Mondoo
Docs
SaaS

Query Cloudflare

Query Cloudflare accounts, zones, DNS, certificates, and security settings with cnquery

Mondoo's cloudflare provider lets you use cnquery to query and inventory your Cloudflare resources. You can explore accounts, DNS zones and records, Workers and Pages projects, R2 storage buckets, Zero Trust applications, and video streams.

Requirements

To analyze your Cloudflare environment with cnquery, you must have:

Configure access to Cloudflare

To create an API token:

  1. Log in to the Cloudflare dashboard.
  2. Navigate to My Profile > API Tokens.
  3. Select Create Token.
  4. Configure the token with the permissions you need.
  5. Copy the generated token.

Connect to Cloudflare

To query your Cloudflare account, provide your API token:

cnquery shell cloudflare --token YOUR_API_TOKEN

You can also set the CLOUDFLARE_API_TOKEN environment variable instead of passing the flag:

export CLOUDFLARE_API_TOKEN=your_token_here
cnquery shell cloudflare

Example queries

Accounts

List all Cloudflare accounts:

cnquery> cloudflare.accounts
cloudflare.accounts: [
  0: cloudflare.account name="My Account"
  ...
]

Check whether two-factor authentication is enforced for an account:

cnquery> cloudflare.accounts[0] { name settings { enforceTwoFactor } }
cloudflare.accounts[0]: {
  name: "My Account"
  settings: {
    enforceTwoFactor: true
  }
}

Zones

List all DNS zones:

cnquery> cloudflare.zones
cloudflare.zones: [
  0: cloudflare.zone name="example.com"
  1: cloudflare.zone name="mysite.io"
  ...
]

Retrieve details about a specific zone:

cnquery> cloudflare.zones[0] { name status type paused nameServers }
cloudflare.zones[0]: {
  name: "example.com"
  status: "active"
  type: "full"
  paused: false
  nameServers: [
    0: "anna.ns.cloudflare.com"
    1: "bob.ns.cloudflare.com"
  ]
}

DNS records

List DNS records for a zone:

cnquery> cloudflare.zones[0].dns.records
cloudflare.zones[0].dns.records: [
  0: cloudflare.dns.record type="A" content="203.0.113.50" name="www"
  1: cloudflare.dns.record type="CNAME" content="example.com" name="blog"
  ...
]

Retrieve details for DNS records including proxy status and TTL:

cnquery> cloudflare.zones[0].dns.records { name type content ttl proxied }
cloudflare.zones[0].dns.records: [
  0: {
    name: "www"
    type: "A"
    content: "203.0.113.50"
    ttl: 1
    proxied: true
  }
  1: {
    name: "blog"
    type: "CNAME"
    content: "example.com"
    ttl: 3600
    proxied: false
  }
  ...
]

Workers and Pages

List all Worker scripts:

cnquery> cloudflare.workers.workers
cloudflare.workers.workers: [
  0: cloudflare.workers.worker id="my-api-worker"
  1: cloudflare.workers.worker id="auth-handler"
  ...
]

Retrieve details about a Worker script:

cnquery> cloudflare.workers.workers[0] { id deploymentId size logPush placementMode }
cloudflare.workers.workers[0]: {
  id: "my-api-worker"
  deploymentId: "abc123def456"
  size: 24576
  logPush: false
  placementMode: "smart"
}

List all Pages projects:

cnquery> cloudflare.workers.pages
cloudflare.workers.pages: [
  0: cloudflare.workers.page projectName="my-website"
  ...
]

Retrieve details about a Pages project:

cnquery> cloudflare.workers.pages[0] { projectName url productionBranch environment }
cloudflare.workers.pages[0]: {
  projectName: "my-website"
  url: "https://my-website.pages.dev"
  productionBranch: "main"
  environment: "production"
}

R2 storage

List all R2 buckets:

cnquery> cloudflare.r2.buckets
cloudflare.r2.buckets: [
  0: cloudflare.r2.bucket name="assets"
  1: cloudflare.r2.bucket name="backups"
  ...
]

Retrieve details about R2 buckets:

cnquery> cloudflare.r2.buckets { name location createdOn }
cloudflare.r2.buckets: [
  0: {
    name: "assets"
    location: "ENAM"
    createdOn: 2024-06-15 09:30:00 +0000 UTC
  }
  1: {
    name: "backups"
    location: "WEUR"
    createdOn: 2024-08-20 14:00:00 +0000 UTC
  }
  ...
]

Zero Trust

List Zero Trust applications:

cnquery> cloudflare.one.apps
cloudflare.one.apps: [
  0: cloudflare.one.app name="Internal Dashboard"
  1: cloudflare.one.app name="Staging Environment"
  ...
]

Retrieve details about a Zero Trust application:

cnquery> cloudflare.one.apps[0] { name domain type sessionDuration appLauncherVisible }
cloudflare.one.apps[0]: {
  name: "Internal Dashboard"
  domain: "dashboard.example.com"
  type: "self_hosted"
  sessionDuration: "24h"
  appLauncherVisible: true
}

List identity providers:

cnquery> cloudflare.one.identityProviders
cloudflare.one.identityProviders: [
  0: cloudflare.one.idp name="Company Okta"
  1: cloudflare.one.idp name="GitHub"
  ...
]

Learn more

Atlassian

Query Atlassian Cloud Jira, Confluence, and Admin with cnquery

GitHub

Query GitHub configuration with cnquery

On this page

RequirementsConfigure access to CloudflareConnect to CloudflareExample queriesAccountsZonesDNS recordsWorkers and PagesR2 storageZero TrustLearn more