Secure Equinix Metal with cnspec
Scan Equinix Metal infrastructure against security and compliance best practices with cnspec.
Scan your Equinix Metal infrastructure to find security risks before they become incidents. cnspec evaluates organizations, projects, devices, SSH keys, and users — all without installing agents on your infrastructure.
Prerequisites
To scan Equinix Metal with cnspec, you must have:
- cnspec installed on your workstation
- An Equinix Metal account
- An Equinix Metal API token
Authenticate
Create an API token in Equinix Metal:
- Log in to the Equinix Metal console.
- Navigate to your user settings.
- Generate an API token.
You can pass the token on the command line with --token, or export it once and reuse it across commands:
export PACKET_AUTH_TOKEN=your_token_hereVerify with a quick Equinix Metal check
Confirm that cnspec can reach your Equinix Metal organization:
cnspec run equinix org ORG_ID -c 'equinix.metal.organization.id != empty'If cnspec connects, it prints the organization ID and confirms the check passed.
Scan Equinix Metal
Scan an organization:
cnspec scan equinix org ORG_IDScan a specific project:
cnspec scan equinix project PROJECT_IDYou can also create your own policies to meet your specific requirements.
Explore and test checks interactively
Open a cnspec shell against an organization or project:
cnspec shell equinix org ORG_IDcnspec shell equinix project PROJECT_IDRetrieve organization information
cnspec> equinix.metal.organizationList projects
cnspec> equinix.metal.projects { name id createdAt }List devices in a project
cnspec> equinix.metal.projects[0].devices { hostname state }Retrieve device details
cnspec> equinix.metal.devices { hostname state billingCycle os }List SSH keys
cnspec> equinix.metal.sshKeysList users
cnspec> equinix.metal.usersLearn more
- Equinix Resource Pack Reference — every Equinix Metal resource and field cnspec can query
- Write Effective MQL — guide to authoring checks and queries