Find where software is deployed across GitHub, AWS, GCP, Azure, and CrowdStrike using a common query language (CPE, PURL, or vendor/product/version).
# Core package (no cloud provider SDKs)
pip install assetquery
# With specific provider extras
pip install "assetquery[aws,github]"
# All providers
pip install "assetquery[all]"
# Or install as a CLI tool with uv / pipx
uv tool install "assetquery[all]"
pipx install "assetquery[all]"# 1. Copy the example config
cp config.example.yaml ~/.mallory/assetquery/config.yaml
# 2. Enable the providers you need and add credentials (see Providers below)
# 3. Check provider health
assetquery providers
# 4. List all assets
assetquery list
# 5. Find where a library is deployed
assetquery find "pkg:pypi/requests@2.28.0"# List everything from all enabled providers
assetquery list
# List from a specific provider
assetquery list --provider aws_resource_explorer
# List from multiple providers
assetquery list --provider aws_inspector,aws_security_hub
# Output as JSON
assetquery list --output json
# Verbose mode (debug output to stderr)
assetquery list -v# Find by CPE
assetquery find "cpe:2.3:a:apache:log4j:2.14.0:*:*:*:*:*:*:*"
# Find by PURL
assetquery find "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.0"
# Find by vendor/product/version
assetquery find --vendor apache --product log4j --version 2.14.0
# Query specific providers only
assetquery find --provider github_dependabot,aws_inspector "pkg:pypi/requests@2.28.0"
# Batch from file (one CPE or PURL per line)
assetquery find --file targets.txt --output csvassetquery list --provider github_dep_graph --repo malloryai/webassetquery providersAll commands support --output (-o): table (default), json, jsonl, csv.
assetquery supports 11 providers across 5 platforms. Each provider has its own authentication and configuration — see the linked docs for details.
| Provider | What it queries | Docs |
|---|---|---|
github_dependabot |
Dependabot vulnerability alerts | docs/providers/github_dependabot.md |
github_dep_graph |
Dependency graph SBOMs | docs/providers/github_dep_graph.md |
Auth: GITHUB_TOKEN or gh auth login
| Provider | What it queries | Docs |
|---|---|---|
aws_inspector |
Inspector vulnerability findings | docs/providers/aws_inspector.md |
aws_security_hub |
Security Hub aggregated findings | docs/providers/aws_security_hub.md |
aws_resource_explorer |
Resource inventory (all services) | docs/providers/aws_resource_explorer.md |
Auth: AWS SDK credential chain (AWS_PROFILE, ~/.aws/credentials, env vars, IAM role)
| Provider | What it queries | Docs |
|---|---|---|
gcp_scc |
Security Command Center findings | docs/providers/gcp_scc.md |
gcp_cai |
Cloud Asset Inventory (resources) | docs/providers/gcp_cai.md |
Auth: Application Default Credentials (gcloud auth application-default login, GOOGLE_APPLICATION_CREDENTIALS)
| Provider | What it queries | Docs |
|---|---|---|
azure_resource_graph |
Resource Graph (resource inventory) | docs/providers/azure_resource_graph.md |
azure_defender |
Defender for Cloud assessments | docs/providers/azure_defender.md |
Auth: Azure SDK credential chain (az login, service principal env vars, managed identity)
| Provider | What it queries | Docs |
|---|---|---|
crowdstrike_spotlight |
Falcon Spotlight vulnerabilities | docs/providers/crowdstrike_spotlight.md |
Auth: CROWDSTRIKE_CLIENT_ID + CROWDSTRIKE_CLIENT_SECRET
| Provider | What it queries | Docs |
|---|---|---|
spektion |
Endpoint software inventory | docs/providers/spektion.md |
Auth: SPEKTION_API_KEY
Config file: ~/.mallory/assetquery/config.yaml
See config.example.yaml for a complete example with all providers.
Providers use ambient credentials where possible — API keys and secrets stay in your environment, not the config file.