Run a Query Pack

Query packs let you bundle multiple MQL queries into a single YAML file and run them together against an asset. Where policies evaluate checks and report pass/fail results, query packs gather and report data without scoring it. Query packs use the same bundle format as policies and run with the same cnspec scan command.

You can find example query packs in the cnspec GitHub repo.

Run a local query pack

To run a query pack file against an asset, pass it to cnspec scan with the -f flag:

cnspec scan TARGET -f querypack.mql.yaml

For... | Substitute...
TARGET | The asset to scan, such as local, ssh user@host, or aws.
querypack.mql.yaml | The local path to a query pack bundle. You can also pass an s3:// or https:// URL.

For example, to run a local query pack against your machine:

cnspec scan local -f incident-response.mql.yaml

To skip recording results in Mondoo Platform, add --incognito:

cnspec scan local -f incident-response.mql.yaml --incognito

Enable a query pack from Mondoo Platform

To run a query pack continuously across every matching asset in a space, enable it from the Mondoo App instead of passing it to cnspec scan each time. For step-by-step instructions, read Inventory Your Assets.

Create a custom query pack

A query pack is a YAML bundle with one or more named queries:

example.mql.yaml
packs:
  - uid: my-pack
    name: My example query pack
    queries:
      - uid: list-services
        title: List running services
        mql: services.where(running == true) { name }
      - uid: list-users
        title: List user accounts
        mql: users { name uid shell }

Each query needs a uid (a unique identifier within the bundle), a title, and the mql query to run. You can find more examples in the cnspec examples folder.
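
A pre-flight check for the requirements above, as an added example that is not part of the cnspec documentation or code base: it parses a bundle and reports queries missing a uid, title, or mql, and uids reused within the bundle. The function name lint_query_pack and the sample bundle are constructed for illustration, and the check covers only the fields this page lists.

```ruby
require "yaml"

REQUIRED = %w[uid title mql].freeze # fields the page says every query needs

# Return a list of problems in a query pack bundle (empty list when clean).
def lint_query_pack(yaml_text)
  doc = YAML.safe_load(yaml_text)
  packs = doc.is_a?(Hash) ? doc["packs"] : nil
  return ["bundle has no top-level 'packs' list"] unless packs.is_a?(Array) && !packs.empty?

  errors = []
  seen = {} # query uid => location of its first use in the bundle
  packs.each_with_index do |pack, pi|
    pack = {} unless pack.is_a?(Hash)
    pack_id = pack["uid"].is_a?(String) ? pack["uid"] : "packs[#{pi}]"
    queries = pack["queries"].is_a?(Array) ? pack["queries"] : []
    errors << "#{pack_id}: pack has no queries" if queries.empty?
    queries.each_with_index do |query, qi|
      where = "#{pack_id}.queries[#{qi}]"
      query = {} unless query.is_a?(Hash)
      REQUIRED.each do |field|
        value = query[field]
        errors << "#{where}: missing #{field}" unless value.is_a?(String) && !value.strip.empty?
      end
      uid = query["uid"]
      next unless uid.is_a?(String) && !uid.strip.empty?
      errors << "#{where}: duplicate uid '#{uid}' (first used at #{seen[uid]})" if seen.key?(uid)
      seen[uid] ||= where
    end
  end
  errors
end

# Constructed sample: the second query reuses a uid and the third has no mql.
SAMPLE_BUNDLE = <<~YAML
  packs:
    - uid: my-pack
      queries:
        - uid: list-services
          title: List running services
          mql: services.where(running == true) { name }
        - uid: list-services
          title: List user accounts
          mql: users { name uid shell }
        - uid: list-shells
          title: List login shells
YAML

puts lint_query_pack(SAMPLE_BUNDLE) if __FILE__ == $PROGRAM_NAME
```

Running a check like this in CI before cnspec scan -f catches a bundle that was edited by hand or fetched from a URL and no longer matches the expected shape.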

Query packs and policies share the same bundle format. The same cnspec scan -f command runs either kind of bundle.
