The API for your entire infrastructure
Open source, cloud-native, graph-based asset inventory. Query your entire fleet—cloud accounts, Kubernetes, containers, services, VMs, APIs, and SaaS—with a single tool.
One tool. Every platform.
Why cnquery?
Stop jumping between cloud consoles, SSH sessions, and API documentation. cnquery gives you a unified interface to explore and query any infrastructure.
Universal Connectivity
40+ providers out of the box. AWS, Azure, Cisco, GCP, Kubernetes, GitHub, Okta, Microsoft 365, and dozens more—all with the same query language.
Graph-Based Data Model
Everything is stored in a graph, so you can traverse relationships between resources. Find all EC2 instances connected to a specific security group in one query.
MQL Query Language
Purpose-built query language that feels like writing code. Autocomplete in the shell, type safety, and expressive syntax for complex queries.
Query Packs
Bundle queries into reusable packs. Share with your team, version control them, and run standardized data collection across your fleet.
MQL: Query Language for Infrastructure
MQL is a graph-based query language designed specifically for infrastructure. Write expressive queries with auto-complete, traverse resource relationships, and get structured output in JSON, YAML, or CSV.
- Interactive shell with auto-complete and inline documentation
- Graph traversal to navigate resource relationships
- Structured output in JSON, YAML, CSV, or compact format
    # Find all public S3 buckets
    cnquery> aws.s3.buckets.where( public == true ) { name location policy }

    # List EC2 instances with their security groups
    cnquery> aws.ec2.instances { instanceId state securityGroups { name vpcId } }

    # Check for unencrypted EBS volumes
    cnquery> aws.ec2.volumes.where(encrypted == false)
Built for Real Work
From incident response to compliance audits, cnquery handles the infrastructure queries that matter.
Find issues before they become incidents
Discover any listening port, identify the associated process, and swiftly access relevant fields.
Dive deep into your inventory
All resources have structured data fields and are connected to other resources in a graph.
Quickly collect information during incidents
Collect all information about compromised assets and services with fully automated query packs.
Auto-gather evidence for compliance audits
Avoid unnecessary screenshots by querying your infrastructure like a database.
One API for all your assets
Use the same resources across many different types of technologies to harmonize your data.
Built for automation
Run fully automated tasks for data discovery, collection, and export across your assets.
How It Works
Connect to anything, query everything, export anywhere.
Connect
Point cnquery at any target—AWS account, Kubernetes cluster, SSH host, or container image.
Query
Write MQL queries or use the interactive shell with auto-complete to explore resources.
Traverse
Follow relationships in the graph. Navigate from Kubernetes cluster to workloads to running container images.
Export
Output to JSON, YAML, or CSV. Pipe to other tools or store in your data platform.
Install in Seconds
Get started with a single command on any platform.
brew tap mondoohq/mondoo && brew install cnquery
bash -c "$(curl -sSL https://install.mondoo.com/sh)"
cnquery & cnspec
Two open source CLI tools built for terminal and CI/CD pipelines
cnquery: For exploration and ad-hoc queries. Like SQL for your infrastructure.
- Interactive shell
- Ad-hoc queries
- Data export (JSON, YAML, CSV)
- Scripting & automation
cnspec: For policy enforcement and compliance scanning. Built on cnquery.
- Policy-based scanning
- Risk scoring
- CI/CD integration
- Remediation guidance
Start Querying Your Infrastructure
cnquery is free and open source. Join thousands of engineers using it for security, compliance, and operations.