open source, cloud-native, graph-based asset inventory

ben-rockwood/cnquery

cnquery

Open source, cloud-native asset inventory and discovery

cnquery is a cloud-native tool for querying your entire fleet. It answers thousands of questions about your infrastructure, and integrates with over 300 resources across cloud accounts, Kubernetes, containers, services, VMs, APIs, and more.

Here are a few examples:

# run a query and print the output
cnquery run -c "ports.listening { port process }"

# execute a query pack on a Docker image and print results as json
cnquery scan docker 14119a -f pack.mql.yaml -j

# open an interactive shell to an aws account
cnquery shell aws
> aws.ec2.instances{*}

📚 To learn more, read the cnquery docs.

Installation

Install cnquery with our installation script:

Linux and macOS

bash -c "$(curl -sSL https://install.mondoo.com/sh)"

Windows

Set-ExecutionPolicy Unrestricted -Scope Process -Force;
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072;
iex ((New-Object System.Net.WebClient).DownloadString('https://install.mondoo.com/ps1'));
Install-Mondoo;

If you prefer manual installation, you can find the cnquery packages on GitHub releases.

Interactive shell

The easiest way to explore cnquery is to use our interactive shell, which has auto-complete to guide you:

cnquery shell

Once inside the shell, you can enter MQL queries like this:

> asset { name title }

To learn more, use the help command.

To exit, either press CTRL + D or type exit.

You can run the shell against local and remote targets like k8s, aws, docker, and many more. Run --help to see a full list of supported providers.

Run simple queries

To run standalone queries in your shell, use the run command:

cnquery run <TARGET> -c <QUERY>

For example, this runs a query against your local system:

cnquery run -c "services { name running }"

For automation, it is often helpful to convert the output to JSON. Use -j or --json:

cnquery run local -c "services { * }" -j

You can then pipe the output to jq or other applications.
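
One way to consume that JSON in automation, shown as an added example that is not part of the cnquery project: a Python script that compares running services against an approved baseline. The wrapper shape of the -j output, the sample document, the baseline, and all function names are assumptions; the walker finds any object that carries the name and running fields from the query above instead of relying on one layout, and the script reads a saved JSON file if one is given as an argument.

```python
import json
import sys

# Constructed sample standing in for: cnquery run local -c "services { name running }" -j
# The wrapper around the records is an assumption, not documented output.
SAMPLE = """{"services": [
  {"name": "sshd", "running": true},
  {"name": "cron", "running": true},
  {"name": "telnet.socket", "running": true},
  {"name": "cups", "running": false}
]}"""

# Hypothetical baseline of services approved to run on this class of host.
BASELINE = {"sshd", "cron", "systemd-journald"}


def iter_services(node):
    """Yield every object with 'name' and 'running' keys at any depth,
    so the check does not depend on one wrapper layout."""
    if isinstance(node, dict):
        if isinstance(node.get("name"), str) and "running" in node:
            yield node
        for value in node.values():
            yield from iter_services(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_services(item)


def running_names(raw_json):
    """Names of services reported with running == true."""
    doc = json.loads(raw_json)
    return {s["name"] for s in iter_services(doc) if s["running"] is True}


def unexpected_running(raw_json, baseline):
    """Running services that are absent from the baseline, sorted."""
    return sorted(running_names(raw_json) - set(baseline))


def baseline_not_running(raw_json, baseline):
    """Baseline services that are stopped or missing from the report, sorted."""
    return sorted(set(baseline) - running_names(raw_json))


if __name__ == "__main__":
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    print("unexpected running:", unexpected_running(raw, BASELINE))
    print("baseline not running:", baseline_not_running(raw, BASELINE))
```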

Query packs

You can combine multiple queries into query packs, which can run together. cnquery comes with default query packs out of the box for most systems. You can run:

cnquery scan

Without specifying anything else, cnquery tries to find and run the default query pack for the given system.

You can specify a query pack that you want to run. Use the --querypack argument:

cnquery scan --querypack incident-response

You can also choose just one query from a query pack. Specify the query ID with the query pack:

cnquery scan --querypack incident-response --query-id sth-01

Custom query packs let you bundle queries to meet your specific needs. You can find a simple query pack example in examples/simple.mql.yaml. To run it:

cnquery scan -f examples/example-os.mql.yaml

Like all other commands, you can specify different providers like k8s, aws, docker, and many more. Run --help to see the full list of supported providers.

These files can also contain multiple query packs for many different target systems. For an example, see examples/multi-target.mql.yaml.

Explore your infrastructure in Mondoo Platform

To more easily explore your infrastructure, sign up for a free Mondoo Platform account. Mondoo's web-based console allows you to navigate, search, and arrange all of your assets.

Go to console.mondoo.com to sign up.

To learn about Mondoo Platform, read the Mondoo Platform docs or visit mondoo.com.

Private query packs

Distributing queries across your fleet

You can create and share query packs using the Query Hub feature of the Mondoo Console. The Query Hub creates a secure, private environment in your account that stores data about your assets. It makes it very easy for all assets to report on query packs and define custom rules for your fleet.

To use the Query Hub:

cnquery login --token TOKEN

Once set up, activate the packs. You can then collect your assets' data (for example, aws):

cnquery scan aws

To add custom query packs, you can upload them:

cnquery bundle upload mypack.mql.yaml

Supported targets

| Target | Provider | Example |
| --- | --- | --- |
| AWS accounts | aws | cnquery shell aws |
| AWS EC2 instances | ssh | cnquery shell ssh user@host |
| AWS EC2 Instance Connect | aws ec2 instance-connect | cnquery shell aws ec2 instance-connect ec2-user@INSTANCEID |
| AWS EC2 EBS snapshot | aws ec2 ebs snapshot | cnquery shell aws ec2 ebs snapshot SNAPSHOTID |
| AWS EC2 EBS volume | aws ec2 ebs volume | cnquery shell aws ec2 ebs volume VOLUMEID |
| Container images | container, docker | cnquery shell container ubuntu:latest |
| Container registries | container registry | cnquery shell container registry index.docker.io/library/rockylinux:8 |
| DNS records | host | cnquery shell host mondoo.com |
| GitHub organizations | github org | cnquery shell github org mondoohq |
| GitHub repositories | github repo | cnquery shell github repo mondoohq/cnquery |
| GitLab groups | gitlab | cnquery shell gitlab --group mondoohq |
| Google Cloud projects | gcp | cnquery shell gcp |
| Google Workspace | google-workspace | cnquery shell google-workspace --customer-id CUSTOMER_ID --impersonated-user-email EMAIL --credentials-path JSON_FILE |
| Kubernetes cluster nodes | local, ssh | cnquery shell ssh user@host |
| Kubernetes clusters | k8s | cnquery shell k8s |
| Kubernetes manifests | k8s | cnquery shell k8s manifest.yaml |
| Kubernetes workloads | k8s | cnquery shell k8s --discover pods,deployments |
| Linux hosts | local, ssh | cnquery shell local or cnquery shell ssh user@host |
| macOS hosts | local, ssh | cnquery shell local or cnquery shell ssh user@IP_ADDRESS |
| Microsoft 365 tenants | ms365 | cnquery shell ms365 --tenant-id TENANT_ID --client-id CLIENT_ID --certificate-path PFX_FILE |
| Microsoft Azure subscriptions | azure | cnquery shell azure --subscription SUBSCRIPTION_ID |
| Microsoft Azure instances | ssh | cnquery shell ssh user@host |
| Okta | okta | cnquery shell okta --token TOKEN --organization ORGANIZATION |
| Running containers | docker | cnquery shell docker CONTAINER_ID |
| Slack | slack | cnquery shell slack --token TOKEN |
| SSL certificates on websites | host | cnquery shell host mondoo.com |
| Terraform HCL | terraform hcl | cnquery shell terraform <directory> HCL_FILE_OR_PATH |
| Terraform plan | terraform plan | cnquery shell terraform plan <plan.json> json |
| Terraform state | terraform state | cnquery shell terraform state <state_file>.json |
| Vagrant virtual machines | vagrant | cnquery shell vagrant HOST |
| VMware vSphere | vsphere | cnquery shell vsphere user@domain@host --ask-pass |
| Windows hosts | local, ssh, winrm | cnquery shell local, cnquery shell ssh Administrator@IP_ADDRESS --ask-pass or cnquery shell winrm Administrator@IP_ADDRESS --ask-pass |

What's next?

There are so many things cnquery can do! Gather information about your fleet, find tool-sprawl across systems, run incident response, and share data with auditors… cnquery is nearly limitless in capabilities.

Explore:

Join the community!

Our goal is to become the API for your entire infrastructure. Join our community today and let's grow it together!

Development

See our development documentation for information on building and contributing to cnquery.

Legal

  • Copyright: 2018-2023, Mondoo, Inc.
  • License: MPLv2
  • Authors: Christoph Hartmann, Dominik Richter

Trivial Change for Testing.

Languages

  • Go 99.3%
  • Makefile 0.3%
  • TypeScript 0.2%
  • PowerShell 0.1%
  • Shell 0.1%
  • Dockerfile 0.0%