Mondoo Open Source

Understanding cnquery and cnspec: Open Source CLI Security Tools

If you're looking to improve the security of your infrastructure, cnquery and cnspec are tools you should know about. These open source command-line interface (CLI) tools are designed to gather information about and test the security posture of your infrastructure, including Linux, Windows, VMware, Kubernetes, AWS, Slack, GitHub, containers, images, and more.

Mondoo_graphics_Understanding cnquery and cnspec-02

But why would you use these tools? And what exactly do they do? In this article, we'll answer these questions and more, so you can decide if cnquery and cnspec are right for you.

What are cnquery and cnspec?

cnquery and cnspec are open source CLI security and infrastructure tools, developed by Mondoo. They are designed to help you gather information about and test the security posture of your infrastructure.

Why would I use them?

The short answer is, to improve the security of your infrastructure. By using cnquery and cnspec, you can discover and explore potential security issues, and then assert and test them to see if they are real problems. This way, you can proactively identify and fix security issues before they can be exploited by attackers.

How do they gather information?

cnquery and cnspec gather information in different ways. In some cases, they run system commands. Other times, these CLI tools read the locally stored or provided credentials to call APIs.

Where do they store information?

The information gathered by cnquery and cnspec is stored locally, in memory.

Monitor your infrastructure for security misconfigurations and maps those checks automatically to top compliance frameworks.

Why two tools?

While both cnquery and cnspec are designed to help you improve the security of your infrastructure, they serve slightly different purposes. Use cnquery to ask, discover, and explore. Use cnspec to assert and test.

Here are some examples:


cnquery run aws -c "aws.ec2.instances { publicIp }"

cnspec run aws -c "aws.ec2.instances.all(publicIp == ‘’)"


cnquery run k8s --discover pods -c "k8s.pod {  podSpec['volumes']  }" > mondootest.json

cnspec run k8s --discover pods -c "k8s.pod {  podSpec['volumes']  { _['hostPath']['path'] != '/run/containerd/containerd.sock' }}"


cnquery run ssh ec2-user@ -c "sshd.config.params" --sudo

cnspec run ssh ec2-user@ -c "sshd.config.params['PasswordAuthentication'] == 'no' && sshd.config.params['Protocol'] == 2" --sudo


cnquery run github repo mondoohq/cnspec --token $GITHUB_TOKEN -c "github.repository.branches { protected name }"

cnspec run github repo mondoohq/cnspec --token $GITHUB_TOKEN -c "github.repository.branches.where(isDefault == true) { protected == true protectionRules != null protectionRules { allowForce }

Get started with cnquery and cnspec today

cnquery and cnspec are powerful open source CLI security and infrastructure tools that allow you to gather information about and test the security posture of your infrastructure. With cnquery, you can ask, discover, and explore, while cnspec is used to assert and test. To see a list of what you can scan with these tools, visit If you're interested in trying these tools yourself, you can quickly and easily download and install cnquery and cnspec.

How Mondoo's SaaS Platform Enhances cnspec and cnquery

While cnspec and cnquery are powerful open source CLI security tools on their own, Mondoo's SaaS platform takes them to the next level. Our platform provides additional functionality that can help you better understand and improve your security posture.

Some examples of how our SaaS platform enhances cnspec and cnquery include:

  • Visualization and Enrichment of Data: Our platform takes the raw data collected by cnspec and cnquery and presents it in a clear and easy-to-understand format. This makes it easier to identify areas that need attention and prioritize your efforts.
  • Critical Issue Identification: Our platform highlights the most critical issues (controls, advisories, and CVEs) that need to be fixed, so you can stay on top of your infrastructure security.
  • Continuous Scanning: With our SaaS platform, you can set up continuous scanning with cloud providers such as AWS Lambda and EBS volume scans. This helps you stay on top of changes and identify new vulnerabilities in real-time.
  • Integration with Kubernetes Controller: Our platform integrates with the Kubernetes controller, providing you with a comprehensive view of your infrastructure security.
  • Policy Management and Exception Definition: Our platform provides a UI where you can manage policies and define exceptions, making it easy to customize your infrastructure security.

Overall, Mondoo's SaaS platform provides additional capabilities that can help you better understand and improve your security posture. The platform provides a complete solution for continuous scanning and managing the vulnerabilities, advisories, and security controls of your infrastructure.

Victoria Jeffrey

Victoria Jeffrey (also known as vj) is an Engineering Manager/Software Engineer living near Denver, Colorado. She's been doing this coding and DevOps and security thing for over seven years now, and still loves every minute of it. Vj spends her free time hanging with her family, binging too much tv, and fulfilling her suburban mom obligations by going to pilates and trying to maintain a small herb garden.

You might also like

Mondoo June 2024 Release Highlights
Mondoo May 2024 Release Highlights
Mondoo April 2024 Release Highlights