If you're looking to improve the security of your infrastructure, cnquery and cnspec are tools you should know about. These open source command-line interface (CLI) tools are designed to gather information about and test the security posture of your infrastructure, including Linux, Windows, VMware, Kubernetes, AWS, Slack, GitHub, containers, images, and more.
But why would you use these tools? And what exactly do they do? In this article, we'll answer these questions and more, so you can decide if cnquery and cnspec are right for you.
cnquery and cnspec are open source CLI security and infrastructure tools, developed by Mondoo. They are designed to help you gather information about and test the security posture of your infrastructure.
The short answer is, to improve the security of your infrastructure. By using cnquery and cnspec, you can discover and explore potential security issues, and then assert and test them to see if they are real problems. This way, you can proactively identify and fix security issues before they can be exploited by attackers.
cnquery and cnspec gather information in different ways. In some cases, they run system commands. Other times, these CLI tools read the locally stored or provided credentials to call APIs.
The information gathered by cnquery and cnspec is stored locally, in memory.
While both cnquery and cnspec are designed to help you improve the security of your infrastructure, they serve slightly different purposes. Use cnquery to ask, discover, and explore. Use cnspec to assert and test.
Here are some examples:
cnquery run aws -c "aws.ec2.instances { publicIp }"
cnspec run aws -c "aws.ec2.instances.all(publicIp == ‘’)"
cnquery run k8s --discover pods -c "k8s.pod { podSpec['volumes'] }" > mondootest.json
cnspec run k8s --discover pods -c "k8s.pod { podSpec['volumes'] { _['hostPath']['path'] != '/run/containerd/containerd.sock' }}"
cnquery run ssh ec2-user@100.24.54.36 -c "sshd.config.params" --sudo
cnspec run ssh ec2-user@100.24.54.36 -c "sshd.config.params['PasswordAuthentication'] == 'no' && sshd.config.params['Protocol'] == 2" --sudo
cnquery run github repo mondoohq/cnspec --token $GITHUB_TOKEN -c "github.repository.branches { protected name }"
cnspec run github repo mondoohq/cnspec --token $GITHUB_TOKEN -c "github.repository.branches.where(isDefault == true) { protected == true protectionRules != null protectionRules {allowForce
cnquery and cnspec are powerful open source CLI security and infrastructure tools that allow you to gather information about and test the security posture of your infrastructure. With cnquery, you can ask, discover, and explore, while cnspec is used to assert and test. To see a list of what you can scan with these tools, visit https://mondoo.com/docs/cnspec/cnspec-supported/. If you're interested in trying these tools yourself, you can quickly and easily download and install cnquery and cnspec.
While cnspec and cnquery are powerful open source CLI security tools on their own, Mondoo's SaaS platform takes them to the next level. Our platform provides additional functionality that can help you better understand and improve your security posture.
Some examples of how our SaaS platform enhances cnspec and cnquery include:
Overall, Mondoo's SaaS platform provides additional capabilities that can help you better understand and improve your security posture. The platform provides a complete solution for continuous scanning and managing the vulnerabilities, advisories, and security controls of your infrastructure.