Mondoo
Category: IaC Security
License: Source Available (BUSL-1.1) / Commercial (Platform)
Suphi Cankurt
AppSec Enthusiast
Updated February 6, 2026
4 min read

Mondoo is an infrastructure security and compliance platform that scans cloud environments, containers, Kubernetes clusters, operating systems, IaC templates, and SaaS applications for vulnerabilities and misconfigurations. The platform is built on two source-available tools: cnspec for security assertions and cnquery for infrastructure data exploration, both licensed under BUSL-1.1 and powered by MQL (Mondoo Query Language).

The scanning engines cover over 400 resource types across major cloud providers, container runtimes, operating systems, and developer platforms. The commercial Mondoo Platform adds dashboards, compliance reporting, remediation workflows, and historical tracking on top.

What is Mondoo?

Mondoo approaches infrastructure security as a data problem. cnquery lets you ask questions about your infrastructure (“What TLS versions are my servers running?”), and cnspec lets you assert policies against those answers (“All servers must use TLS 1.2 or higher”). Both tools use MQL, a purpose-built query language that reads like natural language but executes against live infrastructure.

This policy-as-code approach means security teams define rules once and enforce them everywhere: in CI/CD pipelines during builds, across cloud accounts in production, and on developer workstations locally.

cnspec (Security Scanner)
Source-available CLI that asserts security policies against infrastructure. Scans cloud APIs, containers, Kubernetes, OS configs, IaC templates, and SaaS platforms.
cnquery (Asset Explorer)
Source-available CLI for querying infrastructure data. Explore cloud resources, container configurations, OS settings, and more using MQL.
Mondoo Platform
Commercial dashboard with compliance reporting, historical tracking, team management, automated remediation, and integration with ticketing systems.

Key Features

Cloud Security Posture

Mondoo connects to AWS, Azure, GCP, and Microsoft 365 accounts to continuously scan for misconfigurations and vulnerabilities. The scanner checks IAM policies, network configurations, storage permissions, encryption settings, logging configurations, and hundreds of other cloud resource properties.

Scans run against live cloud APIs, so results reflect the current state of your infrastructure rather than stale snapshots. The platform maps findings to compliance frameworks automatically, showing which misconfigurations violate which standards.

Container and Kubernetes Security

Mondoo scans container images during CI/CD builds and Kubernetes clusters in production. For containers, it checks for known CVEs in packages, insecure base images, and misconfigured Dockerfiles. For Kubernetes, it evaluates cluster configuration, RBAC policies, pod security standards, and network policies.

The scanner integrates with container registries and can run as an admission controller in Kubernetes to block non-compliant workloads from deploying.

Infrastructure as Code Scanning

cnspec scans Terraform, Ansible, and CloudFormation templates before they reach production. Catching misconfigurations at the IaC stage prevents them from ever becoming live vulnerabilities. The scanner understands resource relationships within templates, so it can detect issues that depend on how resources interact.

Integration with HashiCorp Packer allows scanning machine images during the build process, extending security checks to the image pipeline.

CVE Detection

Mondoo’s vulnerability detection engine identifies CVEs across Linux, macOS, Windows, and AIX systems. Recent updates expanded coverage to Microsoft SQL Server, Office applications, and Microsoft 365 components. Each finding includes severity scoring, affected package details, and available fixes.

Compliance Frameworks

Built-in policy bundles cover CIS Benchmarks, NIST 800-53, ISO 27001, SOC 2, NIS2, PCI DSS, and HIPAA. The platform maps individual findings to specific framework controls, generating audit-ready evidence without manual mapping work.

Custom policies can be written in MQL for organization-specific requirements that go beyond standard frameworks.
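As an added illustration of the custom MQL policies described above (not code from the original page or from Mondoo's own policy bundles), the following cnspec policy bundle asserts three SSH daemon settings. It assumes cnspec's policy-bundle YAML layout (policies, groups, checks with uid/title/mql), the `sshd.config` MQL resource, and a hypothetical `asset.family` filter; check these against the cnspec version you run.

```yaml
# Added example, not part of the original page or Mondoo's own bundles.
# Assumes cnspec's policy-bundle layout (policies -> groups -> checks)
# and the MQL sshd.config resource; verify against your cnspec version.
policies:
  - uid: example-ssh-hardening
    name: Example SSH hardening policy
    version: 1.0.0
    groups:
      - title: SSH daemon configuration
        # Only evaluate on Unix-like assets (assumed filter expression).
        filters: asset.family.contains("unix")
        checks:
          - uid: example-ssh-01
            title: Password authentication is disabled
            impact: 80
            # MQL assertion: the effective sshd setting must be "no".
            mql: sshd.config.params["PasswordAuthentication"] == "no"
          - uid: example-ssh-02
            title: Root login over SSH is not permitted
            impact: 90
            mql: sshd.config.params["PermitRootLogin"] == "no"
          - uid: example-ssh-03
            title: Only modern ciphers are offered
            impact: 60
            # Fail if any configured cipher matches the weak CBC family.
            mql: sshd.config.ciphers.none(/cbc/)
```

Saved as example-ssh.mql.yaml, the bundle is evaluated against the local host with `cnspec scan local -f example-ssh.mql.yaml`; each failing check is reported with its title and impact score.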

Getting Started

1. Install cnspec: Download the CLI for your platform. Available via Homebrew (brew install mondoohq/mondoo/cnspec), package managers, or direct binary download.
2. Run your first scan: Execute cnspec scan local to assess your local machine against default security policies. Results appear immediately in the terminal.
3. Scan cloud infrastructure: Connect to your cloud provider with cnspec scan aws, cnspec scan azure, or cnspec scan gcp. The scanner uses your existing cloud credentials.
4. Add to CI/CD: Integrate cnspec into your build pipeline to scan IaC templates and container images before deployment. Block builds that fail security policies.

Platform Coverage

Category: Supported Technologies
Cloud: AWS, Azure, GCP, Microsoft 365
Containers: Docker, Podman, containerd, registries
Orchestration: Kubernetes, EKS, AKS, GKE
IaC: Terraform, Ansible, CloudFormation, Packer
Operating Systems: Linux, macOS, Windows, AIX
Developer Platforms: GitHub, GitLab
SaaS: Slack, Microsoft 365, Google Workspace

When to Use Mondoo

Mondoo fits teams that need a single tool for infrastructure security across multiple layers. Instead of running separate tools for cloud posture, container scanning, IaC analysis, and OS hardening, cnspec covers all of these with a unified policy language.

The source-available CLI is a practical choice for individual practitioners and small teams that want to start scanning without committing to a commercial platform. The commercial tier adds value for organizations that need compliance reporting, historical tracking, and centralized management across large environments.

Best for
DevSecOps teams that need unified infrastructure security across cloud, containers, Kubernetes, IaC, and endpoints. The source-available cnspec CLI provides a free starting point, while the commercial platform adds compliance reporting and centralized management for larger organizations.

For a broader view of IaC security strategy, see our cloud infrastructure security guide. For teams focused specifically on IaC scanning, tools like Checkov or KICS may be simpler. For container-only vulnerability scanning, Trivy or Grype are lighter alternatives. Mondoo’s strength is breadth: covering the full infrastructure stack with a single policy language.

Frequently Asked Questions

What is Mondoo?
Mondoo is an infrastructure security and compliance platform that scans cloud environments, containers, Kubernetes clusters, operating systems, IaC templates, and SaaS applications. It is built on the source-available tools cnspec and cnquery, powered by MQL (Mondoo Query Language) for policy as code.
Is Mondoo open source or commercial?
The core scanning tools, cnspec and cnquery, are source-available under the BUSL-1.1 license and free to use for non-commercial purposes. The Mondoo Platform adds a commercial layer with dashboards, team management, compliance reporting, automated remediation workflows, and historical tracking.
What does Mondoo scan?
Mondoo scans over 400 resource types across AWS, Azure, GCP, Kubernetes, Docker, Linux, macOS, Windows, AIX, Terraform, Ansible, CloudFormation, GitHub, GitLab, Microsoft 365, Slack, and more. Its CVE detection engine covers operating systems, applications, and cloud services.
How does Mondoo integrate into CI/CD pipelines?
cnspec runs as a CLI tool that fits into any CI/CD pipeline. It can scan IaC templates before deployment, container images during builds, and live infrastructure in production. Integrations exist for GitHub Actions, GitLab CI, Jenkins, and HashiCorp Packer.
How does Mondoo compare to Checkov or Trivy?
Checkov and Trivy focus on IaC scanning and container image scanning respectively. Mondoo covers a broader surface: IaC, containers, cloud APIs, operating systems, SaaS, and endpoints in a single platform with unified policy as code. The trade-off is that Mondoo’s full capabilities require the commercial platform.