Skip to content
Untitled design-Aug-24-2022-04-59-26-33-PM
Victoria JeffreyJanuary 31, 20233 min read

Understanding cnquery and cnspec: Open Source CLI Security Tools

Mondoo_graphics_Understanding cnquery and cnspec-02

If you're looking to improve the security of your infrastructure, cnquery and cnspec are tools you should know about. These open source command-line interface (CLI) tools are designed to gather information about and test the security posture of your infrastructure, including Linux, Windows, VMware, Kubernetes, AWS, Slack, GitHub, containers, images, and more.

But why would you use these tools? And what exactly do they do? In this article, we'll answer these questions and more, so you can decide if cnquery and cnspec are right for you.

What are cnquery and cnspec?

cnquery and cnspec are open source CLI security and infrastructure tools, developed by Mondoo. They are designed to help you gather information about and test the security posture of your infrastructure.

Why would I use them?

The short answer is, to improve the security of your infrastructure. By using cnquery and cnspec, you can discover and explore potential security issues, and then assert and test them to see if they are real problems. This way, you can proactively identify and fix security issues before they can be exploited by attackers.

How do they gather information?

cnquery and cnspec gather information in different ways. In some cases, they run system commands. Other times, these CLI tools read the locally stored or provided credentials to call APIs.

Where do they store information?

The information gathered by cnquery and cnspec is stored locally, in memory.

Why two tools?

While both cnquery and cnspec are designed to help you improve the security of your infrastructure, they serve slightly different purposes. Use cnquery to ask, discover, and explore. Use cnspec to assert and test.

Here are some examples:


cnquery run aws -c "aws.ec2.instances { publicIp }"
cnspec run aws -c "aws.ec2.instances.all(publicIp == ‘’)"


cnquery run k8s --discover pods -c "k8s.pod {  podSpec['volumes']  }" > mondootest.json
cnspec run k8s --discover pods -c "k8s.pod {  podSpec['volumes']  { _['hostPath']['path'] != '/run/containerd/containerd.sock' }}"


cnquery run ssh ec2-user@ -c "sshd.config.params" --sudo
cnspec run ssh ec2-user@ -c "sshd.config.params['PasswordAuthentication'] == 'no' && sshd.config.params['Protocol'] == 2" --sudo


cnquery run github repo mondoohq/cnspec --token $GITHUB_TOKEN -c "github.repository.branches { protected name }"
cnspec run github repo mondoohq/cnspec --token $GITHUB_TOKEN -c "github.repository.branches.where(isDefault == true) { protected == true protectionRules != null protectionRules {allowForce

Get started with cnquery and cnspec today

cnquery and cnspec are powerful open source CLI security and infrastructure tools that allow you to gather information about and test the security posture of your infrastructure. With cnquery, you can ask, discover, and explore, while cnspec is used to assert and test. To see a list of what you can scan with these tools, visit If you're interested in trying these tools yourself, you can quickly and easily download and install cnquery and cnspec.

How Mondoo's SaaS Platform Enhances cnspec and cnquery

While cnspec and cnquery are powerful open source CLI security tools on their own, Mondoo's SaaS platform takes them to the next level. Our platform provides additional functionality that can help you better understand and improve your security posture.

Some examples of how our SaaS platform enhances cnspec and cnquery include:

  • Visualization and Enrichment of Data: Our platform takes the raw data collected by cnspec and cnquery and presents it in a clear and easy-to-understand format. This makes it easier to identify areas that need attention and prioritize your efforts.
  • Critical Issue Identification: Our platform highlights the most critical issues (controls, advisories, and CVEs) that need to be fixed, so you can stay on top of your infrastructure security.
  • Continuous Scanning: With our SaaS platform, you can set up continuous scanning with cloud providers such as AWS Lambda and EBS volume scans. This helps you stay on top of changes and identify new vulnerabilities in real-time.
  • Integration with Kubernetes Controller: Our platform integrates with the Kubernetes controller, providing you with a comprehensive view of your infrastructure security.
  • Policy Management and Exception Definition: Our platform provides a UI where you can manage policies and define exceptions, making it easy to customize your infrastructure security.

Overall, Mondoo's SaaS platform provides additional capabilities that can help you better understand and improve your security posture. The platform provides a complete solution for continuous scanning and managing the vulnerabilities, advisories, and security controls of your infrastructure.


Victoria Jeffrey

Victoria Jeffrey (also known as vj) is an Engineering Manager/Software Engineer living near Denver, Colorado. She's been doing this coding and DevOps and security thing for over seven years now, and still loves every minute of it. Vj spends her free time hanging with her family, binging too much tv, and fulfilling her suburban mom obligations by going to pilates and trying to maintain a small herb garden.


view raw