cnspec Provisioner

Type: cnspec

Packer plugin cnspec by Mondoo scans Linux and Windows machine images for vulnerabilities and security misconfigurations. The plugin retrieves CVE data from Mondoo, which is updated daily with the latest CVEs and advisories. Additionally, cnspec runs security scans using cnspec-policies to uncover common misconfigurations that open your hosts to the risk of attack.

Basic Example

provisioner "cnspec" {
  on_failure          = "continue"
  score_threshold     = 85
  sudo {
    active = true
  }
}

Configuration Reference

Optional Parameters:

host_alias (string) - The alias by which the host should be known. Defaults to default.
user (string) - The user set for your communicator. Defaults to the user set by packer.
local_port (uint) - The port on which to attempt to listen for SSH connections. This value is a starting point. The provisioner will attempt listen for SSH connections on the first available of ten ports, starting at local_port. A system-chosen port is used when local_port is missing or empty.
ssh_host_key_file (string) - The SSH key that will be used to run the SSH server on the host machine to forward commands to the target machine. packer connects to this server and will validate the identity of the server using the system known_hosts. The default behavior is to generate and use a onetime key.
ssh_authorized_key_file (string) - The SSH public key of the packer ssh_user. The default behavior is to generate and use a onetime key.
use_sftp (bool) - packer's SFTP proxy is not reliable on some unix/linux systems, therefore we recommend to use scp as default for packer proxy
debug (bool) - Sets the log level to DEBUG
asset_name (string) - The asset name passed to Mondoo Platform. Defaults to the hostname of the instance.
on_failure (string) - Configure behavior whether packer should fail if scan_threshold is not met. If scan_threshold configuration is omitted, the threshold is set to 0 and builds will pass regardless of what score is returned. If score_threshold is set to a value, and on_failure = "continue" builds will continue regardless of what score is returned.
labels (map[string]string) - Configure an optional map of labels for the asset data in Mondoo Platform.
annotations (map[string]string) - Configure an optional map of key/val annotations for the asset data in Mondoo Platform.
incognito (bool) - Configures incognito mode. Defaults to true. When set to false, scan results will not be sent to the Mondoo platform.
policies ([]string) - A list of policies to be executed (requires incognito mode).
policybundle (string) - A path to local policy bundle file.
sudo (*SudoConfig) - Run mondoo scan with --sudo. Defaults to none.
winrm_user (string) - Configure WinRM user. Defaults to user set by the packer communicator.
winrm_password (string) - Configure WinRM user password. Defaults to password set by the packer communicator.
use_proxy (bool) - Use proxy to connect to host to scan. This configuration will fall-back to packer proxy for cases where the provisioner cannot access the target directly NOTE: we have seen cases with the vsphere builder
output (string) - Set output format: summary, full, yaml, json, csv, compact, report, junit (default "compact")
score_threshold (int) - An integer value to set the score_threshold of mondoo scans. Defaults to 0 which results in a passing score regardless of what scan results are returned.
mondoo_config_path (string) - The path to the mondoo client config. Defaults to $HOME/.config/mondoo/mondoo.yml

SudoConfig

active (bool) - Active

Get Started with cnspec

If you are new to cnspec, check out Get started with cnspec.

Packer plugin cnspec tutorial

Check out the Packer tutorials on the Mondoo documentation site:

Sample Packer Templates

You can find example Packer templates in the examples directory in this repository.