Write Custom Policies

Create Checks in cnspec Shell

Use cnspec's interactive shell to learn about checks

As you write the checks and queries in a policy, it helps to test your MQL before you add it to a bundle. cnspec provides an interactive shell in which you can explore. The shell helps you understand the checks that cnspec policies use, and write your own as well. It's also a great way to interact with both local and remote targets on the fly.

Run the shell:

cnspec shell local

The shell provides a help command to get information about the resources that power cnspec. Running help without any arguments lists every available MQL resource and its fields. Run help RESOURCE for details on a specific resource. For example:

cnspec> help ports

Returns this help:

ports:              TCP/IP ports on the system
  list []port:      All ports in use by processes (both listening and non-listening)
  listening []port: All listening ports

The shell also features auto-complete, which makes it easy to explore.

Once inside the shell, you can enter MQL queries and test them live against your system. For example, this check passes only when nothing is listening on port 23:

ports.listening.none( port == 23 )

To clear the terminal, type clear.

To exit the cnspec shell, press Ctrl + D or type exit.
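
Once a check behaves as expected in the shell, it can be placed in a policy bundle. The bundle below is an added example, not taken from the original page or from the cnspec project; the file name, uids, names, author, asset filter, and impact value are assumptions chosen for illustration.

```yaml
# telnet-policy.mql.yaml (hypothetical file name)
# Scan the local system with this bundle:
#   cnspec scan local -f telnet-policy.mql.yaml
policies:
  - uid: example-no-telnet-policy        # assumed uid
    name: Example No Telnet Policy       # assumed name
    version: 1.0.0
    authors:
      - name: Example Author             # placeholder author
        email: author@example.com
    groups:
      - title: Network services
        # Assumed filter: only evaluate the checks on Unix-like assets.
        filters: |
          asset.family.contains('unix')
        checks:
          - uid: example-no-telnet-listener   # assumed uid
            title: Ensure nothing is listening on port 23 (Telnet)
            # The same MQL that was tested in the shell above.
            mql: ports.listening.none( port == 23 )
            impact: 80                        # assumed severity weighting
```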
