Description
Is your feature request related to a problem? Please describe.
Introduce two new command-line options for cnspec to provide users with greater control over risk evaluation logic during scans:
- `--risk-threshold`: Defines the minimum risk score or impact level required for a finding to contribute to a FAIL status.
- `--risk-scoring`: Allows selection of the risk scoring model (e.g., CVSS, Mondoo custom scoring) to be applied during evaluation.
Problem Statement:
Today, cnspec evaluates checks and produces PASS/FAIL results, but there is limited flexibility for users to control how risk is factored into the outcome. For many organizations, especially those operating in complex or regulated environments, it is important to:
- Suppress low-impact findings from contributing to a FAIL result.
- Align risk scoring with internal standards or frameworks (e.g., CVSS-based, business-prioritized models).
- Maintain consistent, customizable risk-based evaluation across environments.
Describe the solution you'd like
`--risk-threshold`
- Defines the minimum risk score or impact level that triggers a FAIL for a finding.
- Example:
  ```sh
  cnspec scan aws --risk-threshold 5.0
  ```
- Behavior:
  - Findings with risk scores below 5.0 are reported but do not cause an overall FAIL.
  - Findings with risk scores at or above 5.0 contribute to a FAIL status.
`--risk-scoring`
- Allows users to select the risk scoring methodology applied during evaluation.
- Supported values could include:
  - cvss — Use CVSS scores where applicable.
  - mondoo — Apply Mondoo’s native/custom risk scoring.
  - custom (future) — Provide a custom scoring model or mapping file.
- Example:
  ```sh
  cnspec scan aws --risk-scoring cvss
  ```
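The evaluation semantics proposed above, written out as an added Go example that is not cnspec's own code: the `Finding` type, `riskScore` and `Evaluate` are hypothetical, and falling back to the Mondoo score for a check that has no CVSS score under `--risk-scoring cvss` is an assumption made here, not something the request specifies.

```go
package main

import "fmt"

// Finding is a constructed, simplified check result (not cnspec's real type);
// HasCVSS is false when no CVSS score applies to the check.
type Finding struct {
	ID               string
	Passed, HasCVSS  bool
	CVSS, MondooRisk float64
}

// riskScore selects the score for the chosen --risk-scoring model.
// Assumption: "cvss" falls back to the Mondoo score when no CVSS score applies.
func riskScore(f Finding, model string) (float64, error) {
	switch model {
	case "cvss":
		if f.HasCVSS {
			return f.CVSS, nil
		}
		return f.MondooRisk, nil
	case "mondoo":
		return f.MondooRisk, nil
	}
	return 0, fmt.Errorf("unsupported --risk-scoring value %q", model)
}

// Evaluate applies the proposed --risk-threshold semantics: a failed finding
// drives an overall FAIL only when its score reaches the threshold; lower-scored
// failures come back as suppressed so they are still reported, just not fatal.
func Evaluate(findings []Finding, model string, threshold float64) (status string, failing, suppressed []string, err error) {
	status = "PASS"
	for _, f := range findings {
		if f.Passed {
			continue
		}
		score, serr := riskScore(f, model)
		if serr != nil {
			return "", nil, nil, serr
		}
		if score >= threshold {
			failing, status = append(failing, f.ID), "FAIL"
		} else {
			suppressed = append(suppressed, f.ID)
		}
	}
	return status, failing, suppressed, nil
}
```

With three constructed findings (a failed check scored CVSS 7.5, a failed tagging check with only a Mondoo score of 2.0, and a passed check), `Evaluate(findings, "cvss", 5.0)` yields `FAIL` with the first finding failing and the second suppressed; an unknown model name is rejected rather than silently treated as a score of zero.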
Benefits:
✅ Empowers users to tailor risk evaluation to their environment and priorities.
✅ Reduces noise from low-impact findings in automated pipelines.
✅ Supports alignment with organizational risk frameworks.
✅ Increases adoption for security-conscious, regulated industries.