Query Your Infrastructure

Run ad-hoc MQL queries against any asset using cnspec run and cnspec shell.

Beyond policy-based scanning, cnspec lets you query any asset directly using MQL (Mondoo Query Language). MQL is a lightweight, fast query language built for searching and filtering infrastructure configuration data. Its data extraction resembles GraphQL, while its scripting approach is similar to JavaScript.

MQL integrates with hundreds of resources to retrieve information about your infrastructure.

Run a query in the cnspec shell

The interactive cnspec shell, with auto-complete, is the easiest way to query your systems:

cnspec shell TARGET

For example, to open a shell against the local system:

cnspec shell local

Or against a remote host over SSH:

cnspec shell ssh user@HOST

Inside the shell, type help to list available resources, or start typing a resource name and press Tab to auto-complete.

Run a single query from the command line

To run a single query without opening a shell, use cnspec run:

cnspec run TARGET -c QUERY

For...    Substitute...
TARGET    The asset to query, such as local or a transport to a remote machine.
QUERY     The MQL query that specifies the information you want.

Examples

List services and their running status on your local system:

cnspec run local -c "services.list { name running }"

Find all AWS EC2 instances with a public IP address:

aws.ec2.instances.where( publicIp != '' ) {
  instanceId
  region
  state
  tags
  publicIp
}

List all users with every available field:

users.list { * }

Find all container image repositories used in a Kubernetes cluster:

k8s.pods {
  name
  containers.map( containerImage.repository.fullName )
}

.map is an array function that extracts the given field from each element. Unlike a block call ({ .. }), it returns the field's values directly.
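To run the same ad-hoc queries non-interactively against several assets, the added example below (not part of the cnspec documentation) wraps cnspec run TARGET -c QUERY in a shell function that saves one report per target. The function names sweep and queries, the targets and the output directory are assumptions made for this example; it also assumes cnspec exits non-zero when a query cannot be run.

```shell
#!/bin/sh
# Added example. Function names, targets and paths are placeholders.

# One MQL query per line. The quoted heredoc stops the shell from
# touching braces, parentheses, quotes or the * wildcard.
queries() {
  cat <<'EOF'
services.list { name running }
users.list { * }
EOF
}

# sweep OUTDIR TARGET...
# Each TARGET is what follows "cnspec run": "local", "ssh user@HOST", ...
# Writes OUTDIR/<target>.txt and returns the number of targets that
# had at least one failed query.
sweep() {
  outdir=$1
  shift
  mkdir -p "$outdir" || return 1
  failed=0
  for target in "$@"; do
    # Report file name built from the target, reduced to safe characters.
    report="$outdir/$(printf '%s' "$target" | tr -c 'A-Za-z0-9._-' '_').txt"
    queries | while IFS= read -r query; do
      printf '### %s\n' "$query"
      # $target is left unquoted so "ssh user@HOST" becomes two arguments.
      # stdin comes from /dev/null so cnspec (or ssh) cannot swallow the
      # remaining queries. Assumes a non-zero exit when the query fails.
      cnspec run $target -c "$query" </dev/null || printf '!! query failed\n'
    done >"$report" 2>&1
    if grep -q '^!! query failed' "$report"; then
      failed=$((failed + 1))
    fi
  done
  return "$failed"
}

# Stand-alone use: sh sweep.sh OUTDIR TARGET...
if [ "$#" -gt 0 ]; then
  sweep "$@"
fi
```

Pass a multi-word target as one quoted argument, for example sweep ./reports local "ssh user@HOST".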

Resources and fields

Resources are the building blocks for writing queries. They let you retrieve the configuration of an asset. Some examples:

  • asset — Information about the asset, including name, family, release, and more
  • user — User information, including name, UID, GID, home, shell, and more
  • packages — Package information, including name, version, installed, outdated, and more
  • k8s.container — Kubernetes container configuration, including imagePullPolicy, workingDir, and more
  • terraform.block — Terraform block arguments, attributes, and more

Each resource has fields that return specific configuration values. Retrieve multiple fields at once using braces:

asset { platform version arch }

For a full list of available resources, enter the help command within the cnspec shell, or browse the MQL resource reference.

Operators and functions

For information on MQL operators and functions, read Write Effective MQL.
