Packer
Mondoo
@mondoohq
Scans Linux and Windows HashiCorp Packer builds for vulnerabilities and security misconfigurations.
- Partner
Updated 9 months ago
- GitHub(opens in new tab)
Mondoo
Packer plugin cnspec by Mondoo scans Linux and Windows HashiCorp Packer builds for vulnerabilities and security misconfigurations. The plugin retrieves CVE data from Mondoo, which is updated daily with the latest CVEs and advisories. Additionally, cnspec runs security scans using cnspec-policies to uncover common misconfigurations that open your hosts to the risk of attack. cnspec supports scanning of Linux, Windows, and macOS, as well as Docker containers.
Packer plugin cnspec is designed to work in one of two modes:
- Unregistered - In unregistered mode, the plugin works without being registered to Mondoo Platform, and is designed to provide baseline security scanning with minimal configuration. The plugin runs either the Linux Security by Mondoo policy on Linux builds, or the Windows Security by Mondoo policy on Windows builds. Each of these policies provides security hardening checks based off of industry standards for Linux and Windows. Scan results are shown in STDOUT during the Packer run.
- Registered - In registered mode, the plugin is registered to your account in Mondoo Platform using a service account. Registered mode allows you to configure and customize any of the policies in Mondoo Platform including CIS benchmarks and more. Scan results are shown in STDOUT and sent back to Mondoo Platform for your records.
Installation
To install this plugin, copy and paste this code into your Packer configuration, then run packer init
.
packer {
required_plugins {
cnspec = {
version = ">= 10.0.0"
source = "github.com/mondoohq/cnspec"
}
}
}
Alternatively, you can use packer plugins install
to manage installation of this plugin.
$ packer plugins install github.com/mondoohq/cnspec
Components
Provisioners
- cnspec - Packer plugin cnspec by Mondoo scans Linux and Windows machine images for vulnerabilities and security misconfigurations. The plugin retrieves CVE data from Mondoo, which is updated daily with the latest CVEs and advisories. Additionally, cnspec runs security scans using cnspec-policies to uncover common misconfigurations that open your hosts to the risk of attack.
- mondoo - The
mondoo
provisioner scans Packer builds for vulnerabilities and misconfigurations by executing security policies-as-code enabled in Mondoo Platform. Mondoo Platform comes stocked with an ever-increasing collection of certified security policies which can be easily customize to meet your needs.
Tutorials
Check out the Packer tutorials on the Mondoo documentation site: