Packer
Mondoo
@mondoohq
Scans Linux and Windows HashiCorp Packer builds for vulnerabilities and security misconfigurations.
- Partner
Updated 10 months ago
Packer plugin cnspec by Mondoo scans Linux and Windows HashiCorp Packer builds for vulnerabilities and security misconfigurations. The plugin retrieves CVE data from Mondoo, which is updated daily with the latest CVEs and advisories. Additionally, cnspec runs security scans using cnspec-policies to uncover common misconfigurations that open your hosts to the risk of attack. cnspec supports scanning of Linux, Windows, and macOS, as well as Docker containers.
Packer plugin cnspec is designed to work in one of two modes:
- Unregistered - In unregistered mode, the plugin works without being registered to Mondoo Platform, and is designed to provide baseline security scanning with minimal configuration. The plugin runs either the Linux Security by Mondoo policy on Linux builds, or the Windows Security by Mondoo policy on Windows builds. Each of these policies provides security hardening checks based on industry standards for Linux and Windows. Scan results are shown in STDOUT during the Packer run.
- Registered - In registered mode, the plugin is registered to your account in Mondoo Platform using a service account. Registered mode allows you to configure and customize any of the policies in Mondoo Platform including CIS benchmarks and more. Scan results are shown in STDOUT and sent back to Mondoo Platform for your records.
Installation
To install this plugin, copy and paste this code into your Packer configuration, then run packer init.
packer {
  required_plugins {
    cnspec = {
      version = ">= 9.0.0"
      source  = "github.com/mondoohq/cnspec"
    }
  }
}
Alternatively, you can use packer plugins install to manage installation of this plugin.
$ packer plugins install github.com/mondoohq/cnspec
Components
Provisioners
- cnspec - Packer plugin cnspec by Mondoo scans Linux and Windows machine images for vulnerabilities and security misconfigurations. The plugin retrieves CVE data from Mondoo, which is updated daily with the latest CVEs and advisories. Additionally, cnspec runs security scans using cnspec-policies to uncover common misconfigurations that open your hosts to the risk of attack.
- mondoo - The mondoo provisioner scans Packer builds for vulnerabilities and misconfigurations by executing security policies-as-code enabled in Mondoo Platform. Mondoo Platform comes stocked with an ever-increasing collection of certified security policies which can be easily customized to meet your needs.
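A template that wires the cnspec provisioner into a build in unregistered mode and uses the scan as a build gate, as an added example that is not taken from this page or from Mondoo's documentation. The Docker source, the image tag, the shell step and the threshold value are assumptions chosen for illustration; on_failure and score_threshold are options of the cnspec provisioner.

```hcl
packer {
  required_plugins {
    cnspec = {
      version = ">= 9.0.0"
      source  = "github.com/mondoohq/cnspec"
    }
    # Assumption: a Docker builder is used only to have an image to scan.
    docker = {
      version = ">= 1.0.0"
      source  = "github.com/hashicorp/docker"
    }
  }
}

# Constructed sample source; swap in the builder you actually use.
source "docker" "ubuntu" {
  image  = "ubuntu:22.04"
  commit = true
}

build {
  sources = ["source.docker.ubuntu"]

  # Patching and hardening steps run first so the scan sees the image
  # in the state it will ship in.
  provisioner "shell" {
    inline = [
      "apt-get update",
      "DEBIAN_FRONTEND=noninteractive apt-get -y upgrade",
    ]
  }

  # Unregistered mode: no Mondoo service account is configured, so the
  # baseline Linux policy runs and results are printed to STDOUT.
  provisioner "cnspec" {
    # Fail the build when the scan score falls below this value.
    # 85 is an arbitrary illustrative threshold.
    score_threshold = 85

    # on_failure = "continue" would let the build finish despite a failed
    # scan. Leaving it unset keeps the scan as a gate on the artifact.
  }
}
```

Placing the cnspec provisioner last means a failed scan stops the build before an image is committed.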
Tutorials
Check out the Packer tutorials on the Mondoo documentation site: