Run a Query Pack
Query packs let you bundle multiple MQL queries together and run them against any asset with cnspec.
Query packs let you bundle multiple MQL queries into a single YAML file and run them together against an asset. Where policies evaluate checks and report pass/fail, query packs simply gather data. They use the same bundle format as policies and run with the same cnspec scan command.
You can find example query packs in the cnspec GitHub repo.
Run a local query pack
To run a query pack file against an asset, pass it to cnspec scan with the -f flag:
```bash
cnspec scan TARGET -f querypack.mql.yaml
```

| For... | Substitute... |
|---|---|
| TARGET | The asset to scan, such as local, ssh user@host, or aws. |
| querypack.mql.yaml | The local path to a query pack bundle. You can also pass s3:// or https:// URLs. |
For example, to run a local query pack against your machine:
```bash
cnspec scan local -f incident-response.mql.yaml
```
To skip recording results in Mondoo Platform, add --incognito:
```bash
cnspec scan local -f incident-response.mql.yaml --incognito
```
Enable a query pack from Mondoo Platform
If you want Mondoo to run a query pack continuously across all matching assets in a space, enable it from the Mondoo Console rather than passing it to cnspec scan each time. To learn how, read Inventory Your Assets.
Create custom query packs
A query pack is a YAML bundle with one or more named queries:
```yaml
packs:
  - uid: my-pack
    name: My example query pack
    queries:
      - uid: list-services
        title: List running services
        mql: services.where(running == true) { name }
      - uid: list-users
        title: List user accounts
        mql: users { name uid shell }
```
You can find more examples in the cnspec examples folder.
Query packs and policies share the same bundle format. The same cnspec scan -f command runs either kind of bundle.
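The following is an added example, not code from the cnspec project: a small Python generator that renders a query pack in the shape shown above and double-quotes every value, so MQL containing `"`, `#` or `: ` cannot be misread as YAML structure. The function name `render_pack`, the output filename and the check that query uids are unique within a pack are assumptions of this example.

```python
import json


def _s(value):
    # JSON string syntax is a valid YAML double-quoted scalar, so quotes,
    # '#', ': ' and braces inside MQL survive as plain string content.
    return json.dumps(value, ensure_ascii=False)


def render_pack(uid, name, queries):
    """Render one pack from (uid, title, mql) tuples; raise ValueError if malformed."""
    if not queries:
        # The page defines a pack as holding one or more named queries.
        raise ValueError("a pack needs at least one query")
    seen = set()
    lines = ["packs:", f"  - uid: {_s(uid)}", f"    name: {_s(name)}", "    queries:"]
    for q_uid, title, mql in queries:
        if not q_uid or not mql.strip():
            raise ValueError(f"query {q_uid!r} needs a uid and non-empty mql")
        if q_uid in seen:
            # Assumption of this example: uids identify queries, so reject repeats.
            raise ValueError(f"duplicate query uid: {q_uid}")
        seen.add(q_uid)
        lines += [
            f"      - uid: {_s(q_uid)}",
            f"        title: {_s(title)}",
            f"        mql: {_s(mql)}",
        ]
    return "\n".join(lines) + "\n"


# Constructed sample input: the two queries from the example pack on this page.
SAMPLE = [
    ("list-services", "List running services", "services.where(running == true) { name }"),
    ("list-users", "List user accounts", "users { name uid shell }"),
]

if __name__ == "__main__":
    with open("my-pack.mql.yaml", "w", encoding="utf-8") as fh:
        fh.write(render_pack("my-pack", "My example query pack", SAMPLE))
    # Run it as described above:
    #   cnspec scan local -f my-pack.mql.yaml --incognito
```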
Learn more
- To run ad-hoc queries without a bundle, read Query Your Infrastructure.
- To scan many assets at once with a single command, read Remote Scanning with Inventory Files.
- To learn how queries differ from policy checks, read About Policies.