Asset query utility — find where software is deployed across GitHub, AWS, GCP, Azure, CrowdStrike, etc using CPE, PURL, or vendor/product/version.

Project description

assetquery – Asset Query Utility

Find where software is deployed across GitHub, AWS, GCP, Azure, and CrowdStrike using a common query language (CPE, PURL, or vendor/product/version).

Install

# Core package (no cloud provider SDKs)
pip install assetquery

# With specific provider extras
pip install "assetquery[aws,github]"

# All providers
pip install "assetquery[all]"

# Or install as a CLI tool with uv / pipx
uv tool install "assetquery[all]"
pipx install "assetquery[all]"

Quick start

# 1. Copy the example config (create the config directory first)
mkdir -p ~/.mallory/assetquery
cp config.example.yaml ~/.mallory/assetquery/config.yaml

# 2. Enable the providers you need and add credentials (see Providers below)

# 3. Check provider health
assetquery providers

# 4. List all assets
assetquery list

# 5. Find where a library is deployed
assetquery find "pkg:pypi/requests@2.28.0"

Usage

Listing assets

# List everything from all enabled providers
assetquery list

# List from a specific provider
assetquery list --provider aws_resource_explorer

# List from multiple providers
assetquery list --provider aws_inspector,aws_security_hub

# Output as JSON
assetquery list --output json

# Verbose mode (debug output to stderr)
assetquery list -v

Finding specific software

# Find by CPE
assetquery find "cpe:2.3:a:apache:log4j:2.14.0:*:*:*:*:*:*:*"

# Find by PURL
assetquery find "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.0"

# Find by vendor/product/version
assetquery find --vendor apache --product log4j --version 2.14.0

# Query specific providers only
assetquery find --provider github_dependabot,aws_inspector "pkg:pypi/requests@2.28.0"

# Batch from file (one CPE or PURL per line)
assetquery find --file targets.txt --output csv
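
A batch file that mixes CPE and PURL lines is easy to get subtly wrong (a truncated CPE, a free-text product name), and a malformed target can read as "nothing deployed". The following pre-flight check is an added example, not code from assetquery; the function names are hypothetical, skipping blank lines is an assumption, and the parsing follows the CPE 2.3 formatted-string and package-URL layouts rather than whatever assetquery does internally.

```python
import re
from urllib.parse import unquote

_CPE_SEP = re.compile(r"(?<!\\):")  # a ':' that is not backslash-escaped

def parse_cpe23(text):
    """Split a CPE 2.3 formatted string and return its vendor/product/version."""
    fields = _CPE_SEP.split(text)
    if len(fields) != 13 or fields[:2] != ["cpe", "2.3"]:
        raise ValueError("expected 'cpe:2.3:' followed by 11 attributes")
    part, vendor, product, version = fields[2:6]
    if part not in ("a", "o", "h", "*", "-"):
        raise ValueError(f"invalid CPE part {part!r}")
    return {"kind": "cpe", "vendor": vendor, "product": product, "version": version}

def parse_purl(text):
    """Split a package URL into type, namespace, name and version."""
    core = text.split("#", 1)[0].split("?", 1)[0]  # drop subpath and qualifiers
    match = re.fullmatch(r"pkg:/*([A-Za-z][A-Za-z0-9.+-]*)/(.+)", core)
    if not match:
        raise ValueError("not a PURL of the form pkg:<type>/<name>[@<version>]")
    ptype, path = match.groups()
    path, at, version = path.rpartition("@")  # version follows the last '@'
    if not at:  # no '@': rpartition put the whole path in the last slot
        path, version = version, ""
    segments = [unquote(seg) for seg in path.split("/") if seg]
    if not segments:
        raise ValueError("PURL has no package name")
    return {"kind": "purl", "type": ptype.lower(), "name": segments[-1],
            "namespace": "/".join(segments[:-1]) or None, "version": unquote(version) or None}

def check_targets(lines):
    """Added illustration, not assetquery's parser. Returns (parsed, errors)."""
    parsed, errors = [], []
    for number, raw in enumerate(lines, start=1):
        line = raw.strip()
        if not line:  # assumption: blank lines are skipped
            continue
        parser = parse_cpe23 if line.startswith("cpe:") else parse_purl
        try:
            parsed.append(parser(line))
        except ValueError as exc:
            errors.append((number, line, str(exc)))  # (line_number, text, reason)
    return parsed, errors

# Constructed sample standing in for the lines of targets.txt
SAMPLE = ["cpe:2.3:a:apache:log4j:2.14.0:*:*:*:*:*:*:*", "pkg:pypi/requests@2.28.0",
          "pkg:npm/%40angular/core@12.0.0?arch=x64", "",
          "cpe:2.3:a:apache:log4j:2.14.0", "log4j 2.14.0"]
```

Run `check_targets(open("targets.txt"))` before a batch query and fix every reported line; an entry whose `version` is `None` or `*` will match every version of that package.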

Listing a single repo's SBOM

assetquery list --provider github_dep_graph --repo malloryai/web

Checking provider health

assetquery providers

Output formats

All commands support --output (-o): table (default), json, jsonl, csv.

Providers

assetquery supports 11 providers across 5 platforms. Each provider has its own authentication and configuration — see the linked docs for details.

GitHub

Provider           What it queries                  Docs
github_dependabot  Dependabot vulnerability alerts  docs/providers/github_dependabot.md
github_dep_graph   Dependency graph SBOMs           docs/providers/github_dep_graph.md

Auth: GITHUB_TOKEN or gh auth login

AWS

Provider               What it queries                    Docs
aws_inspector          Inspector vulnerability findings   docs/providers/aws_inspector.md
aws_security_hub       Security Hub aggregated findings   docs/providers/aws_security_hub.md
aws_resource_explorer  Resource inventory (all services)  docs/providers/aws_resource_explorer.md

Auth: AWS SDK credential chain (AWS_PROFILE, ~/.aws/credentials, env vars, IAM role)

GCP

Provider  What it queries                    Docs
gcp_scc   Security Command Center findings   docs/providers/gcp_scc.md
gcp_cai   Cloud Asset Inventory (resources)  docs/providers/gcp_cai.md

Auth: Application Default Credentials (gcloud auth application-default login, GOOGLE_APPLICATION_CREDENTIALS)

Azure

Provider              What it queries                      Docs
azure_resource_graph  Resource Graph (resource inventory)  docs/providers/azure_resource_graph.md
azure_defender        Defender for Cloud assessments       docs/providers/azure_defender.md

Auth: Azure SDK credential chain (az login, service principal env vars, managed identity)

CrowdStrike

Provider               What it queries                   Docs
crowdstrike_spotlight  Falcon Spotlight vulnerabilities  docs/providers/crowdstrike_spotlight.md

Auth: CROWDSTRIKE_CLIENT_ID + CROWDSTRIKE_CLIENT_SECRET

Spektion

Provider  What it queries              Docs
spektion  Endpoint software inventory  docs/providers/spektion.md

Auth: SPEKTION_API_KEY

Configuration

Config file: ~/.mallory/assetquery/config.yaml

See config.example.yaml for a complete example with all providers.

Providers use ambient credentials where possible — API keys and secrets stay in your environment, not the config file.

Download files

Source Distribution

assetquery-0.1.2.tar.gz (56.0 kB)

Uploaded Source

Built Distribution

assetquery-0.1.2-py3-none-any.whl (73.9 kB)

Uploaded Python 3

File details

Details for the file assetquery-0.1.2.tar.gz.

File metadata

  • Download URL: assetquery-0.1.2.tar.gz
  • Upload date:
  • Size: 56.0 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for assetquery-0.1.2.tar.gz
Algorithm Hash digest
SHA256 9fef241546bf95e9965017f943455180f12afc5756516623234f2767a8e0012e
MD5 1cb50fec104dc9a8f410b81097cc60eb
BLAKE2b-256 6072d1e44fca329fd6d10258833456d8a0359d714facee5fda686eecf9ebae92

Provenance

The following attestation bundles were made for assetquery-0.1.2.tar.gz:

Publisher: publish.yml on malloryai/assetquery

File details

Details for the file assetquery-0.1.2-py3-none-any.whl.

File metadata

  • Download URL: assetquery-0.1.2-py3-none-any.whl
  • Upload date:
  • Size: 73.9 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for assetquery-0.1.2-py3-none-any.whl
Algorithm Hash digest
SHA256 ab834bb3f03e19ca3fcaa70817db2255e3c3af2722404cfa4b96e118414a3f8c
MD5 b15f7a6d48b872d90e98016defdd7ba4
BLAKE2b-256 7afa1e16d4a15cf2e9073996f04b6e925a58f296114e2c2e3c90a2f098ed3aca

Provenance

The following attestation bundles were made for assetquery-0.1.2-py3-none-any.whl:

Publisher: publish.yml on malloryai/assetquery
