Packer Plugin for Mondoo cnspec

Packer Plugin cnspec by Mondoo scans Linux and Windows HashiCorp Packer builds for vulnerabilities and security misconfigurations. The plugin retrieves CVE data from Mondoo that is updated daily with the latest CVEs and advisories. Additionally, cnspec runs security scans using cnspec-policies to uncover common misconfigurations that open your hosts to the risk of attack. cnspec supports scanning Linux, Windows, and macOS, as well as Docker containers.

Plugin modes

Packer Plugin cnspec is designed to work in one of two modes:

Tutorials

Check out the Packer tutorials on the Mondoo documentation site:

Install Packer plugin cnspec

You can install Packer Plugin cnspec using the packer init command, install it manually, or build it from source.

Install using the packer init command

As of version 1.7, Packer's packer init command allows automatic installation of Packer plugins. For more information, read the Packer documentation.

To install Packer Plugin cnspec:

  1. Copy and paste this code into your Packer configuration:

packer {
  required_plugins {
    cnspec = {
      version = ">= 10.0.0"
      source  = "github.com/mondoohq/cnspec"
    }
  }
}

  2. Run this command:

packer init /path/to/template.pkr.hcl

Install manually

You can find pre-built binary releases of the plugin here.

Once you have downloaded the latest archive corresponding to your target OS, uncompress it to retrieve the plugin binary file corresponding to your platform. To install the plugin, follow the Packer documentation on installing a plugin.

Build from source

If you prefer to build the plugin from source:

  1. Clone this GitHub repository locally.

  2. Run this command from the root directory: go build

  3. After you successfully compile, the packer-plugin-cnspec plugin binary file is in the root directory. Copy the binary into ~/.packer.d/plugins/ by running this command: make dev

  4. To install the compiled plugin, follow the Packer documentation on installing plugins.

After building the cnspec plugin successfully, use the latest version of Packer to build a machine and verify your changes. In the example folder we provide a basic template. To force Packer to use the development binary installed in the previous step, comment out the packer {} block.

To use the developer plugin, set the packer plugin environment variable:

export PACKER_PLUGIN_PATH=~/.packer.d/plugins
packer build amazon-linux-2.pkr.hcl

Configure Packer Plugin cnspec

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| annotations | Apply custom annotations to Packer build assets to provide additional metadata for asset tracking. | map of strings | None | No |
| asset_name | Overwrite the asset name in Mondoo Platform. | string | None | No |
| on_failure | Set on_failure = "continue" to ignore build failures that do not meet any set score_threshold. | string | None | No |
| score_threshold | Set a score threshold for Packer builds [0-100]. Any scans that fall below the score_threshold will fail unless on_failure = "continue". To learn more, read How Mondoo scores policies in the Mondoo documentation. | int | None | No |
| sudo | Use sudo to elevate permissions when running Mondoo scans. | bool | None | No |
| mondoo_config_path | The path to the Mondoo service account file. Defaults to $HOME/.config/mondoo/mondoo.yml | string | None | No |
| output | Set output format: compact, csv, full, json, junit, report, summary, yaml (default "compact") | string | None | No |
| output_target | Set output target, e.g. the path to a local file such as result.xml | string | None | No |

Example: Complete Configuration

A simple configuration that sets a score threshold of 85, lets the build continue if the score falls below it, and uses sudo to elevate permissions when running the scans:

provisioner "cnspec" {
  on_failure      = "continue"
  score_threshold = 85
  sudo {
    active = true
  }
}

The following configuration shows how to set the output format to JUnit and the output target to test-results.xml:

provisioner "cnspec" {
  on_failure = "continue"
  output = "junit"
  output_target = "test-results.xml"
}
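The following is an added example, not one of the repository's own templates, that combines the pieces above into a single build: the plugin requirement, an assumed amazon-ebs source (the Amazon Linux 2023 AMI filter, region and instance type are assumptions), and a cnspec provisioner that annotates the asset, fails the build when the score is below 85 (on_failure is deliberately left unset), and writes JUnit results for a CI system to pick up.

```hcl
packer {
  required_plugins {
    cnspec = {
      version = ">= 10.0.0"
      source  = "github.com/mondoohq/cnspec"
    }
    amazon = {
      version = ">= 1.0.0"
      source  = "github.com/hashicorp/amazon"
    }
  }
}

# Assumed source: any Packer source reachable over SSH or WinRM works the same way.
source "amazon-ebs" "linux" {
  ami_name      = "hardened-linux-{{timestamp}}"
  instance_type = "t3.micro"
  region        = "us-east-1"
  ssh_username  = "ec2-user"
  source_ami_filter {
    filters = {
      name                = "al2023-ami-*-x86_64"
      virtualization-type = "hvm"
      root-device-type    = "ebs"
    }
    owners      = ["amazon"]
    most_recent = true
  }
}

build {
  sources = ["source.amazon-ebs.linux"]

  provisioner "cnspec" {
    # No on_failure = "continue": a score below 85 fails the build and no AMI is published.
    score_threshold = 85
    sudo {
      active = true
    }
    annotations = {
      team     = "platform"
      pipeline = "nightly-ami"
    }
    output        = "junit"
    output_target = "cnspec-results.xml"
  }
}
```

Run it with packer init followed by packer build; the JUnit file is written on the machine running Packer, not inside the image.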

Sample Packer Templates

You can find example Packer templates in the examples directory in this repository. You can also find a GitHub Action workflow example of how to use cnspec to test builds as part of a CI/CD pipeline.

Get Started with cnspec

cnspec's benefits extend well beyond securing Packer builds! To start exploring, download cnspec.

Contributing

If you think you've found a bug in the code or you have a question about using this software, please reach out to us by opening an issue in this GitHub repository.

Contributions to this project are welcome! If you want to fix a bug, please do so by opening a pull request in this GitHub repository. If you want to add a feature, please start by opening an issue in this GitHub repository to discuss it with us beforehand.

Join the community!

Join the Mondoo Community GitHub Discussions to collaborate on policy as code and security automation.