Asset query utility — find where software is deployed across GitHub, AWS, GCP, Azure, CrowdStrike, etc., using CPE, PURL, or vendor/product/version.
Project description
assetquery – Asset Query Utility
Find where software is deployed across GitHub, AWS, GCP, Azure, and CrowdStrike using a common query language (CPE, PURL, or vendor/product/version).
Install
# Core package (no cloud provider SDKs)
pip install assetquery
# With specific provider extras
pip install "assetquery[aws,github]"
# All providers
pip install "assetquery[all]"
# Or install as a CLI tool with uv / pipx
uv tool install "assetquery[all]"
pipx install "assetquery[all]"
Quick start
# 1. Copy the example config (create the config directory first)
mkdir -p ~/.mallory/assetquery
cp config.example.yaml ~/.mallory/assetquery/config.yaml
# 2. Enable the providers you need and add credentials (see Providers below)
# 3. Check provider health
assetquery providers
# 4. List all assets
assetquery list
# 5. Find where a library is deployed
assetquery find "pkg:pypi/requests@2.28.0"
Usage
Listing assets
# List everything from all enabled providers
assetquery list
# List from a specific provider
assetquery list --provider aws_resource_explorer
# List from multiple providers
assetquery list --provider aws_inspector,aws_security_hub
# Output as JSON
assetquery list --output json
# Verbose mode (debug output to stderr)
assetquery list -v
Finding specific software
# Find by CPE
assetquery find "cpe:2.3:a:apache:log4j:2.14.0:*:*:*:*:*:*:*"
# Find by PURL
assetquery find "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.0"
# Find by vendor/product/version
assetquery find --vendor apache --product log4j --version 2.14.0
# Query specific providers only
assetquery find --provider github_dependabot,aws_inspector "pkg:pypi/requests@2.28.0"
# Batch from file (one CPE or PURL per line)
assetquery find --file targets.txt --output csv
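A pre-flight check for a `targets.txt` batch file, as an added example that is not part of assetquery: it parses each line as a CPE 2.3 string or a PURL and returns the normalized fields, so malformed identifiers are caught before a query is run. The function names and sample lines are assumptions made for this illustration; how assetquery itself parses or rejects input is not shown on this page.

```python
import re
from urllib.parse import unquote

def parse_cpe23(s):
    """Return (vendor, product, version) from a CPE 2.3 formatted string."""
    fields = re.findall(r"(?:[^:\\]|\\.)+", s)  # split on ':' but not on escaped '\:'
    if ":".join(fields) != s or len(fields) != 13 or fields[:2] != ["cpe", "2.3"]:
        raise ValueError("expected 'cpe:2.3:' followed by 11 non-empty fields")
    if fields[2] not in ("a", "o", "h", "*", "-"):
        raise ValueError(f"invalid CPE part {fields[2]!r}")
    return tuple(re.sub(r"\\(.)", r"\1", f) for f in fields[3:6])

def parse_purl(s):
    """Return (type, namespace, name, version) from a Package URL."""
    path = s[4:].split("#", 1)[0].split("?", 1)[0].strip("/")  # drop subpath, qualifiers
    ptype, _, rest = path.partition("/")
    namespace, _, last = rest.rpartition("/")
    name, at, version = last.partition("@")  # '@' splits a version only in the last segment
    if not s.startswith("pkg:") or not ptype or not name or (at and not version):
        raise ValueError("PURL needs 'pkg:', a type, a name and no empty version")
    return ptype.lower(), unquote(namespace) or None, unquote(name), unquote(version) if at else None

def check_targets(lines):
    """Parse every non-blank line; return (parsed, errors), both keyed by line number."""
    parsed, errors = {}, {}
    for n, line in enumerate(lines, 1):
        line = line.strip()
        try:
            if line.startswith("cpe:"):
                parsed[n] = ("cpe",) + parse_cpe23(line)
            elif line.startswith("pkg:"):
                parsed[n] = ("purl",) + parse_purl(line)
            elif line:
                raise ValueError("neither a CPE 2.3 string nor a PURL")
        except ValueError as exc:
            errors[n] = str(exc)
    return parsed, errors

# Constructed sample of a targets.txt; the last two lines are deliberately malformed.
SAMPLE = [
    "cpe:2.3:a:apache:log4j:2.14.0:*:*:*:*:*:*:*",
    "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.0",
    "pkg:pypi/requests@2.28.0",
    "cpe:/a:apache:log4j:2.14.0",
    "apache log4j 2.14.0",
]

if __name__ == "__main__":
    print(*check_targets(SAMPLE), sep="\n")
```

The fourth sample line is the older CPE 2.2 URI form, which this check rejects because it is not a CPE 2.3 formatted string.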
Listing a single repo's SBOM
assetquery list --provider github_dep_graph --repo malloryai/web
Checking provider health
assetquery providers
Output formats
All commands support --output (-o): table (default), json, jsonl, csv.
Providers
assetquery supports 11 providers across 5 platforms. Each provider has its own authentication and configuration — see the linked docs for details.
GitHub
| Provider | What it queries | Docs |
|---|---|---|
| github_dependabot | Dependabot vulnerability alerts | docs/providers/github_dependabot.md |
| github_dep_graph | Dependency graph SBOMs | docs/providers/github_dep_graph.md |
Auth: GITHUB_TOKEN or gh auth login
AWS
| Provider | What it queries | Docs |
|---|---|---|
| aws_inspector | Inspector vulnerability findings | docs/providers/aws_inspector.md |
| aws_security_hub | Security Hub aggregated findings | docs/providers/aws_security_hub.md |
| aws_resource_explorer | Resource inventory (all services) | docs/providers/aws_resource_explorer.md |
Auth: AWS SDK credential chain (AWS_PROFILE, ~/.aws/credentials, env vars, IAM role)
GCP
| Provider | What it queries | Docs |
|---|---|---|
| gcp_scc | Security Command Center findings | docs/providers/gcp_scc.md |
| gcp_cai | Cloud Asset Inventory (resources) | docs/providers/gcp_cai.md |
Auth: Application Default Credentials (gcloud auth application-default login, GOOGLE_APPLICATION_CREDENTIALS)
Azure
| Provider | What it queries | Docs |
|---|---|---|
| azure_resource_graph | Resource Graph (resource inventory) | docs/providers/azure_resource_graph.md |
| azure_defender | Defender for Cloud assessments | docs/providers/azure_defender.md |
Auth: Azure SDK credential chain (az login, service principal env vars, managed identity)
CrowdStrike
| Provider | What it queries | Docs |
|---|---|---|
| crowdstrike_spotlight | Falcon Spotlight vulnerabilities | docs/providers/crowdstrike_spotlight.md |
Auth: CROWDSTRIKE_CLIENT_ID + CROWDSTRIKE_CLIENT_SECRET
Spektion
| Provider | What it queries | Docs |
|---|---|---|
| spektion | Endpoint software inventory | docs/providers/spektion.md |
Auth: SPEKTION_API_KEY
Configuration
Config file: ~/.mallory/assetquery/config.yaml
See config.example.yaml for a complete example with all providers.
Providers use ambient credentials where possible — API keys and secrets stay in your environment, not the config file.
File details
Details for the file assetquery-0.1.0.tar.gz.
File metadata
- Download URL: assetquery-0.1.0.tar.gz
- Upload date:
- Size: 54.7 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.5.13
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 509cb89e4b8c717a7a4f98948d220a7a15da0f5ba648b466010385ae213148f7 |
| MD5 | 9c71b2dcc7054a4c79bdb1f68b9e9a93 |
| BLAKE2b-256 | ac3a6495cf7954dd19a484d97a1964c72ade46e355868c98f4cc00944b8d7cfe |
File details
Details for the file assetquery-0.1.0-py3-none-any.whl.
File metadata
- Download URL: assetquery-0.1.0-py3-none-any.whl
- Upload date:
- Size: 73.0 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.5.13
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | a903e7ecbdbd43222648cb426659cbb3c2e9923f41c28e400f5a20738d5feaf6 |
| MD5 | f939552ed4ac2fd65e9661844a80a013 |
| BLAKE2b-256 | 00845397bbc727ef8b33bf1b335e6d29ef70f1f2bdf94c6a06df631db214c044 |