
· 5 min read

🥳 Mondoo 9.10 is out! This release includes compliance evidence PDF reports, exceptions for policies/assets, and more!

Get this release: Installation Docs | Package Downloads | Docker Container


Compliance evidence report generation in PDF format

Prove compliance to your auditors with PDF evidence reports. Now you can export reports from any control page or export an archive containing controls for your whole compliance framework.

Generate a report

These reports are specifically formatted for auditors and ready for attachment to GRC systems or other auditor evidence upload solutions.

View a report

We've got you covered with secure storage as well, so you can share reports between team members without insecure e-mail attachments or unauthenticated URLs.

Store a report

Exceptions for assets and policies

The power and visibility of compliance exceptions are now available outside of compliance: you can now set exceptions for checks on assets and on security policies. Asset and policy exceptions give cross-team visibility and let you prioritize your work with more granularity.

Improve visibility with detailed explanations of why exceptions were created, approvals, and detailed logging. You never have to ask again who made a change and why.

Improved visibility

Prioritize your work with time-based snoozing: Turn off a check temporarily while you work on more important issues, but don't let it fall through the cracks.

Improved Granularity

New CIS Azure Compute Microsoft Windows Server 2019 and 2022 benchmarks

Secure your Windows Azure environment using the new Azure Compute Microsoft Windows Server 2019 and 2022 benchmarks. These benchmarks specifically target the security of Windows 2019 and 2022 Datacenter editions, using Azure's secure configuration guide settings. Each benchmark consists of domain and member server policies containing over 200 Azure-tailored checks.

New CIS ESXi 8.0 Benchmark v1.0.0

Are you upgrading your VMware deployments to version 8.0? Mondoo has you covered with the new CIS ESXi 8.0 Benchmark version 1.0. This updated policy includes 86 checks tailored to the latest VMware release.


Updated RHEL/Oracle/Rocky/AlmaLinux 8 Benchmarks

Keep your RHEL 8 compatible servers secure with the new 3.0 release of CIS benchmarks for Red Hat Enterprise Linux, Oracle Linux, AlmaLinux, and Rocky Linux. These new policies are complete reworks of the existing CIS benchmarks with hundreds of new and updated checks.

MQL containsNone with an array of regular expressions

Now you can avoid long, chained MQL queries that check multiple regular expressions. Instead, specify an array of regular expressions:

field.containsNone( [ /a/, /.*b/ ] )


  • Provide friendly error messages if invalid time values for token expiration are entered.
  • Clarify what search values are supported on the compliance controls page.
  • Improve table headings for affected assets on the vulnerabilities pages.
  • Don't reset the pagination back to the first page when enabling/disabling a policy in the registry.
  • Update all policy icons to be full-color for consistency.
  • Fix different scan behaviors between container and docker providers that caused failures when scanning containers.
  • Don't fail when using .contains in queries if the dict value is empty.
  • Fix container image asset names changing between 8.x and 9.x client scans.
  • Fix an error in the aws.iam.policies resource when fetching attachedGroups data.
  • Support quitting the cnquery/cnspec shells with the quit command.
  • Fix failures when running cnquery login.
  • Add additional data to the aws.iam.attachedPolicies resource.
  • Improve cnspec bundle fmt to format markdown in documentation fields and optionally sort checks by name.
  • Fix a failure in cnspec if two policies use the same query UID.
  • Don't show rejected exceptions as active exceptions when scanning in cnspec.
  • Fix the width of the scanning progress bar to show the score result.
  • Fix the Ensure updates, patches, and additional security software are installed query in the CIS Distribution Independent Linux policy to work with Photon.
  • Fix a failure when running asset{*} on some non-operating system assets.
  • Improve the titles of many inventory query pack queries.
  • Improve the form validation behavior in Azure, Okta, OCI, Microsoft 365, and GitHub integration pages.
  • Add missing badges and a description to the Slack integration setup page.
  • Fix failures in the aws.acm.certificates resource.
  • Don't run the TLS security policy on non-host network assets.
  • Ensure that AIX, FreeBSD, Fedora, Kali Linux, Scientific Linux, Pop!_OS, and EuroLinux assets are grouped as operating systems in inventory.
  • Fix rejected compliance exceptions still showing as exceptions on the controls.
  • Improve performance throughout the Mondoo Console.
  • Add EOL detection for EuroLinux assets.
  • Add platform vulnerability detection for the Windows 23H2 release.
  • Ensure audit logs are generated for space create/delete events and add logging when changing space and organization owners.
  • Improve asset group display for GitLab assets.
  • Fix a failure running the cnspec vuln command.
  • Display all spaces when an organization includes more than 25 spaces.
  • Allow the network provider to run with an inventory file.
  • Improve the policy page UI when a policy is enabled, but hasn't yet run on any assets.
  • Fix a UI error when generating a non-expiring registration token.

· 3 min read

🥳 Mondoo 9.9 is out! This release includes experimental SBOM support, platform/package CPE data, and more!

Get this release: Installation Docs | Package Downloads | Docker Container


Experimental SBOM generation

cnquery includes new experimental support for generating software bills of materials (SBOMs). You can generate SBOMs against your local system or containers, mounted filesystems, vagrant boxes, and remote systems over SSH or WinRM.

By default the SBOM prints in list format in the CLI:

cnquery sbom local
→ This command is experimental. Please report any issues to
→ loaded configuration from /etc/opt/mondoo/mondoo.yml using source default
→ discover related assets for 1 asset(s)

lunalectric-test ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100%

pypi/Jinja2/2.11.3 /usr/lib/python3/dist-packages/Jinja2-2.11.3.egg-info/PKG-INFO
pypi/LibAppArmor/2.13.6 /usr/lib/python3/dist-packages/LibAppArmor-2.13.6.egg-info
pypi/Mako/1.1.3 /usr/lib/python3/dist-packages/Mako-1.1.3.egg-info/PKG-INFO
pypi/Markdown/3.3.4 /usr/lib/python3/dist-packages/Markdown-3.3.4.egg-info/PKG-INFO
pypi/MarkupSafe/1.1.1 /usr/lib/python3/dist-packages/MarkupSafe-1.1.1.egg-info/PKG-INFO
pypi/PyGObject/3.38.0 /usr/lib/python3/dist-packages/PyGObject-3.38.0.egg-info/PKG-INFO
pypi/PyYAML/5.3.1 /usr/lib/python3/dist-packages/PyYAML-5.3.1.egg-info

Using the --output flag you can control the output format with support for cyclonedx-json, cyclonedx-xml, spdx-json, spdx-tag-value, and table formats.

cnquery sbom local --output spdx-json
→ This command is experimental. Please report any issues to
→ loaded configuration from /etc/opt/mondoo/mondoo.yml using source default
→ discover related assets for 1 asset(s)

lunalectric-test ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100%

{
  "spdxVersion": "SPDX-2.3",
  "dataLicense": "",
  "name": "",
  "documentNamespace": "",
  "creationInfo": {
    "creators": [
      "Tool: cnquery"
    ],
    "created": "2023-11-28T22:47:07Z"
  },
  "packages": [
    {
      "name": "Jinja2",
      "SPDXID": "SPDXRef-Package-pypi-Jinja2-2e4a538b3939365a",
      "versionInfo": "2.11.3",
      "packageFileName": "/usr/lib/python3/dist-packages/Jinja2-2.11.3.egg-info/PKG-INFO",
      "downloadLocation": "",
      "filesAnalyzed": false,
      "licenseDeclared": "2.11.3",
      "externalRefs": [
        {
          "referenceCategory": "SECURITY",
          "referenceType": "cpe23Type",
          "referenceLocator": "cpe:2.3:a:jinja2_project:jinja2:2.11.3:*:*:*:*:*:*:*"
        },
        {
          "referenceCategory": "SECURITY",
          "referenceType": "purl",
          "referenceLocator": "pkg:pypi/Jinja2@2.11.3"
        }
      ]
    }
  ]
}


Platform and package CPE data

To power our new SBOM capabilities, Mondoo's asset and package resources now include Common Platform Enumeration (CPE) data that uniquely identifies the platform of the system and packages. Learn more about CPE on the NIST National Vulnerability Database CPE page.

Asset CPEs:

cnquery> asset.cpes
asset.cpes: [
  0: cpe uri="cpe:2.3:o:debian:debian_linux:11.8:*:*:*:*:*:*:*"
]

OS package CPEs:

cnquery> packages{name cpes}
packages.list: [
  0: {
    name: "acl"
    cpes: [
      0: cpe uri="cpe:2.3:a:acl:acl:2.2.53-10:amd64:*:*:*:*:*:*"
    ]
  }
]
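Consuming the SBOM: the SPDX document from the SBOM section carries each package's purl and CPE 2.3 string as externalRefs, and the CPE attributes (vendor, product, version) are what a CPE-keyed vulnerability matcher joins on. The Python below is an added example, not code from the original post or from cnquery. It reads a constructed SPDX 2.3 document modelled on the output above (the Jinja2 entry mirrors the page, the acl entry reuses the CPE from the packages{name cpes} query, and a made-up "mystery-tool" package has no refs at all), splits every CPE 2.3 string into its eleven attributes while honouring backslash-escaped colons, and lists the packages a CPE-keyed matcher would silently skip.

```python
"""Extract package identity (purl and CPE 2.3) from an SPDX 2.3 JSON SBOM such as the
one `cnquery sbom local --output spdx-json` writes, and flag packages that carry no CPE."""
import json

# Constructed sample modelled on the SPDX output above: the Jinja2 entry mirrors the
# page, the acl entry reuses the CPE from the packages{name cpes} query, and
# "mystery-tool" is made up to show a package with no externalRefs at all.
SAMPLE_SPDX = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "name": "lunalectric-test",
    "creationInfo": {"creators": ["Tool: cnquery"], "created": "2023-11-28T22:47:07Z"},
    "packages": [
        {
            "name": "Jinja2",
            "SPDXID": "SPDXRef-Package-pypi-Jinja2-2e4a538b3939365a",
            "versionInfo": "2.11.3",
            "externalRefs": [
                {"referenceCategory": "SECURITY", "referenceType": "cpe23Type",
                 "referenceLocator": "cpe:2.3:a:jinja2_project:jinja2:2.11.3:*:*:*:*:*:*:*"},
                {"referenceCategory": "SECURITY", "referenceType": "purl",
                 "referenceLocator": "pkg:pypi/Jinja2@2.11.3"},
            ],
        },
        {
            "name": "acl",
            "SPDXID": "SPDXRef-Package-deb-acl-0000000000000000",
            "versionInfo": "2.2.53-10",
            "externalRefs": [
                {"referenceCategory": "SECURITY", "referenceType": "cpe23Type",
                 "referenceLocator": "cpe:2.3:a:acl:acl:2.2.53-10:amd64:*:*:*:*:*:*"},
            ],
        },
        {"name": "mystery-tool", "SPDXID": "SPDXRef-Package-mystery", "versionInfo": "0.1"},
    ],
})

# Attribute order of a CPE 2.3 formatted string, after the "cpe:2.3:" prefix.
CPE23_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
                "language", "sw_edition", "target_sw", "target_hw", "other")


def split_cpe23(cpe):
    """Split a CPE 2.3 formatted string into a dict of its 11 attributes.

    Colons separate attributes, but a backslash escapes the next character, so
    'cpe:2.3:a:foo\\:bar:...' has the single vendor value 'foo:bar'. A naive
    cpe.split(":") would break on such names."""
    prefix = "cpe:2.3:"
    if not cpe.startswith(prefix):
        raise ValueError("not a CPE 2.3 formatted string: %r" % cpe)
    fields, current, i = [], [], len(prefix)
    while i < len(cpe):
        ch = cpe[i]
        if ch == "\\" and i + 1 < len(cpe):   # escaped character: keep it literally
            current.append(cpe[i + 1])
            i += 2
            continue
        if ch == ":":                          # unescaped colon: attribute boundary
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    fields.append("".join(current))
    if len(fields) != len(CPE23_FIELDS):
        raise ValueError("expected %d CPE attributes, got %d in %r"
                         % (len(CPE23_FIELDS), len(fields), cpe))
    return dict(zip(CPE23_FIELDS, fields))


def package_identities(spdx_json):
    """One record per SPDX package: name, version, purl (or None) and parsed CPE (or None).

    Refs are selected by referenceType rather than referenceCategory, because the
    category is easy to get wrong (the output above files the purl under SECURITY)."""
    doc = json.loads(spdx_json)
    records = []
    for pkg in doc.get("packages", []):
        rec = {"name": pkg.get("name"), "version": pkg.get("versionInfo"),
               "purl": None, "cpe": None}
        for ref in pkg.get("externalRefs", []):
            if ref.get("referenceType") == "purl":
                rec["purl"] = ref["referenceLocator"]
            elif ref.get("referenceType") == "cpe23Type":
                rec["cpe"] = split_cpe23(ref["referenceLocator"])
        records.append(rec)
    return records


def unidentified_packages(spdx_json):
    """Names of packages with no CPE: a matcher keyed on CPE silently skips these,
    so they need a purl-based or manual check instead."""
    return [r["name"] for r in package_identities(spdx_json) if r["cpe"] is None]


if __name__ == "__main__":
    for r in package_identities(SAMPLE_SPDX):
        vendor_product = r["cpe"] and "%s/%s" % (r["cpe"]["vendor"], r["cpe"]["product"])
        print(r["name"], r["version"], r["purl"], vendor_product)
    print("packages without a CPE:", unidentified_packages(SAMPLE_SPDX))
```

To run it against a real export, pass the file contents to package_identities(open("sbom.spdx.json").read()). Keep both identifiers: the purl is the more reliable join key for PyPI and OS packages, while the CPE is what NVD-based matching needs, and the list from unidentified_packages shows where that matching has nothing to work with.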


  • Fix authentication failures in some AWS resources.
  • Allow updating tokens in GitLab integrations.
  • Fix a false positive in the CIS macOS Ensure Show Wi-Fi status in Menu Bar Is Enabled check.
  • Fix the CIS Distribution Independent Linux policy Ensure updates, patches, and additional security software are installed check to run properly on Debian-based systems.
  • Show the number of assets for a policy, not the number of checks, on the Security -> Policies page.
  • Open CVE source links in new windows.
  • Remove extra white space on CVE pages with short descriptions.
  • Improve reliability of queries in the Mondoo Linux Security policy.
  • Improve query titles in asset inventory query packs.

· 6 min read

🥳 Mondoo 9.8 is out! This release includes automated compliance inventory gathering, AIX support, a new CVE view, plus a whole lot more!

Get this release: Installation Docs | Package Downloads | Docker Container


Automated compliance inventory gathering

Your audit goes beyond security checks; now so does Mondoo, with continuous infrastructure inventory gathering mapped automatically to top compliance frameworks. Compliance Hub controls now include a Data Queries tab listing inventory data from query packs. This inventory data is gathered automatically from the cnspec CLI or from integrations like AWS, GitHub, or Kubernetes. Inventory data fills key requirements from auditors to ensure your infrastructure is compliant, such as gathering AWS VPC configuration to prove SOC 2 CC6.1.5 or asset inventory data for CC6.1.1.

SOC 2 control with data queries:

SOC 2 control with data queries

Drill into a data query to see the query detail and the assets for which it gathered data:

Data queries page

New result scoring design

The list of security findings was often presented and sorted in a confusing way: successful checks could be listed above failed ones, and errors and skipped checks were mixed into the list seemingly at random. This was because the previous prioritization focused on the impact of a check rather than on whether its finding was a pass or a fail.

Scoring example

The new system is focused on prioritizing the most impactful actions. We now sort everything by failed checks first, followed by errors, then successful checks, and finally anything that is ignored or disabled. This means that the list now prioritizes the most critical failed findings.

We also improved the colors. If it looks like a successful check, it is now consistently green. If it looks like a red alarm, it's definitely a critical failed check.

Here's an overview of this new scoring system:

Scoring overview

New asset scorecard design

When progress isn't lightning-fast, it's important to track small wins. With this in mind, we've redesigned our asset policy cards to better show progress made towards securing systems. The new design removes the score number from the cards and instead shows the number of passing and failing checks, so you can track progress without the need to dive into the list of all checks on an asset.

Asset with new scorecards

New security policies page

When we built the security policies page, our goal was to give users a single location where they could see all asset scores for policies in their space and control how those policies ran.

This week, we updated that page to make it easier to identify failing assets for each policy quickly:

Policies Page

The updated page also allows you to disable a policy or set it to preview without leaving the policies page:

Changing Policies

New CVE view

Out with the old and in with the new is the theme of the Mondoo 9.8 release, so why not update one of our oldest components? It's time for a whole new CVE page! A fresh, new design makes it easier to understand the impact of a CVE.

CVE Page

AIX 7.1 and 7.2 support

Kubernetes and serverless may be all the rage, but AIX on IBM Power systems still runs a great deal of the world's critical workloads. Now you can secure those AIX systems with Mondoo. We've updated cnquery and cnspec with new remote scan capabilities for AIX and bundled CIS AIX 7.1 and 7.2 benchmark policies, allowing you to quickly evaluate the security and compliance of your AIX systems.

AIX Asset

New BSI SiSyPHuS Windows 10 policy

Mondoo now includes a new BSI SiSyPHuS Windows 10 policy based on BSI's SiSyPHuS Win10 - Study on system design, logging, hardening and security features in Windows 10 - Configuration Recommendations document. This policy includes 363 queries with impact scores and remediation steps. The checks map to all Mondoo supported compliance frameworks, including BSI's Cloud Computing Compliance Controls Catalog (C5) framework.


Expanded resource fields

Whether you're writing custom security policies or exploring your infrastructure with cnquery shell, it's important to have all the data possible for assets. This week, we further expand some of our most popular resources with additional fields, giving you greater insight into your infrastructure.


  • productAccess - Product access
  • status - Status

  • minSize - The minimum number of instances to scale down to
  • maxSize - The maximum number of instances to scale up to
  • defaultCooldown - The time to wait after scaling up / down before the next scaling event is started
  • launchConfigurationName - The name of the launch configuration
  • healthCheckGracePeriod - The grace period in seconds before an instance with a failing health check will be replaced
  • createdAt - Time when the autoscaling group was created


  • platformType - The platform type of the SSM instance, as described by AWS (Windows, Linux, etc.)
  • platformVersion - Platform version for the SSM Instance, as described by AWS


  • ruleNumber - The rule number
  • cidrBlock - CIDR block for the ACL entry


  • tenantDomainName - The connected tenant's default domain name

package / python.package

Expanded EOL date data

Mondoo includes the latest EOL dates for distributions so you can ensure your systems receive critical security updates.

  • macOS 11 EOL date of September 26, 2023
  • FreeBSD 12.4 EOL date of December 31, 2023


  • Fix the coloring of code blocks in print mode.
  • Rename SOC2 to SOC 2 in policies and frameworks.
  • Improve reliability of Windows CIS security checks.
  • Improve SOC 2 security check mapping.
  • Fix select all checkbox behavior in compliance frameworks to only select the visible controls on the page.
  • Use the time datatype instead of string in the Atlassian provider for better resource output.
  • cnspec bundle fmt now preserves comments on the first line of the policy file.
  • Update providers when cnspec is scanning as a service (serve mode).
  • Fix CIS Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop' check failures.
  • Don't show the same policy twice for a single check in Compliance Hub.
  • Fix example scan flags for Kubernetes on the workstation integration page.
  • Only show the create space button on the organizations page if the user has permission to create a space.
  • Don't require all data to be reentered when updating a Jira integration.
  • Improve the performance of loading CVE and advisory data.
  • Add new preview HTTP Security policy.
  • Improve the reliability of organization dashboard graphs for some spaces.

· 5 min read

🥳 Mondoo 9.7 is out! This release includes a new compliance UI, expanded resources, and even more CVE data!

Get this release: Installation Docs | Package Downloads | Docker Container


New compliance exceptions UI

We've reworked the compliance exceptions system to make it easier to understand when exceptions have been set and what that means for your compliance data collection.

Each control includes a new Set Exception button so you can quickly create exceptions directly from framework control pages.

Set Exception

For controls with an exception set, the UI now communicates which type of exception has been set: snooze or disable. It gives a quick description of how the exception affects compliance data collection. The details of the exception are also shown directly on the control page, allowing you to accept, reject, or delete the exception without needing to dig through the exceptions tab.

Active exception state

Run local query packs from cnspec

Want to quickly test a custom query pack you've written? Now it's easier than ever because you can run a local query pack directly from cnspec:

cnspec scan -f example-pack.mql.yaml
→ no provider specified, defaulting to local. Use --help to see all providers.
→ loaded configuration from /Users/tsmith/.config/mondoo/mondoo.yml using source default
→ using service account credentials
→ discover related assets for 1 asset(s)

Asset: Luna-Laptop.local

Data queries:
packages.where.list: [
  0: package name="ssh" version=""
]
services.where.list: [
  0: service name="com.openssh.ssh-agent" running=true enabled=true type="launchd"
]
sshd.config.params: {
  AcceptEnv: "LANG LC_*"
  AuthorizedKeysFile: ".ssh/authorized_keys"
  Subsystem: "sftp /usr/libexec/sftp-server"
  UsePAM: "yes"
}

Scanned 1 asset

U Luna-Laptop.local
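A query pack that produces the three data queries in the output above could look like the following. This is an added example rather than the pack from the original post: the pack uid, name, version and query titles are made up, and the layout follows the cnquery query pack format (a packs list whose queries each carry a uid, a title and an mql expression).

```yaml
# example-pack.mql.yaml (constructed example; uids and titles are placeholders)
packs:
  - uid: example-pack
    name: Example SSH inventory pack
    version: 1.0.0
    queries:
      # Shows up in the scan output as packages.where.list
      - uid: ssh-package
        title: Installed SSH package
        mql: packages.where(name == "ssh")
      # Shows up as services.where.list
      - uid: ssh-agent-service
        title: SSH agent service state
        mql: services.where(name == "com.openssh.ssh-agent")
      # Shows up as sshd.config.params
      - uid: sshd-config-params
        title: Effective sshd configuration parameters
        mql: sshd.config.params
```

Run it with cnspec scan -f example-pack.mql.yaml as shown above; each query's MQL expression becomes the key under which its data appears in the scan output.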


Atlassian asset grouping

Atlassian admin, Jira, Confluence, and SCM assets scanned with cnspec are now grouped as Atlassian assets in the console. This helps you quickly find all your Atlassian assets.

Atlassian Asset Group

Ubuntu 23.10 EOL/CVE detection

Ubuntu 23.10 is out, and Mondoo is ready with EOL reporting and CVE detection now available for this latest Ubuntu release. See our blog post What's New in Security for Ubuntu 23.10 to learn more about this release's great new security features.

Raspbian 11 and 12 CVE detection

cnspec scans on Raspbian 11.x and 12.x releases now include important CVE data on both the CLI and in the console, so you can keep your Raspberry Pi hobby and IoT projects secure.

Better application of CIS Distribution Independent Linux Benchmark policy

The CIS Distribution Independent Linux Benchmark policy is a fantastic alternative Linux security policy to use when your operating system distribution or specific version is not supported by one of the main CIS Linux benchmarks. Thanks to new filters, you can now apply this policy in any space and rest assured it will only apply to systems for which more specific CIS benchmark policies aren't available. This means that now you can always have security and compliance data available, even when you're running distros that are a bit off the beaten path, such as non-LTS Ubuntu releases, Arch Linux, or Raspbian.

New AWS resource fields

AWS resources include new default values to improve data pack queries and navigation in the cnquery/cnspec shell. The resources also have many new fields to expose valuable asset inventory data:


  • enabled
  • httpVersion
  • isIPV6Enabled
  • priceClass


  • createdAt
  • deletionProtectionEnabled
  • globalTableVersion
  • id


  • createdAt
  • lastResourceAnalyzed
  • lastResourceAnalyzedAt

  • region


  • createdAt
  • encryptionKeyArn
  • locked
  • region


  • Ensure asset groups display correctly as new assets are added or deleted.
  • Show the correct status badges on the Managed Clients page.
  • Fix incorrect EBS volume scan regions.
  • Fix a failure to display asset scores for EBS volume scans.
  • Add the ability to list processes on Windows systems in the ports.listening resource.
  • Fix EKS node checks not correctly executing in the CIS Amazon Elastic Kubernetes Service (EKS) Benchmark policies.
  • Improve reliability of checks within the CIS Amazon Elastic Kubernetes Service (EKS) Benchmark policies.
  • Fix failures in CIS macOS Benchmark policies' "Ensure Pop-up Windows Are Blocked" and "Ensure Show Status Bar Is Enabled" checks.
  • Fix VMware vSphere CVE detection with cnspec 8.x clients.
  • Return a 100 (A) score when no CVEs are detected on a system.
  • Fix CIS rsyslog checks to fail instead of erroring when the rsyslog config is not found.
  • Improve chrony configuration detection in the Operational Best Practices for Time Synchronization policy.
  • Better detect when journald is running in the Ensure journald is not configured to receive logs from a remote client check.
  • Improve titles of queries in multiple query packs.
  • Fix failures in some JSON data exports due to malformed JSON data.
  • Fix failures detecting the platform on some remote scans.
  • Improve shell help content for many resources.

· 4 min read

🥳 Mondoo 9.6 is out! This release includes Console asset query packs, Subject Alternative Name support for certificates, and more!

Get this release: Installation Docs | Package Downloads | Docker Container


Asset inventory at your fingertips

Query pack data now displays directly in the Mondoo Console for all assets. Explore asset configuration with the two dozen out-of-the-box query packs available in the registry. If you don't find what you're looking for there, write your own query packs to expose additional asset inventory information directly in the console.

Browse the results of asset inventory query packs with a new Data Queries tab on the individual asset view.

Asset data queries


Expanded certificate resource capabilities

The tls.certificates resource now supports the PKIX Subject Alternative Name (SAN) extension, as well as the Subject Key Identifier (SKID) extension.

cnspec shell host
cnspec> tls.certificates { sanExtension { * } }
tls.certificates: [
  0: {
    sanExtension: {
      uris: []
      extension: pkix.extension id = 5842ac625349147af543f8049f60497ca270c0412667bbeb1042482e805069f9:
      emailAddresses: []
      dnsNames: [
        0: "*"
        1: "*"
        2: "*"
        3: "*"
        4: "*"
        5: "*"
        6: "*"
        7: "*"
        8: "*"
      ]
    }
  }
  1: {
    sanExtension: null
  }
  2: {
    sanExtension: null
  }
]

Expanded cnspec status information

Running cnspec status now prints the version number of the latest available release and a list of all installed providers. If the currently installed and latest releases don't match, the status indicates that a newer version is available for download.

./cnspec status
→ no Mondoo configuration file provided, using defaults
→ Platform: ubuntu
→ Version: 22.04
→ Hostname: localhost
→ IP:
→ Time: 2023-11-01T13:36:01+01:00
→ Version: 9.6.0 (API Version: 9)
→ Latest Version: 9.6.1
! A newer version is available
→ Installed Providers: terraform | aws | atlassian | gcp
→ Outdated Providers: terraform | aws | atlassian
→ API ConnectionConfig:
→ API Status: SERVING
→ API Time: 2023-11-01T12:36:02Z
→ API Version: 9


  • Vulnerabilities results no longer show assets that are not impacted.
  • Fix colorblind mode being enabled for all users.
  • Add data validation for AWS Access Key ID and Secret Access Key values in the S3 export integration.
  • Improve asset links in Compliance Hub to go directly to the check or data query on the asset.
  • Fix tls.certificates returning null data incorrectly.
  • Fix AWS EC2 instance names not properly registering.
  • Improve default values in the azure.subscription.monitorService.applicationInsight resource.
  • Don't display a policy's main documentation when viewing the variant.
  • Improve form validation for integrations to only run after all text has been entered.
  • Improve formatting on the policy recommendation pages for integrations.
  • Fix text input boxes that could not be read in the Azure integration.
  • Improve the error message when an organization or space user cannot be removed.
  • Don't fail when running policies from the public registry that use asset filters.
  • Don't fail if a query pack has no description.
  • Don't fail if a policy group has checks, but not data queries.
  • Fix a failure when scanning AWS EBS volumes.
  • Fix incorrect runtime information being reported for AWS assets.
  • Fix service checks to work on masked systemd services and services whose names end in .service.
  • Expand SOC2 policy coverage.
  • Improve data returned from the Azure Inventory Query Pack.
  • Improve the reliability of queries in the CIS AKS Benchmarks policies.
  • Wrap instead of cutting off long property values in the registry.
  • Use the custom image defined in the Kubernetes operator's MondooAuditConfig section.
  • Fix garbage collection of old Kubernetes assets not running.
  • Fix scanning of GKE nodes from the Kubernetes operator.

· 6 min read

🥳 Mondoo 9.5 is out! This release includes VMware vSphere security advisory detection, expanded AWS/Azure/Okta resources, and more!

Get this release: Installation Docs | Package Downloads | Docker Container


VMware vSphere CVE detection

Mondoo now includes support for tracking CVEs and security advisories on VMware vSphere installations, so you can keep your most important on-premises assets secure. CVE and advisory information appears automatically on VMware vSphere assets in the Mondoo Console, and you can also scan an asset from the command line to view the same data. (The example below passes the password with -p for brevity; on a shared machine prefer --ask-pass so the password doesn't end up in shell history or process listings.)

cnquery shell vsphere USER@luna.dmz -p FOO
mondoo™ interactive shell

cnquery> asset.vulnerabilityReport
asset.vulnerabilityReport: {
  platform: {
    build: "18778458"
    name: "vmware-vsphere"
    release: "7.0.3"
    title: "VMware vSphere 7.0.3"
  }
  published: "2023-10-26T13:18:39Z"
  stats: {
    advisories: {}
    cves: {}
    exploits: {}
    packages: {}
  }
  advisories: [
    0: {
      ID: "VMSA-2022-0004"
      Mrn: "//"
      cves: [
        0: {
          ID: "CVE-2021-22041"
          Mrn: "//"
          cvss: [
            0: {
              score: 4.600000
              source: "cve://nvd/2021"
              vector: "4.6/AV:L/AC:L/Au:N/C:P/I:P/A:P"
            }
          ]
          worstScore: {
            score: 4.600000
            source: "cve://nvd/2021"
            vector: "4.6/AV:L/AC:L/Au:N/C:P/I:P/A:P"
          }
        }
      ]
    }
  ]
}



New AWS resource fields and defaults

The aws.vpc.subnet resource now includes information on the subnet's availability zone so you can better understand where subnets are located.

cnquery> aws.vpcs.first.subnets{*}
aws.vpcs.first.subnets: [
  0: {
    arn: "arn:aws:ec2:ap-south-1:177043123456:subnet/subnet-b231234"
    id: "subnet-b231234"
    cidrs: ""
    mapPublicIpOnLaunch: true
    defaultForAvailabilityZone: true
    availabilityZone: "ap-south-1c"
  }
]

We've also improved the default values returned by many AWS resources to give you better output in the cnquery shell as well as query packs. These updated defaults expose AWS resource IDs, regions, availability zones, and other metadata that makes understanding your AWS infrastructure easier with Mondoo. Enable the AWS Asset Inventory Pack in your spaces to see this improved asset inventory data today.

Improved resource output for Azure

New default values in Azure resources make exploring asset configuration in the cnquery shell or the resource explorer better than ever. You'll see new improved output on Azure VMs that show OS and hardware types. We've also expanded NIC and disk resources to show information such as the disk size/type and the NIC MAC address type.

cnquery> azure.subscription.computeService.vms.first
azure.subscription.computeService.vms.first: azure.subscription.computeService.vm name="Windows-VM-5n6o" location="eastus" properties.hardwareProfile.vmSize="Standard_DS2_v2" properties.storageProfile.osDisk.osType="Windows"

cnquery> azure.subscription.computeService.disks.first
azure.subscription.computeService.disks.first: azure.subscription.computeService.disk name="Windows-VM-OsDisk-5n6o" location="eastus" properties.osType="Windows" properties.diskSizeGB=127.000000 properties.diskState="Attached"

cnquery> azure.subscription.networkService.interfaces.first
azure.subscription.networkService.interfaces.first: azure.subscription.networkService.interface name="Windows-VM-NIC-5n6o" location="eastus" properties.macAddress="60-45-BD-D7-7E-53" properties.nicType="Standard"

Expanded Okta group and role capabilities

We've expanded the capabilities of our Okta provider and resources to make it easier to query your Okta configuration. You can now query Okta groups along with their roles and members using the okta.groups resource:

cnspec> okta.groups.where( =="SUPER_ADMIN")) { name roles { * } members members.length < 2 }
okta.groups.where: [
  0: {
    roles: [
      0: {
        created: 2023-04-08 22:11:00 +0200 CEST
        lastUpdated: 2023-04-08 22:11:00 +0200 CEST
        assignmentType: "GROUP"
        id: "ABCD1234"
        status: "ACTIVE"
        label: "Super Administrator"
      }
    ]
    name: "Super Admins"
    members.length < 2: true
    members: [
      0: okta.user""
    ]
  }
]

You can also check which permissions are assigned to custom roles using the new okta.customRoles resource:

cnspec> okta.customRoles { * }
okta.customRoles: [
  0: {
    label: "Custom Role"
    id: "abc12345678910"
    description: "Custom Role"
    permissions: []
  }
]

Improved host scanning

We've improved host scanning behavior with updates to Mondoo's host provider as well as the http and tls resources used when scanning domains and IPs. These updates make it easier to get started scanning hosts, even when the hosts don't behave well.

  • Default to HTTPS when no protocol is specified on the CLI. For example, when you pass a bare hostname to cnquery shell host, cnquery now assumes HTTPS.
  • Improve handling of timeouts when checking TLS certs.
  • Improve error handling and logging when connecting to hosts, parsing TLS certificates, and checking TLS on non-TLS hosts.

Updated macOS CIS Benchmark policies

It's been just a week since we last updated macOS CIS benchmark policies, but we're back again with new updates including the official release of the CIS macOS 14.0 benchmark. These new benchmarks include improved descriptions/remediation text, more robust queries, and additional checks for Intel Macs. Be sure to check out the improved results in these releases:

  • CIS Apple macOS 11.0 Big Sur Benchmark v4.0.0
  • CIS Apple macOS 12.0 Monterey Benchmark v3.0.0
  • CIS Apple macOS 13.0 Ventura Benchmark v2.0.0
  • CIS Apple macOS 14.0 Sonoma Benchmark v1.0.0

Improved Windows EOL dates

Windows EOL data in Mondoo Platform now tracks Microsoft's enterprise and education support track, which tends to be about one year later than consumer EOL dates. We've also added Windows 10 22H2, Windows 11 22H2, and Windows 11 23H2 releases so you can track upcoming EOL dates for all your Windows workstations.

Improved field copy behavior

Sometimes a user suggests a fix you just can't pass up. User @xorima told us the copy icon in our text fields was hard to read and made copying important text like client installation commands difficult. We retooled the icon to make it better stand out against the text and have a more clear action when the copy was complete. Thanks @xorima!

New copy behavior


  • Group Photon OS assets as operating systems in the Mondoo Console.
  • Fix data queries not always showing the policy or query pack where they were defined.
  • Don't error if the same query pack is specified more than once on the command line.
  • Don't fail if a query pack has no queries to run after platform filters are applied.
  • Properly filter out unsupported queries in a query pack to avoid failures.
  • Map checks from the CIS Distribution Independent Linux benchmark to compliance framework controls.
  • Fix cleanup of old assets scanned by the Mondoo Kubernetes operator.
  • Handle empty report data in the JUnit cnspec reporter.
  • Don't fail scanning a container registry if the container's platform cannot be detected.
  • Fix a failure running the cnspec vuln command.
  • Fix an error fetching the azure.subscription.mySql.server field.
  • Fix Microsoft 365 assets grouping under Unclassified Assets in the console inventory page.
  • Don't show the Schedule Now button for Jira integrations.
  • On the Organization page, sort spaces by name instead of space ID.

· 2 min read

🥳 Mondoo 9.4 is out! This release includes a number of new stability improvements, as well as a number of bug fixes.​

Get this release: Installation Docs | Package Downloads | Docker Container

We encourage you to upgrade to this release as soon as possible since it contains a number of stability improvements.


This release introduces a heartbeat for all providers, which guarantees that terminated providers don't leave behind stale processes in memory. It requires v9.1.x or later for all providers. Providers update automatically; if you have deactivated automatic updates, please update your providers manually. Please also update cnquery and cnspec to 9.4.0, since older versions of cnquery and cnspec do not use the new heartbeat functionality.

To verify that you are on the latest version:

cnspec version
cnspec 9.4.0 (76a83f8, 2023-10-27T00:24:13Z)

To verify that all provider versions are greater than 9.1.0:

cnspec providers list

→ builtin (found 2 providers)

core 9.1.0
mock 9.0.0 with connectors: mock

→ /opt/mondoo/providers (found 6 providers)

aws 9.1.0 with connectors: aws
azure 9.1.0 with connectors: azure
gcp 9.1.0 with connectors: gcp
os 9.1.0 with connectors: local, ssh, winrm, vagrant, container, docker, filesystem
terraform 9.1.0 with connectors: terraform
vsphere 9.1.0 with connectors: vsphere
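To automate the two version checks above, here is an added shell script (not Mondoo's own tooling) that parses the output formats shown and reports any provider below the 9.1.0 heartbeat minimum; the sample output it runs on is constructed.

```shell
#!/bin/sh
# Added example, not Mondoo tooling: check the output of `cnspec version` and
# `cnspec providers list` (formats as shown in the 9.4 release notes) against the
# 9.4.0 cnspec and 9.1.0 provider minimums required by the provider heartbeat.
set -u

# version_ge A B: succeed if dotted version A is >= B, comparing the first three
# numeric components; a leading "v" and suffixes such as "-rc1" are ignored.
version_ge() {
  a=${1#v} b=${2#v}
  i=1
  while [ "$i" -le 3 ]; do
    x=$(printf '%s\n' "$a" | awk -F. -v i="$i" '{ print $i + 0 }')
    y=$(printf '%s\n' "$b" | awk -F. -v i="$i" '{ print $i + 0 }')
    [ "$x" -gt "$y" ] && return 0
    [ "$x" -lt "$y" ] && return 1
    i=$((i + 1))
  done
  return 0
}

# cnspec_version_ok OUTPUT MIN: parse "cnspec 9.4.0 (76a83f8, ...)" and compare.
cnspec_version_ok() {
  v=$(printf '%s\n' "$1" | awk '$1 == "cnspec" { print $2; exit }')
  [ -n "$v" ] && version_ge "$v" "$2"
}

# outdated_providers OUTPUT MIN: print "name version" for every provider line
# ("<name> <version> [with connectors: ...]") whose version is below MIN.
# Section headers such as "→ builtin (found 2 providers)" carry no version in
# the second column and are skipped.
outdated_providers() {
  printf '%s\n' "$1" |
    awk '$2 ~ /^[0-9]+\.[0-9]+\.[0-9]+/ { print $1, $2 }' |
    while read -r name ver; do
      version_ge "$ver" "$2" || printf '%s %s\n' "$name" "$ver"
    done
}

# Constructed sample output in the release-note format, with the os provider
# deliberately left at 9.0.2 so the check has something to report.
SAMPLE_VERSION='cnspec 9.4.0 (76a83f8, 2023-10-27T00:24:13Z)'
SAMPLE_PROVIDERS='→ builtin (found 2 providers)

core 9.1.0
mock 9.1.0 with connectors: mock

→ /opt/mondoo/providers (found 3 providers)

aws 9.1.0 with connectors: aws
os 9.0.2 with connectors: local, ssh, winrm
terraform 9.1.3 with connectors: terraform'

cnspec_version_ok "$SAMPLE_VERSION" 9.4.0 && echo "cnspec is at 9.4.0 or later"
outdated_providers "$SAMPLE_PROVIDERS" 9.1.0   # prints: os 9.0.2

# Against a real installation (cnspec on PATH), run the same checks on live output:
#   cnspec_version_ok "$(cnspec version)" 9.4.0 || echo "update cnspec"
#   outdated_providers "$(cnspec providers list)" 9.1.0
```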

For the Windows and Linux services, we improved reliability in cases where cnspec crashes by making sure that the service does not restart too often. The default restart limit is 3 times.


  • Fix --asset-name flag not setting asset names properly.
  • Fix failures compiling query packs that used variants.
  • Improve failure messages when MQL resources or fields cannot be found.
  • Fix failures reading "Never" time values in raw JSON data.

· 4 min read

🥳 Mondoo 9.3 is out! This release includes support for new Azure resources, updated macOS policies, and more!​

Get this release: Installation Docs | Package Downloads | Docker Container


New Azure resources​


Updated Packer provider for Mondoo cnspec​

Our Hashicorp Packer cnspec provisioner now uses cnspec 9.x, giving you access to the latest providers and resources directly in your OS image build pipelines.

Updated CIS macOS benchmark policies​

Mondoo now ships with the latest macOS CIS benchmark policies, which include expanded remediation steps, improved descriptions, and more resilient queries:

  • Updated macOS 11 benchmark version to 3.1
  • Updated macOS 12 benchmark version to 2.1
  • Updated macOS 13 benchmark version to 1.1
  • New macOS 14 benchmark (preview) 1.0

Expanded compliance evidence gathering​

We've revamped several of our bundled Mondoo policies with expanded descriptions, improved queries, and best of all, compliance mappings that help you automatically gather evidence no matter what the asset type:

  • TLS/SSL Security Baseline
  • Platform End-of-Life Policy
  • Platform Vulnerability Policy

cnquery run --info flag​

A new --info flag in cnquery allows you to see which resources and fields your MQL queries use.

For example, running this query against the sshd config:

cnquery run -c "sshd.config.params[Version] == mondoo.version" --info

Returns this list of resources and fields:

Resources and Fields used:
- sshd.config
- params
- mondoo
- version


  • Fix failing ARN data queries on aws-ec2-volume assets.
  • Fix asset names from local scans not reporting to the platform.
  • Ensure some empty values in the http resource return null values instead of empty strings.
  • Improve help text in cnspec and cnquery.
  • Fix incorrect compliance check counts in controls.
  • Replace the deprecated CIS Supply Chain Management benchmark policy with the CIS GitHub Level 1 benchmark policy.
  • Add missing Atlassian provider help to cnspec and cnquery.
  • Fix failures querying SCIM data in the Atlassian provider.
  • Fix fetching a list of GitHub users in an organization.
  • Use the GitLab group ID instead of name when fetching data to prevent some failure cases.
  • Fix asset names not capturing properly for some Azure and GCP assets.
  • Report friendly errors when the Atlassian provider does not have the necessary permissions to query data.
  • Add asset.type field to EBS filesystem scans.
  • Prevent query errors when a nonexistent registry key is queried.
  • Ensure cnspec and cnquery use proxies for all traffic when specified.
  • Properly display the asset platform in the status command.
  • Fix failures retrieving secrets from vaults.
  • Fix failures scanning some Kubernetes manifest files.
  • Fix failures setting the AWS platform ID under some circumstances.
  • Group Raspbian assets as operating systems in the console.
  • Improve rendering of user avatars in the console.
  • Use consistent table layouts in the Mondoo Vulnerability Database and the space invitation pages to better match other tables in the console.
  • Save sorting and filtering options in the Mondoo Vulnerability Database when reloaded or bookmarked.
  • Fix failures applying asset annotations passed on the command line.
  • Improve errors from systemd when cnspec fails to start due to missing binaries or configuration files.
  • Don't include the vulnerabilities section on the CLI for unsupported platforms.
  • Update the policy generated by the cnspec bundle init command to be cnspec 9.x compatible.
  • Improve the query results in the Mondoo Kubernetes Cluster and Workload Security policy and remove unnecessary data queries.
  • Improve SOC2 policy check mappings for CIS policies.
  • Add support for macOS systems in the Platform End of Life policy.

· 4 min read

🥳 Mondoo 9.2 is out! This release includes support for securing Atlassian services, a new HTTP resource, and more!​

Get this release: Installation Docs | Package Downloads | Docker Container


Secure Atlassian services​

Our new Atlassian cnquery/cnspec provider allows you to query the configuration of Atlassian's suite of products, including Jira and Confluence.

Use the Atlassian provider with cnquery shell to connect to your Atlassian URL using a user or admin token:

cnquery shell atlassian --host --admin-token FOO

Some example data you can query using this provider and resources:

cnquery> atlassian.admin.organizations
atlassian.admin.organizations: [
0: atlassian.admin.organization id="4j1ack42-6c9d-1552-k55a-c2j536j31066"

cnquery> atlassian.jira.users
atlassian.jira.users: [
0: atlassian.jira.user id="5dd64082af96bc0efbe55103"
1: atlassian.jira.user id="630db2cd9796033b256bc349"
2: atlassian.jira.user id="5cb4ae0e4b97ab11a18e00c7"
3: atlassian.jira.user id="557058:f58131cb-b67d-43c7-b30d-6b58d40bd077"
4: atlassian.jira.user id="712020:1bdc8553-00fa-4e1c-8d14-317bbafece92"
5: atlassian.jira.user id="6183312e3e3753006f8c7baf"
6: atlassian.jira.user id="626b14efc72f140069fc636c"
7: atlassian.jira.user id="5b70c8b80fd0ac05d389f5e9"
8: atlassian.jira.user id="5e6a646f5df5fb0cfee33989"
9: atlassian.jira.user id="557058:cbc04d7b-be84-46eb-90e4-e567aa5332c6"
10: atlassian.jira.user id="712020:45d1ce6f-7b4b-4190-8d93-1d709d7203f9"
11: atlassian.jira.user id="5d53f3cbc6b9320d9ea5bdc2"
12: atlassian.jira.user id="557058:950f9f5b-3d6d-4e1d-954a-21367ae9ac75"
13: atlassian.jira.user id="5cf112d31552030f1e3a5905"
14: atlassian.jira.user id="712020:f4b1ca94-1967-48c6-9c22-b04a9e999fae"
15: atlassian.jira.user id="6035864ce2020c0070b5285b"
16: atlassian.jira.user id="60e5a86a471e61006a4c51fd"
17: atlassian.jira.user id="5d9b2860cd50b80dcea8a5b7"
18: atlassian.jira.user id="5d9afe0010f4800c341a2bba"
19: atlassian.jira.user id="626b1500b31e6f006863c12d"
cnquery> "Lunalectric Integration User"

Learn more about the capabilities of this new provider and its resources in the Atlassian resource pack documentation.

Stay tuned for an Atlassian policy bundle that lets you continuously secure your business' Atlassian usage.

New http resource​

Use our new http resource to continuously secure and assure compliance for HTTP endpoints used by your business.

http.get('') { statusCode version header{ xFrameOptions xContentTypeOptions referrerPolicy sts csp['base-uri'] } }


http.get: {
header: {
csp[base-uri]: "'self'"
xContentTypeOptions: "nosniff"
referrerPolicy: "same-origin"
xFrameOptions: "SAMEORIGIN"
sts: http.header.sts maxAge=365 days includeSubDomains=true preload=false
version: "2.0"
statusCode: 200

Learn more about these new fields at our http.get and http.header documentation.


Expanded Azure resources​

Azure networking resources continue to receive updates to expose critical information for security and compliance within your Azure infrastructure:


  • New publicIpAddress property: The public IP address associated with this IP configuration


  • New publicIpAddresses property: List of public IP addresses the NAT gateway is associated with


  • New dhcpOptions property: Virtual network DHCP options
  • New enableDdosProtection property: Indicates if DDoS protection is enabled for all the protected resources in the virtual network.
  • New enableVmProtection property: Indicates if VM protection is enabled for all the subnets in the virtual network

AWS console links let you jump directly from Mondoo scan results to the scanned assets in the AWS console. Use these handy shortcuts to make updates quickly based on Mondoo findings. We've expanded this support with direct console links from Mondoo DynamoDB, KMS, CloudTrail, and EBS volumes assets.


  • Add form value validation to the Organization Settings -> Authentication page.
  • Improve rendering of the form in the Organization Settings -> Authentication page.
  • Improve the performance of AWS account scans.
  • Fix failures scanning AWS DynamoDB tables.
  • Fix failures fetching metadata and connection settings in the Azure Web App Service.
  • Fix a failure that could occur when querying terraform.files.
  • Don't use Microsoft's UPX binary compression for cnquery and cnspec, as some antivirus software incorrectly flags this as malware.
  • Improve handling of null values in resources.
  • Use asset.fqdn as the asset name for the network and arista providers.
  • Use proxy servers to fetch provider updates when available.
  • Fix the copy to table button on CVE pages failing to copy.
  • Fix a failure creating Jira integrations.
  • Improve compliance framework mappings to show additional data.
  • Fix incorrect titles on some Microsoft KBs.
  • Adjust the EOL dates for Amazon Linux 2018 and Debian 9/12.
  • Don't show checks in policies that are not enabled in Compliance Hub control pages.
  • Rework queries in CIS Windows 10/11/2016/2019/2022 policies to improve reliability.

· 6 min read

🥳 Mondoo 9.1 is out! This release includes support for private GitLab instance scanning, new Azure networking resources, and more!​

Get this release: Installation Docs | Package Downloads | Docker Container


Continuous scanning of hosted GitLab instances​

Running your own private GitLab instance? No problem. Now Mondoo can continuously scan your private GitLab instances, automatically discovering sub-groups, projects, and even IaC code in projects.

New and expanded Azure/MS365 resources​

New resources and fields expand the ability to secure and inventory your Microsoft cloud assets with Mondoo. We've exposed critical networking information in Azure as well as service principal and enterprise application data in Azure AD (now Microsoft Entra ID), giving you the data you need for custom security policies or compliance audits.

New Resources​

  • azure.subscription.networkService.appSecurityGroup: Azure Network Application Security Group
  • azure.subscription.networkService.backendAddressPool: Azure Network Backend Address Pool
  • azure.subscription.networkService.bgpSettings: Azure Network BGP Settings
  • azure.subscription.networkService.bgpSettings.ipConfigurationBgpPeeringAddress: Azure BGP Settings IP Configuration
  • azure.subscription.networkService.firewall: Azure Network Firewall
  • azure.subscription.networkService.firewall.applicationRule: Azure Network Firewall Application Rule
  • azure.subscription.networkService.firewall.ipConfig: Azure Network Firewall IP Configuration
  • azure.subscription.networkService.firewall.natRule: Azure Network Firewall NAT Rule
  • azure.subscription.networkService.firewall.networkRule: Azure Network Firewall Network Rule
  • azure.subscription.networkService.firewallPolicy: Azure Network Firewall Policy
  • azure.subscription.networkService.frontendIpConfig: Azure Network Frontend IP Configuration
  • azure.subscription.networkService.inboundNatPool: Azure Network Inbound NAT Pool
  • azure.subscription.networkService.inboundNatRule: Azure Network Inbound NAT Rule
  • azure.subscription.networkService.loadBalancer: Azure Network Load Balancer
  • azure.subscription.networkService.loadBalancerRule: Azure Network Load Balancer Rule
  • azure.subscription.networkService.natGateway: Azure Network NAT gateway
  • azure.subscription.networkService.outboundRule: Azure Network Outbound Rule
  • azure.subscription.networkService.probe: Azure Network Probe
  • azure.subscription.networkService.subnet: Azure Network Subnet
  • azure.subscription.networkService.virtualNetwork: Azure Network Virtual Network
  • azure.subscription.networkService.virtualNetworkGateway.connection: Azure Network Virtual Network Gateway Connection
  • azure.subscription.networkService.virtualNetworkGateway.ipConfig: Azure Network Virtual Network Gateway IP Configuration
  • azure.subscription.networkService.virtualNetworkGateway: Azure Network Virtual Network Gateway
  • microsoft.serviceprincipal.assignment: Microsoft Service Principal Assignment

New microsoft.serviceprincipal fields​

  • type: Service principal type
  • name: Service principal name
  • tags: Service principal tags
  • enabled: Whether users can sign into the service principal (application)
  • homepageUrl: Service principal homepage URL
  • termsOfServiceUrl: Service principal terms of service URL
  • replyUrls: Service principal reply URLs
  • assignmentRequired: Whether users or other apps must be assigned to this service principal before using it
  • visibleToUsers: Whether the service principal is visible to users
  • notes: Service principal notes
  • assignments: The list of assignments (users and groups) this service principal has


Expanded AWS resource fields​

We're back again this week with 25 new AWS resource fields, giving you the information you need to inventory and secure your assets:


  • vpcArn: The ARN of the VPC associated with the instance


  • availabilityZone: Availability zone where the file system exists if a specific AZ is defined
  • createdAt: Creation timestamp​

  • elasticsearchVersion: The version of Elasticsearch running
  • domainId: The Elasticsearch domain ID
  • domainName: The Elasticsearch domain name


  • createdAt: Creation date of the secret
  • description: Description of the secret
  • lastChangedDate: The last date the secret was changed
  • lastRotatedDate: The last date the secret was automatically rotated
  • nextRotationDate: The date of the next secret rotation
  • primaryRegion: The primary region of the secret
  • rotationEnabled: Whether rotation is enabled for the secret


  • availabilityZone: Availability zone where the cluster exists
  • clusterRevisionNumber: Specific revision number of the database in the cluster
  • clusterStatus: Current state of this cluster. Values: available, creating, deleting, rebooting, renaming, and resizing
  • clusterSubnetGroupName: Name of the subnet group that is associated with the cluster
  • clusterVersion: Version of the Redshift engine running on the cluster
  • createdAt: Cluster creation timestamp
  • dbName: Name of the initial database that was created when the cluster was created
  • enhancedVpcRouting: Whether enhanced VPC routing is enabled for the cluster traffic
  • masterUsername: Master user name for the cluster
  • nextMaintenanceWindowStartTime: The next scheduled maintenance window
  • numberOfNodes: The number of nodes in the cluster
  • vpcId: The ID of the VPC where the cluster is running

Discover all resources related to a given Terraform resource.

For example, given the following Terraform snippet:

resource "aws_iam_role" "dev-resources-iam-role" {
name = "SSM-role-${}-${random_string.suffix.result}"
# ...

resource "aws_iam_instance_profile" "dev-resources-iam-profile" {
name = "ec2_ssm_profile-${}-${random_string.suffix.result}"
role =
# ...

Using this MQL:

terraform.resources {
  nameLabel
  related {
    nameLabel
  }
}

We get:

terraform.resources: [
0: {
nameLabel: "aws_iam_instance_profile"
related: [
0: {
nameLabel: "aws_iam_role"
1: {
nameLabel: "aws_iam_role"
related: [
0: {
nameLabel: "aws_iam_instance_profile"

Improved results pagination​

The larger your infrastructure, the larger the results of your security scans. Now it's easier to navigate those large results no matter where you are in the Mondoo Console. We've reworked our results pagination to make it more consistent and to let you show more results per page when you need to view those extra large data sets.

Asset pagination

Expanded openSUSE Linux CVE data​

Mondoo now includes data on CVEs in openSUSE Linux 15.2 through the latest 15.6 pre-releases.


  • Fix links from "Top Recommended Actions" on asset pages to go directly to check pages.
  • Update multi-selection in CI/CD pages to match the updated design throughout the console.
  • Fix inconsistent table header cell padding in the Compliance Hub pages.
  • Improve rendering of the organization dashboards to prevent lines covering text.
  • Fix asset name detection in cloud instances.
  • Fix provider auto update CLI flag failures.
  • Fix CIS Kubernetes policies to properly apply to kubelets.
  • Fix CIS iptables checks to work with iptables >= 1.8.9 format.
  • Fix failures running Kubernetes Cluster and Workload Security's "Pods should not run Kubernetes dashboard" query.
  • Improve wording in the cnspec scan --help command and don't print duplicate providers.
  • Fix failures running the resource.
  • Fix dns.fqdn not returning an FQDN when scanning the system via SSH or Vagrant.
  • Avoid adding nil Terraform blocks when fetching related blocks.
  • Fix errors fetching processes that would be printed on the command line.
  • Fix cnspec scan to run a local scan like cnspec < 9.0.
  • Provide a friendly error message when scanning unsupported Kubernetes API releases.
  • Fix asset overview only showing the first available AWS tag.
  • Add back missing Scan Overview section in the asset overview.
  • Make sure AWS-specific information displays on the asset overview page for scanned instances.
  • Improve the reliability of CIS sudo-related checks.
  • Fix failures running the CIS "Ensure default user umask is configured" and "Ensure default user umask is 027 or more restrictive" checks on some distributions.
  • Don't show the button to upload new policies or query packs if the user only has viewer privileges in the space.
  • Add back the Audit section in asset check pages.