Query Cloudflare
Query Cloudflare accounts, zones, DNS, certificates, and security settings with cnquery
Mondoo's cloudflare provider lets you use cnquery to query and inventory your Cloudflare resources. You can explore accounts, DNS zones and records, Workers and Pages projects, R2 storage buckets, Zero Trust applications, and video streams.
Requirements
To analyze your Cloudflare environment with cnquery, you must have:
- cnquery installed on your workstation
- A Cloudflare account with API access
- A Cloudflare API token with permissions for the resources you want to query (to learn how to create API tokens, read Create an API token in the Cloudflare documentation)
Configure access to Cloudflare
To create an API token:
- Log in to the Cloudflare dashboard.
- Navigate to My Profile > API Tokens.
- Select Create Token.
- Configure the token with the permissions you need.
- Copy the generated token.
Connect to Cloudflare
To query your Cloudflare account, provide your API token:
cnquery shell cloudflare --token YOUR_API_TOKEN
You can also set the CLOUDFLARE_API_TOKEN environment variable instead of passing the flag:
export CLOUDFLARE_API_TOKEN=your_token_here
cnquery shell cloudflare
Example queries
Accounts
List all Cloudflare accounts:
cnquery> cloudflare.accounts
cloudflare.accounts: [
0: cloudflare.account name="My Account"
...
]
Check whether two-factor authentication is enforced for an account:
cnquery> cloudflare.accounts[0] { name settings { enforceTwoFactor } }
cloudflare.accounts[0]: {
name: "My Account"
settings: {
enforceTwoFactor: true
}
}
Zones
List all DNS zones:
cnquery> cloudflare.zones
cloudflare.zones: [
0: cloudflare.zone name="example.com"
1: cloudflare.zone name="mysite.io"
...
]
Retrieve details about a specific zone:
cnquery> cloudflare.zones[0] { name status type paused nameServers }
cloudflare.zones[0]: {
name: "example.com"
status: "active"
type: "full"
paused: false
nameServers: [
0: "anna.ns.cloudflare.com"
1: "bob.ns.cloudflare.com"
]
}
DNS records
List DNS records for a zone:
cnquery> cloudflare.zones[0].dns.records
cloudflare.zones[0].dns.records: [
0: cloudflare.dns.record type="A" content="203.0.113.50" name="www"
1: cloudflare.dns.record type="CNAME" content="example.com" name="blog"
...
]
Retrieve details for DNS records including proxy status and TTL:
cnquery> cloudflare.zones[0].dns.records { name type content ttl proxied }
cloudflare.zones[0].dns.records: [
0: {
name: "www"
type: "A"
content: "203.0.113.50"
ttl: 1
proxied: true
}
1: {
name: "blog"
type: "CNAME"
content: "example.com"
ttl: 3600
proxied: false
}
...
]
Workers and Pages
List all Worker scripts:
cnquery> cloudflare.workers.workers
cloudflare.workers.workers: [
0: cloudflare.workers.worker id="my-api-worker"
1: cloudflare.workers.worker id="auth-handler"
...
]
Retrieve details about a Worker script:
cnquery> cloudflare.workers.workers[0] { id deploymentId size logPush placementMode }
cloudflare.workers.workers[0]: {
id: "my-api-worker"
deploymentId: "abc123def456"
size: 24576
logPush: false
placementMode: "smart"
}
List all Pages projects:
cnquery> cloudflare.workers.pages
cloudflare.workers.pages: [
0: cloudflare.workers.page projectName="my-website"
...
]
Retrieve details about a Pages project:
cnquery> cloudflare.workers.pages[0] { projectName url productionBranch environment }
cloudflare.workers.pages[0]: {
projectName: "my-website"
url: "https://my-website.pages.dev"
productionBranch: "main"
environment: "production"
}
R2 storage
List all R2 buckets:
cnquery> cloudflare.r2.buckets
cloudflare.r2.buckets: [
0: cloudflare.r2.bucket name="assets"
1: cloudflare.r2.bucket name="backups"
...
]
Retrieve details about R2 buckets:
cnquery> cloudflare.r2.buckets { name location createdOn }
cloudflare.r2.buckets: [
0: {
name: "assets"
location: "ENAM"
createdOn: 2024-06-15 09:30:00 +0000 UTC
}
1: {
name: "backups"
location: "WEUR"
createdOn: 2024-08-20 14:00:00 +0000 UTC
}
...
]
Zero Trust
List Zero Trust applications:
cnquery> cloudflare.one.apps
cloudflare.one.apps: [
0: cloudflare.one.app name="Internal Dashboard"
1: cloudflare.one.app name="Staging Environment"
...
]
Retrieve details about a Zero Trust application:
cnquery> cloudflare.one.apps[0] { name domain type sessionDuration appLauncherVisible }
cloudflare.one.apps[0]: {
name: "Internal Dashboard"
domain: "dashboard.example.com"
type: "self_hosted"
sessionDuration: "24h"
appLauncherVisible: true
}
List identity providers:
cnquery> cloudflare.one.identityProviders
cloudflare.one.identityProviders: [
0: cloudflare.one.idp name="Company Okta"
1: cloudflare.one.idp name="GitHub"
...
]
Learn more
- To learn more about how the MQL query language works, read Write Effective MQL.
- For a list of all the Cloudflare resources and fields you can query, read the Cloudflare Resource Pack Reference.
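The example queries on this page list resources; the MQL below filters the same fields with where so that each query returns only the resources that fail a security check. This is an added example, not part of Mondoo's documentation. It assumes the resource and field names shown in the queries above and is meant to be pasted into the cnquery shell one query at a time.

```mql
// Added example: each query returns the resources that FAIL the check.
// An empty list means the check passes.

// 1. Accounts that do not enforce two-factor authentication.
cloudflare.accounts.where(settings.enforceTwoFactor != true) { name }

// 2. A/AAAA records that are DNS-only (proxied == false). These records
//    publish the target address directly in DNS, so requests to them do
//    not pass through Cloudflare's proxy.
cloudflare.zones {
  name
  dns.records.where(proxied == false).where(type == "A" || type == "AAAA") {
    name
    type
    content
  }
}

// 3. Zones that are paused or not in the "active" state.
cloudflare.zones.where(paused == true || status != "active") {
  name
  status
  paused
}

// 4. Worker scripts with Logpush disabled, i.e. no exported logs to
//    review during an investigation.
cloudflare.workers.workers.where(logPush == false) { id placementMode }
```

Unproxied records are often intentional (mail hosts, for example), so treat the output of query 2 as a review list rather than a list of violations.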