Packer
Mondoo
@mondoohq
Scans Linux and Windows HashiCorp Packer builds for vulnerabilities and security misconfigurations.
- Partner
Updated 11 months ago
- GitHub(opens in new tab)
Mondoo
Type: mondoo
This plugin has been deprecated. Migrate to Packer plugin cnspec by Mondoo for even easier security scanning of your Packer builds.
The mondoo
provisioner scans Packer builds for vulnerabilities and misconfigurations by executing security
policies-as-code enabled in Mondoo Platform. Mondoo Platform comes stocked with an ever-increasing collection of
certified security policies which can be easily customize to meet your needs.
Mondoo supports scanning of Linux, Windows, and macOS, as well as Docker containers.
Basic Example
provisioner "mondoo" {
on_failure = "continue"
mondoo_config_path = "/etc/mondoo-config.json"
score_threshold = 85
asset_name = "example-secure-base-image"
sudo {
active = true
}
annotations = {
Source_AMI = "{{ .SourceAMI }}"
Creation_Date = "{{ .SourceAMICreationDate }}"
}
}
}
Configuration Reference
Optional Parameters:
host_alias
(string) - The alias by which the host should be known. Defaults todefault
.user
(string) - Theuser
set for your communicator. Defaults to theuser
set by packer.local_port
(uint) - The port on which to attempt to listen for SSH connections. This value is a starting point. The provisioner will attempt listen for SSH connections on the first available of ten ports, starting atlocal_port
. A system-chosen port is used whenlocal_port
is missing or empty.ssh_host_key_file
(string) - The SSH key that will be used to run the SSH server on the host machine to forward commands to the target machine. packer connects to this server and will validate the identity of the server using the system known_hosts. The default behavior is to generate and use a onetime key.ssh_authorized_key_file
(string) - The SSH public key of the packerssh_user
. The default behavior is to generate and use a onetime key.use_sftp
(bool) - packer's SFTP proxy is not reliable on some unix/linux systems, therefore we recommend to use scp as default for packer proxydebug
(bool) - Sets the log level toDEBUG
asset_name
(string) - The asset name passed to Mondoo Platform. Defaults to the hostname of the instance.on_failure
(string) - Configure behavior whether packer should fail ifscan_threshold
is not met. Ifscan_threshold
configuration is omitted, the threshold is set to0
and builds will pass regardless of what score is returned. Ifscore_threshold
is set to a value, andon_failure = "continue"
builds will continue regardless of what score is returned.labels
(map[string]string) - Configure an optional map ofkey/val
labels for the asset in Mondoo Platform.annotations
(map[string]string) - Configure an optional map ofkey/val
annotations for the asset in Mondoo Platform.incognito
(bool) - Configures incognito mode. By default it detects if a Mondoo service account is available. When set to false, scan results will not be sent to Mondoo Platform.policies
([]string) - A list of policies to be executed (will automatically activate incognito mode).policybundle
(string) - A path to local policy bundle file.sudo
(*SudoConfig) - Runs scan with--sudo
. Defaults to none.winrm_user
(string) - Configure WinRM user. Defaults touser
set by the packer communicator.winrm_password
(string) - Configure WinRM user password. Defaults topassword
set by the packer communicator.use_proxy
(bool) - Use proxy to connect to host to scan. This configuration will fall-back to packer proxy for cases where the provisioner cannot access the target directlyoutput
(string) - Set output format: compact, csv, full, json, junit, report, summary, yaml (default "compact")output_target
(string) - Set output target. E.g. path to local filescore_threshold
(int) - An integer value to set thescore_threshold
of mondoo scans. Defaults to0
which results in a passing score regardless of what scan results are returned.mondoo_config_path
(string) - The path to the Mondoo's service account. Defaults to$HOME/.config/mondoo/mondoo.yml
SudoConfig
active
(bool) - Active
Get Started with Mondoo
If you are new to Mondoo you can get started by signing up for a free account today!
Check out the Packer tutorials on the Mondoo documentation site:
- Building secure AMIs with Mondoo and Packer
- Building secure VM images in Google Cloud with cnspec and HashiCorp Packer
Sample Packer Templates
You can find example Packer templates in the examples directory in this repository.