cnspec

Category: Security & Compliance · Level: intermediate

cnspec is Mondoo's open-source security and policy-as-code scanner that continuously checks infrastructure, cloud, containers, and Kubernetes against compliance policies and security benchmarks in CI/CD.

Summary

cnspec is an open-source security and compliance scanner from Mondoo. It evaluates infrastructure against policies expressed as code—security benchmarks, hardening guides, and compliance controls—and reports clear pass/fail results, which fits continuous checks in CI/CD pipelines.

What is cnspec?

cnspec applies policy-as-code across multiple layers: operating systems and VMs (for example CIS benchmarks), Docker runtimes, container images, and application dependencies. It can scan running systems, cloud accounts, and Kubernetes clusters, and integrates into build pipelines—including a Packer plugin that scans golden images during the build itself.

Built on the same engine as cnquery, cnspec turns discovery into enforcement: cnquery asks open questions, cnspec asserts that defined controls hold and flags drift over time. This makes it a practical instrument for automating the technical checks behind regulatory requirements—such as aspects of NIS2 or EU AI Act compliance—in CI/CD rather than leaving them as documentation. Mondoo was founded by the creator of InSpec, and cnspec continues that lineage of executable compliance.

Why is cnspec relevant?

  • Policy as code: Security and compliance controls become versioned, testable, and automatable
  • Continuous compliance: Pass/fail checks run in CI/CD and detect drift, not just point-in-time audits
  • Multi-layer coverage: OS, cloud, containers, images, and Kubernetes in one tool
  • Supports compliance work: Automates technical checks relevant to NIS2 and EU AI Act compliance in the delivery pipeline
