{"id":13533534,"url":"https://github.com/mondoohq/cnspec","last_synced_at":"2026-06-05T07:01:45.132Z","repository":{"id":61408479,"uuid":"539385775","full_name":"mondoohq/cnspec","owner":"mondoohq","description":"An open source, cloud-native security to protect everything from build to runtime","archived":false,"fork":false,"pushed_at":"2026-06-05T00:25:24.000Z","size":79415,"stargazers_count":433,"open_issues_count":121,"forks_count":35,"subscribers_count":12,"default_branch":"main","last_synced_at":"2026-06-05T01:11:45.910Z","etag":null,"topics":["cloud-native","compliance","declarative","kubernetes","opensource","policy","policy-as-code","security","security-as-code"],"latest_commit_sha":null,"homepage":"https://cnspec.io","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mondoohq.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"docs/CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2022-09-21T08:34:41.000Z","updated_at":"2026-06-04T14:49:27.000Z","dependencies_parsed_at":"2026-05-05T10:02:26.488Z","dependency_job_id":null,"html_url":"https://github.com/mondoohq/cnspec","commit_stats":{"total_commits":449,"total_committers":18,"mean_commits":"24.944444444444443","dds":"0.47438752783964366","last_synced_commit":"fe9325b9269169338f0771b59ec535b4716b3c6c"},"previous_names":[],"tags_count":390,"template":false,"template_full_name":null,"purl":"pkg:github/mondoohq/cnspec","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mondoohq%2Fcnspec","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mondoohq%2Fcnspec/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mondoohq%2Fcnspec/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mondoohq%2Fcnspec/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mondoohq","download_url":"https://codeload.github.com/mondoohq/cnspec/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mondoohq%2Fcnspec/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33932048,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-05T02:00:06.157Z","response_time":120,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cloud-native","compliance","declarative","kubernetes","opensource","policy","policy-as-code","security","security-as-code"],"created_at":"2024-08-01T07:01:20.738Z","updated_at":"2026-06-05T07:01:45.125Z","avatar_url":"https://github.com/mondoohq.png","language":"Go","funding_links":[],"categories":["Policy as code","Go"],"sub_categories":[],"readme":"# cnspec\n\n![cnspec light-mode logo](.github/images/cnspec-light.svg#gh-light-mode-only)\n![cnspec dark-mode logo](.github/images/cnspec-dark.svg#gh-dark-mode-only)\n\n**Open source, cloud-native security and policy project**\n\ncnspec assesses your entire infrastructure's security and compliance. It finds vulnerabilities and misconfigurations across public and private cloud environments, Kubernetes clusters, containers, container registries, servers, endpoints, SaaS products, infrastructure as code, APIs, and more.\n\nA powerful policy as code engine, cnspec is built upon Mondoo's security data fabric. It comes configured with default security policies that run right out of the box. It's both fast and simple to use!\n\n### Quick start\n\n```bash\nbash -c \"$(curl -sSL https://install.mondoo.com/sh)\"\ncnspec scan local\n```\n\n![cnspec scan example](.github/images/cnspec-scan.gif)\n\n## Installation\n\nInstall cnspec with our installation script:\n\n**Linux and macOS**\n\n```bash\nbash -c \"$(curl -sSL https://install.mondoo.com/sh)\"\n```\n\n**Windows**\n\n```powershell\nSet-ExecutionPolicy Unrestricted -Scope Process -Force;\n[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072;\niex ((New-Object System.Net.WebClient).DownloadString('https://install.mondoo.com/ps1'));\nInstall-Mondoo;\n```\n\nIf you prefer manual installation, you can find the cnspec packages in our [releases](https://github.com/mondoohq/cnspec/releases).\n\n## Run a scan with policies\n\nUse the `cnspec scan` subcommand to check local and remote targets for misconfigurations and vulnerabilities.\n\n### Local scan\n\nThis command evaluates the security of your local machine:\n\n```bash\ncnspec scan local\n```\n\n### Remote scan targets\n\nYou can also specify [remote targets](#supported-targets) to scan. For example:\n\n```bash\n# to scan a docker image:\ncnspec scan docker image ubuntu:22.04\n\n# scan public ECR registry\naws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/r6z5b8t4\ncnspec scan docker image public.ecr.aws/r6z5b8t4\n\n# to scan an AWS account using the local AWS CLI config\ncnspec scan aws\n\n# scan an EC2 instance with EC2 Instance Connect\ncnspec scan aws ec2 instance-connect root@i-1234567890abcdef0\n\n# to scan a Kubernetes cluster via your local kubectl config or a local manifest file\ncnspec scan k8s\ncnspec scan k8s manifest.yaml\n\n# to scan a GitHub repository\nexport GITHUB_TOKEN=\u003cpersonal_access_token\u003e\ncnspec scan github repo \u003corg/repo\u003e\n```\n\n[:books: To learn more, read the cnspec docs.](https://mondoo.com/docs/cnspec)\n\n### Policies\n\ncnspec policies are built on the concept of policy as code. cnspec comes with default security policies configured for all supported targets. The default policies are available in the `content` directory of this repository.\n\n## Vulnerability scan\n\ncnspec scans for vulnerabilities in a wide range of platforms. Vulnerability scanning is not restricted to container images; it works for build and runtime as well.\n\n![cnspec vulnerability scan example](.github/images/cnspec-vuln.gif)\n\nNOTE: Vulnerability scanning requires the client to be logged into Mondoo Platform.\n\n### Examples\n\n```bash\n# scan container image\ncnspec vuln docker debian:12\n\n# scan aws instance via EC2 instance connect\ncnspec vuln aws ec2 instance-connect root@i-1234567890abcdef0\n\n# scan instance via SSH\ncnspec vuln ssh user@host\n\n# scan windows via SSH or Winrm\ncnspec vuln ssh user@host --ask-pass\ncnspec vuln winrm user@host --ask-pass\n\n# scan VMware vSphere ESXi hosts\ncnspec vuln vsphere user@host --ask-pass\n\n# scan Linux, Windows\ncnspec vuln local\n```\n\n| Platform | Versions |\n| ------------------------ | ------------------------------ |\n| Alpine | 3.10 - 3.23 |\n| AlmaLinux | 8, 9, 10 |\n| Amazon Linux | 1, 2, 2023 |\n| Arch Linux | Rolling |\n| CentOS | 6, 7, 8, Stream |\n| Debian | 8, 9, 10, 11, 12, 13 |\n| Fedora | 30 - 43 |\n| openSUSE | Leap 15, Leap 16 |\n| Oracle Linux | 6, 7, 8, 9, 10 |\n| Photon Linux | 2, 3, 4, 5 |\n| Red Hat Enterprise Linux | 6, 7, 8, 9, 10 |\n| Rocky Linux | 8, 9, 10 |\n| SUSE Linux Enterprise | 12, 15, 16 |\n| Ubuntu | 18.04, 20.04, 22.04, 24.04 |\n| VMware vSphere ESXi | 6, 7, 8 |\n| Windows | 10, 11, 2016, 2019, 2022, 2025 |\n\n## cnspec interactive shell\n\ncnspec also provides an interactive shell to explore assertions. It helps you understand the assertions that security policies use, as well as write your own policies. It's also a great way to interact with both local and remote targets on the fly.\n\n### Local system shell\n\n```bash\ncnspec shell local\n```\n\nThe shell provides a `help` command for information on the resources that power cnspec. Running `help` without any arguments lists all of the available resources and their fields. You can also run `help \u003cresource\u003e` to get more detail on a specific resource. For example:\n\n```bash\ncnspec\u003e help ports\nports: TCP/IP ports on the system\n list []port: List of all TCP/IP ports\n listening []port: All listening ports\n```\n\nThe shell uses auto-complete, which makes it easy to explore.\n\nOnce inside the shell, you can enter MQL assertions like this:\n\n```coffeescript\n\u003e ports.listening.none( port == 23 )\n```\n\nTo clear the terminal, type `clear`.\n\nTo exit, either hit CTRL + D or type `exit`.\n\n## Prioritize risks that matter with Mondoo Platform\n\nThe Mondoo unified security platform finds and prioritizes vulnerabilities and misconfigurations that pose the highest risk to your business. Mondoo's security data fabric analyzes the threat and exposure of every finding within the unique context of your infrastructure. Instead of a flood of irrelevant security alerts, Mondoo shows you how you can make an immediate and significant impact on your security posture.\n\nTo get started, [contact us](https://mondoo.com/contact).\n\nTo learn about Mondoo Platform, read the [Mondoo Platform docs](https://mondoo.com/docs/) or visit [mondoo.com](https://mondoo.com).\n\n### Register cnspec with Mondoo Platform\n\nTo use cnspec with Mondoo Platform, [generate a token in the Mondoo App](https://mondoo.com/docs/cnspec/cnspec-platform/), then run:\n\n```bash\ncnspec login --token TOKEN\n```\n\nOnce authenticated, you can scan any target:\n\n```bash\ncnspec scan \u003ctarget\u003e\n```\n\ncnspec returns the results from the scan to `STDOUT` and to Mondoo Platform.\n\nWith an account on Mondoo Platform, you can upload policies:\n\n```bash\ncnspec bundle upload mypolicy.mql.yaml\n```\n\n## Custom policies\n\nA cnspec policy is simply a YAML file that lets you express any security rule or best practice for your fleet.\n\nA few examples can be found in the `examples` folder in this repo. You can run any of these policies:\n\n```bash\ncnspec scan local -f examples/example.mql.yaml\n```\n\nIf you're interested in writing your own policies or contributing policies back to the cnspec community, read Mondoo's [Policy Authoring Guide](https://mondoo.com/docs/cnspec/write-policies/write-intro/).\n\n## Supported targets\n\n| Target | Provider | Example |\n| ----------------------------- | -------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------- |\n| Ansible playbooks | `ansible` | `cnspec shell ansible YOUR_PLAYBOOK.yml` |\n| Arista network devices | `arista` | `cnspec scan arista DEVICE_PUBLIC_IP --ask-pass` |\n| Atlassian organizations | `atlassian` | `cnspec shell atlassian --host YOUR_HOST_URL --admin-token YOUR_TOKEN` |\n| AWS accounts | `aws` | `cnspec scan aws` |\n| AWS CloudFormation templates | `cloudformation` | `cnspec scan cloudformation cloudformation_file.json` |\n| AWS EC2 EBS snapshot | `aws ec2 ebs snapshot` | `cnspec scan aws ec2 ebs snapshot SNAPSHOTID` |\n| AWS EC2 EBS volume | `aws ec2 ebs volume` | `cnspec scan aws ec2 ebs volume VOLUMEID` |\n| AWS EC2 Instance Connect | `aws ec2 instance-connect` | `cnspec scan aws ec2 instance-connect ec2-user@INSTANCEID` |\n| AWS EC2 instances | `ssh` | `cnspec scan ssh user@host` |\n| Confluence users | `atlassian` | `cnspec shell atlassian --host YOUR_HOST_URL --admin-token YOUR_TOKEN` |\n| Container images | `container`, `docker` | `cnspec scan container ubuntu:latest` |\n| Container registries | `container registry` | `cnspec scan container registry index.docker.io/library/rockylinux:8` |\n| DNS records | `host` | `cnspec scan host mondoo.com` |\n| Dockerfiles | `docker` | `cnspec shell docker file FILENAME` |\n| GitHub organizations | `github org` | `cnspec scan github org mondoohq` |\n| GitHub repositories | `github repo` | `cnspec scan github repo mondoohq/cnspec` |\n| GitLab groups | `gitlab` | `cnspec scan gitlab --group mondoohq` |\n| Google Cloud projects | `gcp` | `cnspec scan gcp` |\n| Google Workspace | `google-workspace` | `cnspec scan google-workspace --customer-id CUSTOMER_ID --impersonated-user-email EMAIL --credentials-path JSON_FILE` |\n| IoT devices | `opcua` | `cnspec shell opcua` |\n| Jira projects | `atlassian` | `cnspec shell atlassian --host YOUR_HOST_URL --admin-token YOUR_TOKEN` |\n| Juniper Junos devices | `junos` | `cnspec scan junos --hostname DEVICE_IP --username USER_NAME --identity-file SSH_IDENTITY_FILE` |\n| Kubernetes cluster nodes | `local`, `ssh` | `cnspec scan ssh user@host` |\n| Kubernetes clusters | `k8s` | `cnspec scan k8s` |\n| Kubernetes manifests | `k8s` | `cnspec scan k8s manifest.yaml` |\n| Kubernetes workloads | `k8s` | `cnspec scan k8s --discover pods,deployments` |\n| Linux hosts | `local`, `ssh` | `cnspec scan local` or\u003cbr\u003e\u003c/br\u003e`cnspec scan ssh user@host` |\n| macOS hosts | `local`, `ssh` | `cnspec scan local` or\u003cbr\u003e\u003c/br\u003e`cnspec scan ssh user@IP_ADDRESS` |\n| Microsoft 365 tenants | `ms365` | `cnspec scan ms365 --tenant-id TENANT_ID --client-id CLIENT_ID --certificate-path PFX_FILE` |\n| Microsoft Azure instances | `ssh` | `cnspec scan ssh user@host` |\n| Microsoft Azure subscriptions | `azure` | `cnspec scan azure --subscription SUBSCRIPTION_ID` |\n| Okta org | `okta` | `cnspec scan okta --token TOKEN --organization ORGANIZATION` |\n| Oracle Cloud Interface (OCI) | `oci` | `cnspec scan oci` |\n| Running containers | `docker` | `cnspec scan docker CONTAINER_ID` |\n| Shodan search engine | `shodan` | `cnspec shell shodan` |\n| Slack team | `slack` | `cnspec scan slack --token TOKEN` |\n| SSL certificates on websites | `host` | `cnspec scan host mondoo.com` |\n| Terraform HCL | `terraform` | `cnspec scan terraform HCL_FILE_OR_PATH` |\n| Terraform plan | `terraform plan` | `cnspec scan terraform plan plan.json` |\n| Terraform state | `terraform state` | `cnspec scan terraform state state.json` |\n| Vagrant virtual machines | `vagrant` | `cnspec scan vagrant HOST` |\n| VMware Cloud Director | `vcd` | `cnspec shell vcd user@domain@host --ask-pass` |\n| VMware vSphere | `vsphere` | `cnspec scan vsphere user@domain@host --ask-pass` |\n| Windows hosts | `local`, `ssh`, `winrm` | `cnspec scan local`,\u003cbr\u003e\u003c/br\u003e`cnspec scan ssh Administrator@IP_ADDRESS --ask-pass` or\u003cbr\u003e\u003c/br\u003e`cnspec scan winrm Administrator@IP_ADDRESS --ask-pass` |\n\n## Agent skills\n\ncnspec includes agent skills that give coding agents MQL expertise and policy navigation capabilities. Skills work across Claude Code, Cursor, Gemini CLI, and Codex.\n\n| Skill | Description |\n|-------|-------------|\n| [mql](skills/mql/) | MQL query development with syntax guidance, platform-specific patterns, and schema discovery |\n| [policy-graph](skills/policy-graph/) | Navigate policy bundles using graph commands — search, trace compliance mappings, explore structure |\n\nSee [skills/README.md](skills/README.md) for installation instructions and details.\n\n## What's next?\n\nThere are so many things cnspec can do, from testing your entire fleet for vulnerabilities to gathering information and creating reports for auditors. With its custom policies, cnspec can scan any component you care about!\n\nExplore our:\n\n- [cnspec docs](https://mondoo.com/docs/cnspec/)\n- [Policy as code](https://mondoo.com/docs/cnspec/write-policies/write-intro/)\n- [MQL](https://github.com/mondoohq/mql), our open source, cloud-native asset inventory framework\n- [MQL introduction](https://mondoohq.github.io/mql-intro/index.html)\n- [MQL resource packs](https://mondoo.com/docs/mql/resources/)\n- [HashiCorp Packer plugin](https://github.com/mondoohq/packer-plugin-mondoo) to integrate cnspec with HashiCorp Packer!\n\n## Join the community!\n\nOur goal is to secure all layers of your infrastructure. If you need support or want to get involved with the development of cnspec, join our [community](https://github.com/orgs/mondoohq/discussions) today and let's grow it together!\n\n## Development\n\nSee our [development documentation](docs/development.md) for information on building and contributing to cnspec.\n\n## Legal\n\n- **Copyright:** 2018-2026, Mondoo, Inc.\n- **License:** BUSL 1.1\n- **Authors:** Christoph Hartmann, Dominik Richter\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmondoohq%2Fcnspec","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmondoohq%2Fcnspec","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmondoohq%2Fcnspec/lists"}