
Run a Query Pack

To run multiple queries together, you can combine queries into query packs. You can find query packs in Mondoo's cnquery-packs GitHub repo.

Let cnquery choose the right query pack

cnquery comes with query packs out of the box for most systems. You can run:

cnquery scan local

Without any further arguments, cnquery looks for the default query pack that matches the target's platform and runs it.

Run a specific query pack

To specify a query pack that you want to run, use the --querypack argument:

cnquery scan TARGET --querypack PACKNAME

For         Substitute
TARGET      The asset to query, such as local or a transport to a remote machine.
PACKNAME    The name of the pack to run.

For example, this command runs a query pack named incident-response:

cnquery scan local --querypack incident-response

Run a single query from a pack

You can also run just one query from a query pack. Specify the query's UID together with the pack that contains it:

cnquery scan TARGET --querypack PACKNAME --query-id QUERYUID

For         Substitute
TARGET      The asset to query, such as local or a transport to a remote machine.
PACKNAME    The name of the pack that contains the query you want to run.
QUERYUID    The unique identifier (uid) of the query you want to run. Find it in the query pack's YAML file.

For example, this command runs the query with UID sth-01 from the pack named incident-response:

cnquery scan local --querypack incident-response --query-id sth-01

Create custom query packs

Custom query packs let you bundle queries to meet your specific needs. To help you get started, you can find simple query pack examples in the cnquery repo's examples folder.
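The following is an added example, not code from the cnquery documentation or the cnquery-packs repo. It writes a small custom query pack, lists the query UIDs the pack defines (the values you pass to --query-id), and shows how to run a single query from it. The file name, the pack and query UIDs, the titles and the MQL bodies are all constructed for this example; the YAML field layout (packs / uid / name / version / filters / queries / mql) follows the layout used by the packs in Mondoo's cnquery-packs repo, and the pack is loaded from a file with cnquery's -f (--querypack-bundle) flag instead of by name.

```shell
#!/bin/sh
# Added example: build a custom cnquery query pack, list its query UIDs,
# and run one query from it. Not part of the cnquery project's own code.
set -eu

# Assumed file name for the custom pack (any *.mql.yaml path works).
PACK_FILE="${PACK_FILE:-./acme-triage.mql.yaml}"

# Write a constructed query pack. Pack UID, query UIDs, titles and MQL are
# illustrative; the field layout mirrors the packs in the cnquery-packs repo.
write_pack() {
  cat > "$1" <<'EOF'
packs:
  - uid: acme-linux-triage
    name: ACME Linux triage pack
    version: 1.0.0
    filters:
      - asset.family.contains('unix')
    queries:
      - uid: acme-triage-01
        title: Listening TCP/UDP ports with the owning process
        mql: ports.listening { port protocol process { pid executable } }
      - uid: acme-triage-02
        title: Local users that have a usable login shell
        mql: |
          users.where( shell != "/usr/sbin/nologin" && shell != "/bin/false" ) { name uid home shell }
      - uid: acme-triage-03
        title: Platform identity of the asset
        mql: asset { name platform version arch }
EOF
}

# Print the query UIDs defined in a pack file, one per line. These are the
# values accepted by --query-id. Relies on the indentation written above:
# "queries:" at 4 spaces, each query entry at 6 spaces, pack entries at 2.
pack_query_uids() {
  awk '
    /^    queries:/          { in_q = 1; next }
    in_q && /^      - uid:/  { print $3 }
    in_q && /^  - uid:/      { in_q = 0 }   # a new pack entry ends the list
  ' "$1"
}

# Run a single query from the pack file. $1 = pack file, $2 = query UID.
# If cnquery is not installed, print the command that would have run.
run_single_query() {
  if command -v cnquery >/dev/null 2>&1; then
    cnquery scan local -f "$1" --query-id "$2"
  else
    echo "cnquery not found; would run: cnquery scan local -f $1 --query-id $2" >&2
  fi
}

write_pack "$PACK_FILE"
echo "Query UIDs in $PACK_FILE:"
pack_query_uids "$PACK_FILE"
run_single_query "$PACK_FILE" acme-triage-01
```

Keep the uid values stable once a pack is in use: they are what --query-id keys on, and what reports and automation will refer to.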