// Use when writing MQL (Mondoo Query Language) queries, working with Mondoo MCP tools, or developing security policies
| name | mql |
| description | Use when writing MQL (Mondoo Query Language) queries, working with Mondoo MCP tools, or developing security policies |
This skill provides guidance for writing MQL (Mondoo Query Language) queries and validating them using either the cnspec CLI or Mondoo's MCP tools.
Two-tier knowledge system:
Located within this skill directory:
| File | Purpose |
|---|---|
| mql-reference.md | Complete MQL syntax and patterns |
| samples/general.md | General MQL patterns |
| samples/aws.md | AWS resource patterns |
| samples/azure.md | Azure resource patterns |
| samples/linux.md | Linux system patterns |
| samples/windows.md | Windows system patterns |
| samples/ms365.md | Microsoft 365 patterns |
Two equivalent interfaces are available for real-time schema lookup and query validation. Use whichever is available in your environment — they provide the same data.
The cnspec CLI provides structured JSON output for all schema operations. No MCP server required.
cnspec providers list --json
Returns an array of providers with name, version, and connectors:
[
{"name": "aws", "version": "13.6.2", "connectors": ["aws"]},
{"name": "os", "version": "13.8.1", "connectors": ["local", "ssh", "docker"]}
]
cnspec providers info aws --json
cnspec providers info aws azure --json # multiple providers
Returns connector details including available flags for each connection type.
cnspec providers resources aws --json
Returns all resources with name, title, and field count:
{
"provider": "aws",
"total_resources": 111,
"resources": [
{"name": "aws.ec2.instance", "title": "Amazon EC2 Instance", "field_count": 52}
]
}
cnspec providers resources aws aws.ec2.instance --json
Returns all fields with types and descriptions:
{
"name": "aws.ec2.instance",
"title": "Amazon EC2 Instance",
"fields": [
{"name": "arn", "type": "string", "title": "Amazon Resource Name"},
{"name": "tags", "type": "map[string]string", "title": "Instance tags"}
]
}
# Full compilation check — fails with exit 1 on invalid resources/fields
cnspec run local -c "asset.name" --ast
# Lexical parse only — checks syntax, NOT resource/field validity
cnspec run local -c "asset.name" --parse
Important: --parse accepts syntactically valid but semantically wrong queries (e.g., invalid.bogus.thing parses with exit 0). Use --ast to catch invalid resource or field names.
cnspec run local -c "users { name uid }" --json
# Lint a policy bundle with structured SARIF output
cnspec policy lint policy.mql.yaml -o sarif
# Format a policy bundle to standard style (modifies file in place)
cnspec policy format policy.mql.yaml
# Sort and format a policy bundle
cnspec policy format policy.mql.yaml --sort
# Generate an example policy bundle scaffold
cnspec policy init example.mql.yaml
If the Mondoo MCP server is available, you can use these tools instead of the CLI.
| MCP Tool | CLI Equivalent |
|---|---|
mcp__mondoo-mcp-http__mql-schema-providers | cnspec providers list --json |
mcp__mondoo-mcp-http__mql-schema-overview | cnspec providers resources <provider> --json |
mcp__mondoo-mcp-http__mql-schema-resource | cnspec providers resources <provider> <resource> --json |
mcp__mondoo-mcp-http__mql-schema-suggestion | No CLI equivalent (use LSP) |
mcp__mondoo-mcp-http__mql-compiler | cnspec run local -c "query" --ast |
mcp__mondoo-mcp-http__mql-bundle-lint | cnspec policy lint file.mql.yaml -o sarif |
mcp__mondoo-mcp-http__mql-bundle-format | cnspec policy format file.mql.yaml |
mcp__mondoo-mcp-http__mql-policy-bundle | cnspec policy init file.mql.yaml |
| Need | Best Option |
|---|---|
| MQL syntax patterns | mql-reference.md |
| Platform-specific examples | samples/*.md |
| Resource availability check | cnspec providers resources <provider> --json |
| Field types and descriptions | cnspec providers resources <provider> <resource> --json |
| Query compilation validation | cnspec run local -c "query" --ast |
| Policy structure validation | cnspec policy lint file.mql.yaml -o sarif |
# Basic resource access
resource.property == value
# Filtering
resources.where(condition).all(assertion)
# Data blocks
resource {
property1
property2 == expected_value
}
# Variables
v = 23
value = null
# Regular expression matching (NOT =~)
string == /pattern/
# Empty checks
value == empty
value != empty
# All entries must match
array.all(condition)
# At least one entry matches
array.contains(condition)
# No entries match
array.none(condition)
# Exactly one entry matches
array.one(condition)
# Filter entries
array.where(condition)
# Current item reference
array.where(_.contains("pattern"))
# File permissions
file("/etc/passwd").permissions {
user_readable == true
user_writeable == true
group_readable == true
other_readable == true
}
# Service status
service("ssh").running == true
service("telnet").enabled == false
# Package check
package("nginx").installed == true
# Kernel parameters
kernel.parameters['net.ipv4.ip_forward'] == 0
# Platform detection
asset.platform == "ubuntu"
asset.family.contains("linux")
# Don't use =~ for regex
string =~ /pattern/ # Bad
string == /pattern/ # Good
# Don't use deprecated platform
platform == "ubuntu" # Bad
asset.platform == "ubuntu" # Good
# Don't nest .where() clauses
events.where(parameters.where(_['name'] == "NEW_VALUE")) # Bad
events.where(parameters.any(_['name'] == "NEW_VALUE")) # Good
# Always handle null values
users.all(shell == "/bin/bash") # Bad
users.where(shell != null).all(shell == "/bin/bash") # Good
cnspec providers resources <provider> --jsonsamples/*.mdmql-reference.mdcnspec run local -c "query" --ast to verify syntaxcnspec run against target systemsaws.* resourcessamples/aws.md for IAM, EC2, S3 patternscnspec providers resources aws --jsonazure.subscription.* resourcessamples/azure.md for VM, storage, security patternsfile, service, package, users, kernel resourcessamples/linux.md for common patternsregistrykey, secpol, auditpol, windows resourcessamples/windows.md for registry and policy patternsmicrosoft.* resourcessamples/ms365.md for domain patterns