cnspec-policies (ARCHIVED)

⚠️ This repository has been archived as of June 6, 2025.

The cnquery query packs have been moved to the main cnspec repository: https://github.com/mondoohq/cnspec/tree/main/content

This project contains security and operational best-practice policies (as code) for use with cnspec.

We've organized them into these directories:

• core - Core policies contain baseline security and operational best-practice checks for various scan targets. Core policies are maintained by Mondoo and have strict quality requirements.
• extra - Extra policies are a mix of community- and Mondoo-maintained policy bundles that are outside Mondoo's core support tier.
• community - Community policies are primarily maintained by the community with the support of the Mondoo team. Community policies may move to extra or core over time.

The latest version of the policies in this repository requires cnspec v8+

Run policies

cnspec scan {TARGET} -f core/{POLICY_NAME}.mql.yaml

Examples:

# Linux
cnspec scan local -f core/mondoo-linux-security.mql.yaml

# macOS
cnspec scan local -f core/mondoo-macos-security.mql.yaml

# Windows
cnspec scan local -f core/mondoo-windows-security.mql.yaml

With the Open Security Registry

cnspec scan {TARGET} --policy mondoohq/{POLICY_UID}

Examples:

# Linux
cnspec scan local --policy mondoohq/mondoo-linux-security

# macOS
cnspec scan local --policy mondoohq/mondoo-macos-security

# Windows
cnspec scan local --policy mondoohq/mondoo-windows-security

Join the community!

Join the Mondoo Community GitHub Discussions to collaborate on policy as code and security automation.

Additional policies

Additional certified security and compliance policies can be found in the Policy Hub on Mondoo Platform. Sign up for a free account to view the list of policies available.

License

Business Source License 1.1