mondoohq/cnquery: open source, cloud-native, graph-based asset inventory

cnquery

Open source, cloud-native asset inventory and discovery

cnquery is a cloud-native tool for querying your entire infrastructure. Built upon Mondoo's security data fabric, it answers thousands of questions about your infrastructure and integrates with over 850 resources across cloud accounts, Kubernetes, containers, services, VMs, APIs, and more.

Here are a few more examples:

# run a query and print the output
cnquery run -c "ports.listening { port process }"

# execute a query pack on a Docker image and print results as json
cnquery scan docker 14119a -f pack.mql.yaml -j

# open an interactive shell to an aws account
cnquery shell aws
> aws.ec2.instances{*}

📚 To learn more, read the cnquery docs.

Installation

Install cnquery with our installation script:

Linux and macOS

bash -c "$(curl -sSL https://install.mondoo.com/sh)"

Windows

Set-ExecutionPolicy Unrestricted -Scope Process -Force;
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072;
iex ((New-Object System.Net.WebClient).DownloadString('https://install.mondoo.com/ps1'));
Install-Mondoo;

If you prefer manual installation, you can find the cnquery packages in our GitHub releases.

Interactive shell

The easiest way to explore cnquery is to use our interactive shell, which has auto-complete to guide you:

cnquery shell

Once inside the shell, you can enter MQL queries like this:

> asset { name title }

To learn more, use the help command.

To exit, either press CTRL + D or type exit.

You can run the shell against local and remote targets like k8s, aws, docker, and many more. Run --help to see a full list of supported providers.

Run simple queries

To run standalone queries in your shell, use the run command:

cnquery run <TARGET> -c <QUERY>

For example, this runs a query against your local system:

cnquery run -c "services { name running }"

For automation, it is often helpful to convert the output to JSON. Use -j or --json:

cnquery run local -c "services { * }" -j

You can then pipe the output to jq or other applications.

Query packs

You can combine multiple queries into query packs, which can run together. cnquery comes with default query packs out of the box for most systems. You can run:

cnquery scan

Without specifying anything else, cnquery tries to find and run the default query pack for the given system.

You can specify a query pack that you want to run. Use the --querypack argument:

cnquery scan --querypack incident-response

Custom query packs let you bundle queries to meet your specific needs. You can find a simple query pack example in examples/simple.mql.yaml. To run it:

cnquery scan -f examples/example-os.mql.yaml

Like all other commands, you can specify different providers like k8s, aws, docker, and many more. Run --help to see the full list of supported providers.

These files can also contain multiple query packs for many different target systems.
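
A custom query pack file holding two packs for different target systems, built from the queries shown earlier on this page. This is an added example, not a file from the cnquery repository: the uid values, titles, and filter expressions are assumptions chosen for illustration.

```yaml
# mypack.mql.yaml (hypothetical file name, matching the upload example on this page)
packs:
  # Pack 1: applies to Linux/macOS style hosts (local, ssh, container targets)
  - uid: example-host-exposure            # made-up identifier
    name: Host exposure inventory
    filters:
      - asset.family.contains("unix")     # assumed filter: only run on unix-like assets
    queries:
      - uid: example-listening-ports
        title: Listening ports and the processes that own them
        mql: ports.listening { port process }
      - uid: example-running-services
        title: Services that are currently running
        mql: services.where(running == true) { name }
      - uid: example-asset-identity
        title: Asset name and title for correlating results
        mql: asset { name title }

  # Pack 2: applies to AWS accounts (cnquery scan aws)
  - uid: example-aws-inventory            # made-up identifier
    name: AWS EC2 inventory
    filters:
      - asset.platform == "aws"           # assumed filter: only run on AWS account assets
    queries:
      - uid: example-ec2-instances
        title: All EC2 instances with every field
        mql: aws.ec2.instances { * }
```

Run it with cnquery scan -f mypack.mql.yaml against a host target, or cnquery scan aws -f mypack.mql.yaml against an account; the filters decide which pack applies to each asset.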

Explore your infrastructure in Mondoo Platform

To more easily explore your infrastructure, sign up for a Mondoo Platform account. Mondoo's web-based console allows you to navigate, search, and arrange all of your assets.

To get started, contact us.

To learn about Mondoo Platform, read the Mondoo Platform docs or visit mondoo.com.

Distribute queries across your infrastructure with private query packs

You can create and share query packs using the Registry in the Mondoo Console. The Registry is a secure, private environment in your account where you store both Mondoo query packs and custom query packs. This lets you use the same query packs for all assets.

To use the Registry:

cnquery login --token TOKEN

Once set up, enable the query packs you want to use to collect your asset's data. For example, you can activate one or more AWS query packs in the Mondoo Console. Then run this command any time to collect the AWS information you need:

cnquery scan aws

To add custom query packs, you can upload them:

cnquery bundle upload mypack.mql.yaml

Supported targets

| Target | Provider | Example |
|---|---|---|
| Ansible playbooks | ansible | cnquery shell ansible YOUR_PLAYBOOK.yml |
| Arista network devices | arista | cnquery shell arista DEVICE_PUBLIC_IP --ask-pass |
| Atlassian organizations | atlassian | cnquery shell atlassian --host YOUR_HOST_URL --admin-token YOUR_TOKEN |
| AWS accounts | aws | cnquery shell aws |
| AWS CloudFormation templates | cloudformation | cnquery shell cloudformation cloudformation_file.json |
| AWS EC2 EBS snapshot | aws ec2 ebs snapshot | cnquery shell aws ec2 ebs snapshot SNAPSHOTID |
| AWS EC2 EBS volume | aws ec2 ebs volume | cnquery shell aws ec2 ebs volume VOLUMEID |
| AWS EC2 Instance Connect | aws ec2 instance-connect | cnquery shell aws ec2 instance-connect ec2-user@INSTANCEID |
| AWS EC2 instances | ssh | cnquery shell ssh user@host |
| Confluence users | atlassian | cnquery shell atlassian --host YOUR_HOST_URL --admin-token YOUR_TOKEN |
| Container images | container, docker | cnquery shell container ubuntu:latest |
| Container registries | container registry | cnquery shell container registry index.docker.io/library/rockylinux:8 |
| Dockerfiles | docker | cnquery shell docker file FILENAME |
| DNS records | host | cnquery shell host mondoo.com |
| GitHub organizations | github org | cnquery shell github org mondoohq |
| GitHub repositories | github repo | cnquery shell github repo mondoohq/cnquery |
| GitLab groups | gitlab | cnquery shell gitlab --group mondoohq |
| Google Cloud projects | gcp | cnquery shell gcp |
| Google Workspace | google-workspace | cnquery shell google-workspace --customer-id CUSTOMER_ID --impersonated-user-email EMAIL --credentials-path JSON_FILE |
| IoT devices | opcua | cnquery shell opcua |
| Jira projects | atlassian | cnquery shell atlassian --host YOUR_HOST_URL --admin-token YOUR_TOKEN |
| Kubernetes cluster nodes | local, ssh | cnquery shell ssh user@host |
| Kubernetes clusters | k8s | cnquery shell k8s |
| Kubernetes manifests | k8s | cnquery shell k8s manifest.yaml |
| Kubernetes workloads | k8s | cnquery shell k8s --discover pods,deployments |
| Linux hosts | local, ssh | cnquery shell local or cnquery shell ssh user@host |
| macOS hosts | local, ssh | cnquery shell local or cnquery shell ssh user@IP_ADDRESS |
| Microsoft 365 accounts | ms365 | cnquery shell ms365 --tenant-id TENANT_ID --client-id CLIENT_ID --certificate-path PFX_FILE |
| Microsoft Azure instances | ssh | cnquery shell ssh user@host |
| Microsoft Azure subscriptions | azure | cnquery shell azure --subscription SUBSCRIPTION_ID |
| Okta org | okta | cnquery shell okta --token TOKEN --organization ORGANIZATION |
| Oracle Cloud Interface (OCI) | oci | cnquery shell oci |
| Running containers | docker | cnquery shell docker CONTAINER_ID |
| Shodan search engine | shodan | cnquery shell shodan |
| Slack team | slack | cnquery shell slack --token TOKEN |
| SSL certificates on websites | host | cnquery shell host mondoo.com |
| Terraform HCL | terraform | cnquery shell terraform HCL_FILE_OR_PATH |
| Terraform plan | terraform plan | cnquery shell terraform plan plan.json |
| Terraform state | terraform state | cnquery shell terraform state state.json |
| Vagrant virtual machines | vagrant | cnquery shell vagrant HOST |
| VMware Cloud Director | vcd | cnquery shell vcd user@domain@host --ask-pass |
| VMware vSphere | vsphere | cnquery shell vsphere user@domain@host --ask-pass |
| Windows hosts | local, ssh, winrm | cnquery shell local, cnquery shell ssh Administrator@IP_ADDRESS --ask-pass or cnquery shell winrm Administrator@IP_ADDRESS --ask-pass |

What's next?

There are so many things cnquery can do! Gather information about your infrastructure, find tool-sprawl across systems, run incident response, and share data with auditors… cnquery is nearly limitless in capabilities.

Join the community!

Our goal is to become the API for your entire infrastructure. Join our community today and let's grow it together!

Development

See our development documentation for information on building and contributing to cnquery.

Legal

  • Copyright: 2018-2024, Mondoo, Inc.
  • License: BUSL 1.1
  • Authors: Christoph Hartmann, Dominik Richter