.
  • Prevent Kubernetes operator from failing if it cannot report scan results.
  • Add retries to provider installations.
  • Fix the status command to respect HTTP proxies.
  • Improve console load times with a 21% reduction in the size of JavaScript files.
  • Improve service restarts when upgrading Windows clients via the install.ps1 script.
  • Fix scanning registry keys over WinRM connections.
  • Don't require downloading the OS provider to collect basic OS configuration information.
  • Ensure the appropriate providers are installed when running cnspec bundle init.
  • Fix errors in the user and group resources when specifying a single user / group to query.
  • Fix the Mondoo package version to match that of cnspec and cnquery on Arch Linux.
  • Fix incorrect rendering of some CIS policies.
  • Update the EOL date for Windows 10 Pro LTSC.
  • Fix package vulnerability data not loading for some Linux distribution releases.


🥳 Mondoo 9.13 is out! This release includes check exceptions and scope definition in Compliance Hub, an updated vendor advisories view, and more!

Get this release: Installation Docs | Package Downloads | Docker Container


Scoping in Compliance Hub​

New scoping in Compliance Hub gives you fine-grained management of which controls you report to your auditor. Is your auditor not requesting a particular control even though it's part of the compliance framework? Select the control in Compliance Hub and mark it out of scope. With scoping, you decide what to include in your audit without setting exceptions (which would appear in audit report PDFs).


Check exceptions in Compliance Hub​

Need more time to remediate findings for your audit? Now you can set exceptions on individual checks. Explanations let you communicate work to be done or identify compensating controls.

Check Exceptions


Improved vendor security advisory view​

Redesigned vendor security advisory pages make it easier to understand the impact of an advisory and what actions you need to take next.

Advisory page

Resource updates​

We've added new resources and fields to give you access to even more data.


  • Default fields now display name, region, status, runningTasksCount, and pendingTasksCount
  • New region field


  • New securityGroups field


  • New spoSites field​

  • New resource with url and denyAddAndCustomizePages fields


  • Fix failures running cnspec vuln on Windows and Pop!_OS hosts.
  • Include the platform IDs and EC2 instance ARNs in SBOM exports.
  • Add back ECR and ECS discovery using the --discovery flag that was removed in 9.0.
  • Replace incorrect error message when failing to query Amazon GuardDuty.
  • Do not show disabled compliance controls in cnspec scans.
  • Don't clip the bottom pixels of the Mondoo logo in the console.
  • Update the macOS client installation setup instructions in the integrations page to install without Homebrew.
  • In exceptions lists, show the most recent exceptions first in each day's view.
  • Avoid failures running the Asset Count Query Pack on Microsoft 365 assets.
  • Fix remediation steps in the Linux Security policy's "Ensure SSH Idle Timeout Interval is configured" check. Thanks for this fix, @tomtrix!
  • Add properties to CIS/Mondoo Windows policies to allow tuning the maximum idle time of the Remote Desktop Services sessions.
  • Fix policy filtering on the asset checks page.
  • Improve console load times on low bandwidth connections by 70%.
  • Don't show the filter search bar on the asset checks page if there are no checks.
  • Prevent failures on Azure and Microsoft 365 assets in the SOC 2 Compliance Checks policy.
  • Improve the display of summary data on CVE pages.
  • Add tooltips to risk factors on CVE pages to make it easier to understand scoring.
  • Fix failures registering cnspec/cnquery 8.x clients.
  • Fix failures generating compliance PDF reports.
  • Improve performance loading CVE/advisory pages, individual asset pages, and the security dashboard.
  • Add an Alias directive to the system unit file definition for cnspec.
  • Update VMware Photon 4 EOL date.
  • Simplify Linux client installation on integration pages by using the script.
  • Fix errors setting an exception in compliance frameworks that are still in preview.
  • Improve check titles in the AWS Security and DNS Security policies.
  • Improve rendering of codeblocks in the Kubernetes Cluster and Workload Security policy.

· 5 min read

🥳 Mondoo 9.12 is out! This release includes improved asset UX, expanded AWS/MS365 resources, and more!

Get this release: Installation Docs | Package Downloads | Docker Container


Check overview summary information​

We added an overview to the Checks tab for each of your assets. Now you can quickly grasp the state of checks and see the most important recommended actions.

Check Overview

View exceptions on policy cards​

New information on the Overview tab for each asset exposes exceptions at a glance. For each policy applied to the asset, you can now see whether (and how many) exceptions are applied.

Exceptions Overview


Updated weekly email notifications​

We rebuilt the Mondoo weekly organization overview emails from the ground up to deliver the most important information about your spaces... and with a fresh new design to top it all off. The email still shows an overview of scores in your spaces, but now also includes top vulnerabilities, end-of-life assets, and a count of improving vs. worsening asset scores.

Check Overview

New fields and defaults in resources​


  • Default fields now display domainName, issuer, createdAt, and notAfter
  • New keyAlgorithm field
  • New serial field
  • New source field
  • New issuer field
  • New issuedAt field
  • New importedAt field


  • New status field
  • New sizeBytes field


  • Default fields now display name, type, and region
  • New createdAt field


  • New storageEncrypted field
  • New storageAllocated field
  • New storageIops field
  • New storageType field
  • New status field
  • New createdTime field
  • New backupRetentionPeriod field
  • New autoMinorVersionUpgrade field
  • New clusterDbInstanceClass field
  • New engine field
  • New engineVersion field
  • New publiclyAccessible field
  • New multiAZ field
  • New deletionProtection field


  • New engine field
  • New status field
  • New allocatedStorage field


  • New privateDnsEnabled field
  • New state field
  • New createdAt field


  • New createdAt field
  • New destination field
  • New maxAggregationInterval field
  • New trafficType field


  • New tags field


  • New assignIpv6AddressOnCreation field
  • New state field


  • Default fields now display login, name, email, and company​

  • New visibility field


  • New externalInOutlook field


  • New resource with identity, allowList, and enabled fields


  • New resource with allowAnonymousUsersToJoinMeeting, allowAnonymousUsersToStartMeeting, autoAdmittedUsers, allowPSTNUsersToBypassLobby, meetingChatEnabledType, designatedPresenterRoleMode, allowExternalParticipantGiveRequestControl, and allowSecurityEndUserReporting fields


  • New resource with identity, blockedDomains, allowFederatedUsers, allowPublicUsers, allowTeamsConsumer, allowTeamsConsumerInbound, treatDiscoveredPartnersAsUnverified, sharedSipAddressSpace, and restrictTeamsConsumerToExternalUserProfiles fields


  • New onPremisesSyncEnabled field


  • A new resource that simplifies accessing channel, direct message, and group message data. This replaces the conversations field in the slack resource.

German/Italian support in Windows Security policy​

We've reworked our Windows Security policy to fully support both Windows Server and Workstation editions with the language set to either German or Italian.

New checks in HTTP Security policy​

Our HTTP security policy now includes additional checks to ensure that Content Security Policy (CSP) and Strict-Transport-Security (HSTS) headers are set. New groups in this policy ensure that checks are grouped by protocol and only enabled when appropriate.

Complete Microsoft 365 scanning, anywhere​

Sit back for a moment while I put on my engineer's hat. Sometimes, APIs are hard. Perhaps the best example is Microsoft 365. Some data can be retrieved using their Golang SDK, but much of the API can only be accessed through PowerShell.

Until now, Mondoo queried the necessary data using both methods and returned MQL as if it were easy, that is, if you were on Windows with PowerShell. On Linux, macOS, or using a Mondoo integration, queries that relied on PowerShell-gathered data failed.

But no more! cnquery and cnspec now query Microsoft 365 data using PowerShell installed on macOS / Linux systems so that Mondoo Platform integrations now successfully run these queries.


  • Don't allow creating an exception for a control/asset/check more than once.
  • Resolve multiple edge cases in multi-select when setting up exceptions.
  • Improve the rendering of code blocks in the console.
  • Improve performance loading pages in the console.
  • Add validation of IP addresses in the Domain/IP integration.
  • Don't remove previously rejected exceptions when removing the current exception.
  • Fix detecting platform IDs for Kubernetes operator manifests.
  • Reduce network traffic when scanning assets with cnspec.
  • Fix failures setting sudo to active in an inventory file.
  • Add API retries to the Slack resources to better handle throttling while querying large amounts of data.
  • Improve the suggestion text when checks, assets, or data queries tabs are empty in Compliance Hub.
  • Fix failures running cnspec vuln.
  • Add back the feature flag for Kubernetes node scanning that was accidentally removed in the 9.0 release.

· 5 min read

🥳 Mondoo 9.11 is out! This release includes continuous domain/IP scanning, new and expanded AWS resources, and more!

Get this release: Installation Docs | Package Downloads | Docker Container


Continuous domain and IP scanning​

New continuous domain and IP scanning ensures the security and compliance of your external web properties.

Domain Scan Integration

Scan these endpoints using out-of-the-box SSL/TLS, DNS, and HTTP security policies to ensure your properties meet security best practices. Protect against common endpoint security mistakes such as:

  • Certificates nearing their expiration date
  • Insecure TLS releases or ciphers
  • Missing X-Content-Type-Options in HTTP headers

Domain Scan Result

Domain and IP scans don't stop with just security. These scan results are automatically mapped to compliance controls such as SOC 2 type 2's CC6.7.2: Uses Encryption Technologies or Secure Communication Channels to Protect Data. This provides continuous compliance for your web properties.
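The header checks named in these notes (X-Content-Type-Options above, CSP and HSTS in the 9.12 HTTP Security policy update) can be illustrated with the added example below, which is not Mondoo's policy code. The pass/fail rules, function names, and sample responses are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit


def _hsts_max_age(value):
    """Return max-age in seconds from a Strict-Transport-Security value, or None."""
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            arg = arg.strip().strip('"')
            return int(arg) if arg.isascii() and arg.isdigit() else None
    return None


def check_headers(url, headers):
    """Return a sorted list of findings for one response (header names are case-insensitive)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("x-content-type-options missing or not 'nosniff'")
    if not h.get("content-security-policy"):
        findings.append("content-security-policy not set")
    # Browsers ignore HSTS received over plain HTTP, so it is only checked for https URLs.
    if urlsplit(url).scheme.lower() == "https":
        sts = h.get("strict-transport-security")
        if sts is None:
            findings.append("strict-transport-security not set")
        else:
            age = _hsts_max_age(sts)
            if age is None:
                findings.append("strict-transport-security has no valid max-age")
            elif age == 0:
                findings.append("strict-transport-security max-age=0 disables HSTS")
    return sorted(findings)


# Constructed sample responses (hostnames use the reserved .example TLD).
SAMPLES = {
    "https://site.example/": {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "Content-Security-Policy": "default-src 'self'",
        "X-Content-Type-Options": "nosniff",
    },
    "https://legacy.example/": {
        "strict-transport-security": "max-age=0",
        "X-Content-Type-Options": "NoSniff",
    },
    "http://plain.example/": {
        "Content-Security-Policy": "default-src 'self'",
    },
}

if __name__ == "__main__":
    for url, hdrs in SAMPLES.items():
        print(url, check_headers(url, hdrs) or "ok")
```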

New AWS Web Application Firewall (WAF) resource​

Secure Amazon's Web Application Firewall (WAF) service with new Mondoo WAF resources. These resources allow you to query WAF ACLs, Rules, RuleGroups, and IP Sets.

See the AWS Resource Pack documentation for a complete list of new WAF resources.

Load policies from AWS S3 buckets​

Want to run custom policies across multiple systems without storing those policies in the Mondoo Platform's Registry? Now you can load policies in cnspec directly from AWS S3 buckets.

Specify an entire bucket and cnspec picks the correct policy:

cnspec scan -f s3://mysupernotexistingbucket1234567

Or specify the exact policy file in your bucket:

cnspec scan -f s3://mysupernotexistingbucket1234567/packs.mql.yaml


New fields and defaults in AWS resources​


  • Improve default values
  • New enaSupported field
  • New hypervisor field
  • New instanceLifecycle field
  • New rootDeviceType field
  • New rootDeviceName field
  • New architecture field


  • Improve default values
  • New multiAttachEnabled field
  • New throughput field
  • New size field
  • New iops field


  • Improve default values
  • New volumeSize field
  • New description field
  • New encrypted field


  • New retentionInDays field


  • Improve default values


  • New isDefault field
  • New tags field

New GitHub pull request query capabilities​

New fields in the GitHub resource give you fine-grained control over queries for GitHub pull requests.

First, connect to your GitHub repository with the cnquery shell:

cnquery shell github repo mondoohq/cnspec

Once you're connected to the GitHub repo in cnquery, you can query pull requests in a few different ways.

Query individual pull requests by number:

cnquery> github.mergeRequest(number: 1){ number state title }
github.mergeRequest: {
number: 1
title: "🧹 update command line help"
state: "closed"

Query all closed pull requests:

cnquery> github.repository.closedMergeRequests
github.repository.allMergeRequests: [
0: github.mergeRequest id=1640488170 state="closed"
1: github.mergeRequest id=1638254852 state="closed"
2: github.mergeRequest id=1638253038 state="closed"



Query all closed and open pull requests:

cnquery> github.repository.allMergeRequests
github.repository.allMergeRequests: [
0: github.mergeRequest id=1640488170 state="closed"
1: github.mergeRequest id=1640302075 state="open"
2: github.mergeRequest id=1638694955 state="open"



Improve bucket JSONL export​

Do you export your Mondoo data through one of our storage integrations? We've made it easier for you to process these exports in systems like Splunk or ELK: We added ExportedAt and asset_mrn fields:

"mrn": "//",
"asset_mrn": "//",
"name": "",
"platform_name": "host",
"error": "",
"score_updated_at": "2023-12-06T14:03:51Z",
"updated_at": "2023-12-06T14:03:51Z",
"labels": {
"": "//"
"annotations": null,
"exported_at": "2023-12-06T15:12:57.619506985Z"
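
One way to process such an export before indexing it, as an added example that is not Mondoo's code: it keeps the newest record per asset_mrn using exported_at, whose nanosecond fraction Python's datetime cannot store directly. The sample lines, the helper names, and the //PLACEHOLDER MRN values are constructed.

```python
import json
import re
from datetime import datetime, timezone

# RFC 3339 UTC timestamp with an optional fraction of any length, as in the
# export sample: "2023-12-06T15:12:57.619506985Z".
_TS = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z$")


def parse_export_ts(value):
    """Parse exported_at into an aware UTC datetime (fraction cut to microseconds)."""
    m = _TS.match(value)
    if not m:
        raise ValueError(f"unexpected timestamp format: {value!r}")
    micros = int((m.group(2) or "0")[:6].ljust(6, "0"))
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    return base.replace(microsecond=micros, tzinfo=timezone.utc)


def latest_per_asset(lines):
    """Return ({asset_mrn: newest record}, number of rejected lines)."""
    latest, rejected = {}, 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            key = rec["asset_mrn"]
            if not isinstance(key, str):
                raise TypeError("asset_mrn must be a string")
            rec["_exported"] = parse_export_ts(rec["exported_at"])
        except (ValueError, KeyError, TypeError):
            rejected += 1  # broken JSON, missing field, or bad timestamp
            continue
        if key not in latest or rec["_exported"] > latest[key]["_exported"]:
            latest[key] = rec
    return latest, rejected


def _row(asset, name, exported_at, error=""):
    # Constructed sample record; the MRN values are placeholders.
    return json.dumps({"mrn": f"//PLACEHOLDER/scores/{asset}",
                       "asset_mrn": f"//PLACEHOLDER/assets/{asset}",
                       "name": name, "platform_name": "host", "error": error,
                       "exported_at": exported_at})


SAMPLE_LINES = [
    _row("a", "web-1", "2023-12-06T15:12:57.619506985Z"),
    _row("a", "web-1-rescan", "2023-12-06T15:12:57.619507Z"),
    _row("b", "db-1", "2023-12-06T14:00:00Z", error="connection refused"),
    '{"asset_mrn": "//PLACEHOLDER/assets/c", "exported_at": ',  # truncated line
    '{"asset_mrn": "//PLACEHOLDER/assets/d", "name": "no-timestamp"}',
    "",
]

if __name__ == "__main__":
    newest, bad = latest_per_asset(SAMPLE_LINES)
    for mrn, rec in sorted(newest.items()):
        print(mrn, rec["name"], rec["_exported"].isoformat(), rec["error"] or "ok")
    print("rejected lines:", bad)
```

Counting rejected lines instead of silently dropping them lets a pipeline alert when an export is truncated or its schema changes.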

Alpine 3.19 support​

On December 7th the Alpine Linux team released Alpine Linux 3.19 with an updated Kernel and new versions of common language packages. Mondoo includes support for this latest release with EOL and CVE detection. Learn more about what's new in this updated version at

Ignore .terraform directory during scans​

Want to scan Terraform files in a project directory, but the pesky .terraform directory is getting in your way? Now you can ignore files in the .terraform directory with the new --ignore-dot-terraform flag.


  • Improve the display of categories in integrations during setup and on the integrations page.
  • Improve the UI on the space registration token page when no tokens have been created.
  • In audit log entries, include the asset on which the action occurs.
  • Improve registry search results for policies and query packs.
  • Detect Kali Linux systems running on AWS.
  • Display more than 100 spaces on the organization page.
  • Fix incorrect EOL asset counts on the organization dashboard.
  • Don't double-log failures to find SSH keys from the SSH agent in cnspec/cnquery.
  • Improve performance loading spaces and assets in the console.
  • Fix tooltips for space and organization tokens to show the right messages.
  • Show the GCP icon for Google Container Optimized policies.
  • Use the latest Microsoft 365 logo on all integration pages.
  • Add the Okta logo to the integration page.
  • Fix + icon in the Okta integration to go directly to the Okta integration setup page.
  • Report Kali Linux as a rolling release without an EOL date.
  • Fix the "cannot convert primitive with NO type information" error in the github.mergeRequest resource.
  • Update host resources to show as Network Hosts in the console instead of Network API.
  • Properly display ReadOnlyPort value in k8s.kubelet.configuration resource when it is 0.
  • Fix caCertFile in k8s.kubelet resource to be in "authentication" and not "authorization".
  • Fix URL links from cnspec failing to load if you had previously loaded a different space.

· 5 min read

🥳 Mondoo 9.10 is out! This release includes compliance evidence PDF reports, exceptions for policies/assets, and more!

Get this release: Installation Docs | Package Downloads | Docker Container


Compliance evidence report generation in PDF format​

Prove compliance to your auditors with PDF evidence reports. Now you can export reports from any control page or export an archive containing controls for your whole compliance framework.

Generate a report

These reports are specifically formatted for auditors and ready for attachment to GRC systems or other auditor evidence upload solutions.

View a report

We've got you covered with secure storage as well, so you can share reports between team members without insecure email attachments or unauthenticated URLs.

Store a report

Exceptions for assets and policies​

The power and visibility of compliance exceptions are now available outside of compliance: You can now set exceptions for checks on assets and security policies. Asset and policy exceptions enable cross-team visibility and allow more granularity in how you prioritize your work.

Improve visibility with detailed explanations of why exceptions were created, approvals, and detailed logging. You never have to ask again who made a change and why.

Improved visibility

Prioritize your work with time-based snoozing: Turn off a check temporarily while you work on more important issues, but don't let it fall through the cracks.

Improved Granularity

New CIS Azure Compute Microsoft Windows Server 2019 and 2022 benchmarks​

Secure your Windows Azure environment using the new Azure Compute Microsoft Windows Server 2019 and 2022 benchmarks. These benchmarks specifically target the security of Windows 2019 and 2022 Datacenter editions, using Azure's secure configuration guide settings. Each benchmark consists of domain and member server policies containing over 200 Azure-tailored checks.

New CIS ESXi 8.0 Benchmark v1.0.0​

Are you upgrading your VMware deployments to version 8.0? Mondoo has you covered with the new CIS ESXi 8.0 Benchmark version 1.0. This updated policy includes 86 checks tailored to the latest VMware release.


Updated RHEL/Oracle/Rocky/AlmaLinux 8 Benchmarks​

Keep your RHEL 8 compatible servers secure with the new 3.0 release of CIS benchmarks for Red Hat Enterprise Linux, Oracle Linux, AlmaLinux, and Rocky Linux. These new policies are complete reworks of the existing CIS benchmarks with hundreds of new and updated checks.

MQL containsNone with an array of regular expressions​

Now you can avoid long, chained MQL queries that check multiple regular expressions. Instead, specify an array of regular expressions:

field.containsNone( [ /a/, /.*b/ ] )


  • Provide friendly error messages if invalid time values for token expiration are entered.
  • Clarify what search values are supported on the compliance controls page.
  • Improve table headings for affected assets on the vulnerabilities pages.
  • Don't reset the pagination back to the first page when enabling/disabling a policy in the registry.
  • Update all policy icons to be full-color for consistency.
  • Fix different scan behaviors between container and docker providers that caused failures when scanning containers.
  • Don't fail when using .contains in queries if the dict value is empty.
  • Fix container image asset names changing between 8.x and 9.x client scans.
  • Fix an error in the aws.iam.policies resource when fetching attachedGroups data.
  • Support quitting the cnquery/cnspec shells with the quit command.
  • Fix failures when running cnquery login.
  • Add additional data to the aws.iam.attachedPolicies resource.
  • Improve cnspec bundle fmt to format markdown in documentation fields and optionally sort checks by name.
  • Fix a failure in cnspec if two policies use the same query UID.
  • Don't show rejected exceptions as active exceptions when scanning in cnspec.
  • Fix the width of the scanning progress bar to show the score result.
  • Fix the "Ensure updates, patches, and additional security software are installed" query in the CIS Distribution Independent Linux policy to work with Photon.
  • Fix a failure when running asset{*} on some non-operating system assets.
  • Improve the titles of many inventory query pack queries.
  • Improve the form validation behavior in Azure, Okta, OCI, Microsoft 365, and GitHub integration pages.
  • Add missing badges and a description to the Slack integration setup page.
  • Fix failures in the aws.acm.certificates resource.
  • Don't run the TLS security policy on non-host network assets.
  • Ensure that AIX, FreeBSD, Fedora, Kali Linux, Scientific Linux, Pop!_OS, and EuroLinux assets are grouped as operating systems in inventory.
  • Fix rejected compliance exceptions still showing as exceptions on the controls.
  • Improve performance throughout the Mondoo Console.
  • Add EOL detection for EuroLinux assets.
  • Add platform vulnerability detection for the Windows 23H2 release.
  • Ensure audit logs are generated for space create/delete events and add logging when changing space and organization owners.
  • Improve asset group display for GitLab assets.
  • Fix a failure running the cnspec vuln command.
  • Display all spaces when an organization includes more than 25 spaces.
  • Allow the network provider to run with an inventory file.
  • Improve the policy page UI when a policy is enabled, but hasn't yet run on any assets.
  • Fix a UI error when generating a non-expiring registration token.