Find everything with full-text search
We expanded our search from just assets to absolutely everything. Now you can find spaces, assets, checks, CVEs, and vendor advisories with a simple, text-only search.
Examples:
- Search for the Google Cloud project ID luna-discovery to see not only the project asset itself but also storage buckets with that project ID and a Terraform file with the name luna-discovery-backend.
- Search for stella@lunalectric.com to see all assets in a space that contain Stella's email in any resource field.
- Search for RDS across an entire organization to find all RDS assets in all spaces in the organization plus all RDS-related checks in policies.
AWS got a lot of love this month!
We love when our customers tell us exactly what they want. This month, many of our customer-requested additions centered on AWS. From the smallest resource addition to the positively game-changing ability to perform agentless continuous scanning, we're excited to ship these new capabilities for our customers.
Introducing Mondoo-hosted continuous AWS scanning
For over three years, Mondoo's Lambda-based scanning agent has provided our customers with continuously updated AWS configuration and security data they can trust. But some of our customers wanted agentless AWS scanning similar to what we provide for other cloud platforms. We listened and we delivered!
You now have a choice for continuous AWS scanning: the tried-and-true serverless integration or new Mondoo-hosted scanning. Each has its benefits; you choose based on the specific needs of your business and environment.
Scan Fedora AWS instance snapshots
You can now scan Fedora workloads in AWS without deploying the Mondoo package. New snapshot scanning support for Fedora instances makes this possible.
Catch it before it's live: Scan CloudFormation templates
We didn't limit our AWS improvements to production environments; we also added CloudFormation template scanning so you can catch misconfigurations before they reach production.
We now provide security assessments for JSON- and YAML-formatted CloudFormation templates and Serverless Application Model (SAM) templates.
Cancel running serverless AWS scans
We're all about giving you the control you need over your environments. You can now cancel all running AWS instance scans for your organization or account directly from the integration page with a new Cancel Scans option on the ellipsis menu.
Learn a lot more about your AWS integration
If knowledge is power then we're supercharging your AWS security. We've overhauled the AWS integration management experience, laying out the current configuration, potential scanning errors, and discovered assets.
And here's a bonus: You can now name your new or existing integrations with more human-friendly titles—because no one should have to memorize 12-digit Amazon account IDs!
Explore these new AWS resources and fields
We topped off our AWS feature additions with some new resources and resource fields to expand your understanding of your AWS infrastructure.
GitHub got plenty of attention too
Not all our focus went to AWS in May! We also worked hard expanding our GitHub capabilities so that you can improve security in your development process.
Scan entire GitHub organizations
Adding a new Mondoo GitHub integration every time you create a new repository felt like extra work. So we added support for scanning GitHub organizations, which includes automatically scanning new repositories as you create them.
Need more control over which repositories to scan? Specify individual repositories to include or exclude.
Automatically discover Terraform plans in repositories
Infrastructure as code (IaC) can live anywhere. With automatic Terraform plan file discovery in GitHub repositories, you'll never miss a plan in GitHub. Scan your entire organization and let Mondoo do the heavy lifting: It automatically finds and scans each file.
cnspec scan github organization MY_ORG --discover repository,terraform
GitHub-app-based authentication
Do you want to scan your GitHub organizations and repositories without using GitHub API tokens? Now cnspec can access your source using GitHub application authentication.
cnspec scan github org MY_ORG --app-id MY_APP_ID --app-installation-id MY_APP_INSTALL_ID --app-private-key PATH_TO_PEM_FILE
New and improved policies
Our security engineers knocked it out of the park this month with loads of new policies!
New CIS Kubernetes policies
Mondoo now includes the latest CIS Kubernetes benchmark policies for self-managed Kubernetes clusters, EKS, AKS, and GKE. These policies include the latest CIS recommendations as well as all-new queries for improved output so you can remediate issues more quickly.
New CIS Debian 12 benchmark policies
Secure Debian 12 systems with new CIS Debian Linux 12 Benchmark Levels 1 & 2 policies. These policies include 284 checks specifically tuned for this latest release of Debian.
Updated Windows and Linux CIS benchmark policies
Scan your infrastructure with the very latest CIS benchmark policies for Linux and Windows. These updated policies include improved descriptions, remediation steps, and new checks to keep your systems secure against the latest threats.
- CIS Benchmark RHEL 7 v4.0.0
- CIS Benchmark CentOS 7 v4.0.0
- CIS Benchmark Oracle Linux 7 v4.0.0
- CIS Benchmark Amazon Linux 2 v3.0.0
- CIS Benchmark Windows 2019 v3.0.0
- CIS Benchmark Windows 2022 v3.0.0
Improved control of SSH policy application
Tune Mondoo's SSH security checks to meet your particular business needs with new reworked SSH checks that include properties. With properties, you can set your allowed SSH key exchange algorithms, ciphers, and message authentication codes (MACs) without the need to write your own checks.
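To show what a property-driven allowlist check involves, here is an added Python illustration; it is not Mondoo's policy or MQL code. The allowlist values and the sample sshd_config are constructed, and the function names are hypothetical.

```python
# Added illustration of an allowlist check driven by tunable "properties".
# Not Mondoo code: the allowlists and sample config are constructed values.
ALLOWED = {
    "kexalgorithms": {"curve25519-sha256", "curve25519-sha256@libssh.org"},
    "ciphers": {"chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com"},
    "macs": {"hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com"},
}

SAMPLE = """\
# constructed sample sshd_config
KexAlgorithms curve25519-sha256
ciphers aes256-gcm@openssh.com,aes128-cbc
Ciphers chacha20-poly1305@openssh.com
MACs +hmac-sha1
"""

def parse_sshd_config(text):
    """Map lowercased keyword -> value; sshd uses the first value it obtains."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and value are separated by whitespace or a single '='.
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) == 2:
            found.setdefault(parts[0].lower(), parts[1].strip())
    return found

def check(text, allowed=ALLOWED):
    """Return (keyword, problem) findings; an empty list means compliant."""
    config = parse_sshd_config(text)
    findings = []
    for key, allow in allowed.items():
        value = config.get(key)
        if value is None:
            findings.append((key, "not set: sshd defaults apply"))
        elif value[0] in "+-^":
            # A +, - or ^ prefix edits the built-in default list instead of
            # replacing it, so the effective set is unknown from the file alone.
            findings.append((key, "relative list: depends on sshd defaults"))
        else:
            for alg in (a.strip() for a in value.split(",")):
                if alg not in allow:
                    findings.append((key, "not allowed: " + alg))
    return findings

if __name__ == "__main__":
    for keyword, problem in check(SAMPLE):
        print(keyword, "->", problem)
```

The second `Ciphers` line in the sample is ignored because the first occurrence wins, which is why the weak `aes128-cbc` entry is still reported.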
Improved container policy application
From SSH configuration to interactive user permissions, many traditional security checks aren't applicable in a container world. To reduce noise and help you prioritize what matters, CIS benchmarks no longer apply to container workloads. Instead, we've modified our existing Mondoo Linux Security policy to better execute on containers. We highly recommend enabling this policy to scan your containerized workloads.
Prioritize CVEs based on clearer information
The more you understand about the risk that CVEs present to your organization, the better you can prioritize the work of fixing them. With that in mind, we enhanced our CVE experience.
Get more risk information at a glance
Better understand the true risk that a CVE presents—even at a glance. The new risk score box on CVE pages includes the overall risk of the CVE as well as the CVSS score, EPSS score, risk factors, and blast radius so you can quickly understand whether a CVE needs attention.
Count individual risk factors for CVEs and advisories
CVE and advisory pages now include the count of individual risk factors, so you can better understand the distribution of risk throughout your infrastructure.
Expanded platform support
Our reach just keeps growing! We expanded our platform support in May.
Fedora 41 CVE detection
The Fedora 41 development process has just begun. But if you're on the bleeding edge, Mondoo has your back with EOL and CVE detection support for this upcoming Fedora release.
Alpine Linux 3.20
Keep your container applications secure with EOL and CVE detection support for Alpine Linux 3.20.
Improved Arista EOS support
We've made securing Arista EOS devices easier:
- Find your devices quickly with grouping under Network Devices in the inventory list
- Understand what you're seeing with FQDN and model number information on the asset overview
- Explore system configuration with improved resource default values in cnquery shell
More resource improvements
Our May resource additions weren't exclusive to AWS. Here are more enhancements we made: