🛡️ devops-policies-cnspec-vmware
Security scanning, asset inventory, and compliance-as-code for VMware vSphere Foundation 9.0 using cnspec and cnquery by Mondoo.
| Tool | Purpose |
|---|---|
| 🔒 cnspec | Security policy scanning, vulnerability assessment, compliance checks |
| 🔍 cnquery | Asset inventory, health queries, capacity reporting, incident response |
```text
devops-policies-cnspec-vmware/
├── 📂 .buildkite/
│   ├── 📄 pipeline.yml            # Main Buildkite pipeline
│   ├── 📄 pipeline.scheduled.yml  # Scheduled scans (daily/weekly)
│   └── 📂 scripts/                # Pipeline helper scripts
├── 📂 policies/
│   ├── 🔒 security/               # ESXi & vCenter hardening policies
│   ├── 📋 compliance/             # CIS, STIG, custom frameworks
│   └── ⚙️ operational/            # Operational best-practice policies
├── 📂 queries/
│   ├── 🖥️ inventory/              # Asset inventory query packs
│   ├── 🩺 health/                 # Health check query packs
│   └── 📊 capacity/               # Capacity & utilization query packs
├── 📂 scripts/                    # Utility scripts
└── 📂 reports/                    # Report templates & output (gitignored)
```
| Requirement | Version | Notes |
|---|---|---|
| cnspec | | Security & compliance scanner |
| cnquery | | Asset inventory & query engine |
| | | With network access to vCenter |
| Mondoo Platform | | Optional, for dashboards |
```bash
# Install cnspec + cnquery
# (the installer is fetched over HTTPS and executed directly; download it
#  first and review it if your change-control process requires it)
bash -c "$(curl -sSL https://install.mondoo.com/sh)"

# Interactive shell — explore your vSphere environment
# Connection string format is <sso-user>@<vcenter-host>
cnquery shell vsphere administrator@vsphere.local@vcenter.lab.local --ask-pass

# Run a security scan with custom policies
cnspec scan vsphere administrator@vsphere.local@vcenter.lab.local \
  --ask-pass \
  --policy-bundle policies/security/esxi-hardening.mql.yaml

# Run an inventory query pack
cnquery scan vsphere administrator@vsphere.local@vcenter.lab.local \
  --ask-pass \
  --querypack-bundle queries/inventory/full-inventory.mql.yaml
```
| Pipeline | Trigger | Description |
|---|---|---|
| ⚡ pipeline.yml | PR / push | Validates policies, lint, dry-run |
| 🕐 pipeline.scheduled.yml | Cron (daily) | Full security scan + inventory + vulnerability assessment |
🔑 Required Buildkite Secrets

| Secret | Description |
|---|---|
| VSPHERE_SERVER | vCenter FQDN |
| VSPHERE_USER | SSO username (user@domain) |
| VSPHERE_PASSWORD | SSO password |
| MONDOO_SERVICE_TOKEN | Mondoo Platform token (optional) |
| GITGUARDIAN_API_KEY | GitGuardian secret scanning |
| SLACK_WEBHOOK_URL | Slack notifications (optional) |

Use a dedicated vCenter SSO account with a read-only role for `VSPHERE_USER`: cnspec and cnquery only read configuration, so the scan identity needs no write permissions, and a leaked pipeline secret then cannot modify the environment.
🔒 Security Policies (cnspec)

| Policy | Checks | Target |
|---|---|---|
| esxi-hardening.mql.yaml | 16 | ESXi hosts — SSH, lockdown, TLS 1.3, FIPS, firewall, vSwitch |
| vcenter-hardening.mql.yaml | 10 | vCenter — password policy, session timeout, TLS, logging |
| vm-hardening.mql.yaml | 13 | VMs — isolation, devices, HW v22, EFI, Tools |
📋 Compliance Policies (cnspec)

| Policy | Framework | Controls |
|---|---|---|
| cis-esxi9.mql.yaml | CIS Benchmark | 16 scored controls across 7 sections |
🔍 Query Packs (cnquery)

| Pack | Queries | Purpose |
|---|---|---|
| full-inventory.mql.yaml | 8 | Complete asset inventory — DCs, clusters, hosts, VMs, datastores |
| host-health.mql.yaml | 10 | Uptime, services, hardware sensors, alarms, snapshots |
| cluster-capacity.mql.yaml | 8 | Utilization, overcommit, powered-off waste, storage |
✏️ Writing Custom Policies

Policies use MQL (Mondoo Query Language). Example:

```yaml
policies:
  - uid: my-esxi-check
    name: "My ESXi Check"
    groups:
      - checks:
          - uid: ssh-disabled
queries:
  - uid: ssh-disabled
    title: "SSH must be disabled on ESXi"
    mql: |
      esxi.host {
        services.where(key == "TSM-SSH") {
          running == false
        }
      }
```
📖 See MQL vSphere Resource Reference for all available resources.
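A fuller bundle, added here as an illustration rather than taken from the repository's own policies, shows the pieces a scored policy needs beyond the single check above: a version, asset filters on the group, an `impact` per query, and list assertions that hold across every matching service. Resource and field names (`esxi.host.services`, `esxi.host.ntp.server`, `esxi.host.acceptanceLevel`) follow the MQL vSphere resource reference linked above; the platform name used in the filter and the file path in the usage note are assumptions, so confirm both in a `cnquery shell` session before relying on them.

```yaml
# Added example policy bundle (not part of this repository).
# Assumption: ESXi hosts discovered through vCenter report
# asset.platform == "vmware-esxi"; adjust the filter if your
# inventory shows a different platform name.
policies:
  - uid: lab-esxi-baseline
    name: Lab ESXi Baseline
    version: 1.0.0
    groups:
      - title: Remote access
        filters: asset.platform == "vmware-esxi"
        checks:
          - uid: esxi-ssh-disabled
          - uid: esxi-shell-disabled
      - title: Host configuration
        filters: asset.platform == "vmware-esxi"
        checks:
          - uid: esxi-ntp-configured
          - uid: esxi-acceptance-level

queries:
  - uid: esxi-ssh-disabled
    title: SSH (TSM-SSH) service must not be running
    impact: 60
    # .all() on the filtered service list fails if any matching
    # service is running; an empty match (service absent) passes.
    mql: |
      esxi.host.services.where(key == "TSM-SSH").all(running == false)

  - uid: esxi-shell-disabled
    title: ESXi Shell (TSM) service must not be running
    impact: 60
    mql: |
      esxi.host.services.where(key == "TSM").all(running == false)

  - uid: esxi-ntp-configured
    title: At least one NTP server must be configured
    impact: 40
    # Reliable time matters for log correlation during incident response.
    mql: |
      esxi.host.ntp.server.length > 0

  - uid: esxi-acceptance-level
    title: Host acceptance level must not be CommunitySupported
    impact: 50
    # CommunitySupported permits unsigned VIBs; the other levels
    # (VMwareCertified, VMwareAccepted, PartnerSupported) require a signature.
    mql: |
      esxi.host.acceptanceLevel != "CommunitySupported"
```

Validate the bundle before committing it, then scan against it (the path is an assumption):

`cnspec bundle lint policies/security/lab-esxi-baseline.mql.yaml`, followed by `cnspec scan vsphere administrator@vsphere.local@vcenter.lab.local --ask-pass --policy-bundle policies/security/lab-esxi-baseline.mql.yaml`. While writing new checks, paste the MQL line alone into `cnquery shell` first; it returns the raw field values, which is the quickest way to catch a wrong key name or an unexpected value type before the check is scored.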
💻 Running Locally

```bash
# Copy and configure credentials
cp .env.example .env

# Run everything
./scripts/run-local.sh all

# Or pick a specific mode
./scripts/run-local.sh scan       # Security scans only
./scripts/run-local.sh vuln       # Vulnerability scan only
./scripts/run-local.sh inventory  # Asset inventory
./scripts/run-local.sh health     # Host health checks
./scripts/run-local.sh capacity   # Capacity report
./scripts/run-local.sh shell      # Interactive cnquery shell
```