Is Mondoo an alternative to InSpec?


Why Mondoo instead of InSpec?

For me, testing infrastructure started with RSpec and ServerSpec. Then the DevSec project taught me how to use these tests as compliance tests as well. A short time later, the developers behind that project joined Chef Inc. and developed InSpec, a test and policy tool that we have been using intensively with our customers to this day.

So we were very excited when we heard that the team behind InSpec had started a new project. Their new project is called Mondoo and focuses on Policy-As-Code.

If you are not yet familiar with Mondoo, check out the official "Getting Started Guide":

An experiment

As a long-term InSpec user, I am of course very interested in whether there is any overlap between InSpec and Mondoo in terms of functionality. In theory, could I move my InSpec tests to Mondoo?

Mondoo should be able to test external systems via SSH. I want to find out!

No dependencies is an advantage

The big flaw in using InSpec is its dependency on Ruby. This is the feature of Mondoo that makes me want to do this experiment the most: Mondoo is shipped as a single binary, with no dependencies on a programming language runtime or the like. This of course makes installing the binary a lot easier.

Installing Mondoo

First, we need to install Mondoo on our workstation. Conveniently, the Mondoo team has created a simple installation script for their users:

All we have to run in our terminal is the following command:

```bash
bash -c "$(curl -sSL"
```

Note that I have not created a Mondoo account here beforehand. I intend to use Mondoo without the associated online service.

Of course, I would recommend everyone to set up a Mondoo account in order to be able to access the full range of functions. This is especially useful if you want to use Mondoo for Policy-As-Code as well.

So why not create an account now? I wanted to try to get as close to the InSpec experience as possible.

Writing your own policy

For this experiment I want to write my own policy that tests my target system via SSH. The Mondoo docs explain this process very well:

I want to trigger a shell command on the target system that provides certain information in the stdout. I want to check this information automatically.

I decided to read out and check the version number of the target operating system. For me the target system is a Raspberry Pi with Raspbian 11. With the following command I get this information on the terminal (on the target system):

```
$ cat /etc/os-release
PRETTY_NAME="Raspbian GNU/Linux 11 (bullseye)"
NAME="Raspbian GNU/Linux"
VERSION="11 (bullseye)"
```

If the text Raspbian GNU/Linux 11 (bullseye) appears in the output of the command, this is a sign that everything is correct.

Mondoo gives us a great tool for that. With the query

```
command('cat /etc/os-release').stdout == /11 \(bullseye\)/
```

Mondoo executes the command cat /etc/os-release on the target system and checks whether the regular expression 11 \(bullseye\) matches its output (the parentheses have to be escaped, because unescaped they would form a regex group). If so, the query, aka our test, is successful.

If I incorporate the whole thing into a Mondoo policy (my-policy.yaml), the result looks like this:

```yaml
policies:
  - uid: os-check
    name: Check OS
    version: "1.0.0"
    specs:
      - asset_filter:
          query: == 'unix')   # the beginning of this filter expression is missing here
        data_queries:
          os-data-01:
queries:
  - uid: os-data-01
    title: Check for OS version
    query: command('cat /etc/os-release').stdout == /11 \(bullseye\)/
    docs:
      desc: |
        Raspbian should be installed in version 11
      audit: Run the `cat /etc/os-release` command and verify that Raspbian version is 11
      remediation: |
        Install latest version of Raspbian.
```

For comparison, this is what the same test looks like with InSpec:

```ruby
describe command('cat /etc/os-release') do
  its('stdout') { should match /11 \(bullseye\)/ }
end
```
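Both the MQL query and the InSpec test above match a regular expression against the raw stdout of `cat /etc/os-release`. The following plain Ruby script is an added example (not code from this post, from Mondoo or from InSpec) that shows the same check two ways on a constructed copy of the Raspberry Pi's os-release output: first as the regex match, including the difference between the escaped and the unescaped parentheses, and then as a structured check that parses the os-release key/value format and compares `ID` and `VERSION_ID` instead of a substring of the human-readable `PRETTY_NAME`. The function names and the sample text are this example's own.

```ruby
# Constructed sample: the os-release output shown in the post for the Raspberry Pi.
SAMPLE_OS_RELEASE = <<~OSR
  PRETTY_NAME="Raspbian GNU/Linux 11 (bullseye)"
  NAME="Raspbian GNU/Linux"
  VERSION_ID="11"
  VERSION="11 (bullseye)"
  VERSION_CODENAME=bullseye
  ID=raspbian
  ID_LIKE=debian
OSR

# Regex check as the MQL query and the InSpec test do it. Parentheses are regex
# metacharacters: /11 (bullseye)/ only matches the text "11 bullseye", so the
# escaped form /11 \(bullseye\)/ is required to match the real output.
def stdout_matches?(stdout, pattern)
  !(stdout =~ pattern).nil?
end

# Parse the os-release format: one KEY=value per line, values optionally wrapped
# in single or double quotes, '#' comments and blank lines ignored.
def parse_os_release(text)
  text.each_line.with_object({}) do |line, vars|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    key, _, value = line.partition('=')
    next if key.empty?
    value = value.strip
    quoted = (value.start_with?('"') && value.end_with?('"')) ||
             (value.start_with?("'") && value.end_with?("'"))
    value = value[1..-2] if quoted && value.length >= 2
    vars[key] = value
  end
end

# Structured check: compare the fields that identify the distribution and its
# release, which are stable across wording changes in PRETTY_NAME.
def expected_release?(text, id:, version_id:)
  vars = parse_os_release(text)
  vars['ID'] == id && vars['VERSION_ID'] == version_id
end

if __FILE__ == $PROGRAM_NAME
  puts "regex (escaped):   #{stdout_matches?(SAMPLE_OS_RELEASE, /11 \(bullseye\)/)}"
  puts "regex (unescaped): #{stdout_matches?(SAMPLE_OS_RELEASE, /11 (bullseye)/)}"
  puts "structured:        #{expected_release?(SAMPLE_OS_RELEASE, id: 'raspbian', version_id: '11')}"
end
```

The structured variant is what I would prefer for a compliance check: `PRETTY_NAME` is free text that a distribution may reword, while `ID` and `VERSION_ID` are the fields the os-release format defines for exactly this purpose. InSpec's built-in `os` resource (`os.name`, `os.release`) already reads these fields for you, so there the regex on stdout is not even necessary.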

Running the policy via SSH

All that is still missing is to execute the policy. I have replaced the username and the URL of my target system with USER and URL. You simply enter the data valid for your target system here:

```bash
mondoo scan --incognito -t ssh://USER@URL ./my-policy.yml
```

The command runs in "incognito" mode. Mondoo does not connect to the Mondoo online service in this way.

The output shows us that the test was successful:

```
→ no configuration file provided
                        .-.
                        : :
,-.,-.,-. .--. ,-.,-. .-' : .--.  .--. ™
: ,. ,. :' .; :: ,. :' .; :' .; :' .; :
x could not initialize credentials for upstream connection error="cannot configure client authentication: cannot load retrieved key: AuthKey must be a valid .p8 PEM file"
→ discover related assets for 1 asset(s)
→ resolved assets resolved-assets=1
→ execute policies
→ enabled incognito mode
→ establish connection to asset raspberrypi (unknown)
→ run policies for asset asset=//
███████████████████████████████████████████████████████████████████████████ 100% raspberrypi
→ send all results asset=//
→ generate report asset=//
→ scan complete asset=//
│  _   _                     │
│ | | | |  Unrated 0/100     │
│ | |_| |  100% complete     │
│  \___/                     │
Asset Policy 21S5VOX7Lt7FeOSeuDCBuA9mH7R
■  U   Check OS
Check OS
│  _   _  │  Policy:  Check OS
│ | | | | │  Version: 1.0.0
│ | |_| | │  Mrn:     //
│  \___/  │  Score:   0 (completion: 100%, via average score)
no scored queries
Data Queries:
■ Title: Check for OS version
  ID:    //
  Query: command('cat /etc/os-release').stdout == /11 \(bullseye\)/
  Result:
    [ok] value: "PRETTY_NAME=\"Raspbian GNU/Linux 11 (bullseye)\"
    NAME=\"Raspbian GNU/Linux\"
    VERSION_ID=\"11\"
    VERSION=\"11 (bullseye)\"
    VERSION_CODENAME=bullseye
    ID=raspbian
    ID_LIKE=debian
    HOME_URL=\"\"
    SUPPORT_URL=\"\"
    BUG_REPORT_URL=\"\"
    "
Asset Overview
■  U   raspberrypi
Aggregated Policy Overview
```


This experiment showed me that I could map my InSpec test with Mondoo. So if you don't want to operate two different tools, you could do all of it with Mondoo. The added value here is clearly that I can set up a Mondoo account and thus gain access to a large number of pre-written policies. This is reminiscent of Chef Compliance. A big advantage is that I only need the Mondoo binary and have no other dependencies. A disadvantage would be the larger amount of code I have to write to get the same result as with InSpec.

I find Mondoo very exciting and will definitely keep an eye on it.

If you want to find out more about Mondoo, visit <>.
