policy-graph

name: policy-graph description: Navigates cnspec policy/framework bundles using graph commands. Use when exploring policies, finding checks, tracing compliance mappings, or understanding policy structure. allowed-tools: Bash Read Glob Grep

cnspec Policy Graph Navigation

Navigate and understand cnspec policy bundles (.mql.yaml files) using structured graph commands.

When to Use

• Exploring policy bundle structure ("what checks does this policy have?")
• Finding compliance mappings ("which framework controls map to this check?")
• Tracing relationships ("how does this framework relate to that check?")
• Understanding large bundles (10K+ line .mql.yaml files)
• Getting context for a specific check with its MQL code, impact, and docs

When NOT to Use

• Scanning assets with cnspec (cnspec scan)
• Writing MQL queries
• Linting bundles (cnspec policy lint)
• Editing policy YAML directly (use the Read/Edit tools for that)

Commands Reference

All commands support --json for structured output. Search also supports --kind, --tag, --impact, and --limit.

Graph Concepts

Node Types

• policy: A security policy (e.g., mondoo-linux-security)
• group: A group of checks within a policy (e.g., "SSH Configuration")
• check: A scoring query with MQL code and impact rating
• query: A data-only query (no scoring)
• framework: A compliance framework (e.g., CIS Benchmark, ISO 27001)
• control: A control within a framework (e.g., CIS 5.2.1)
• framework_map: Maps framework controls to policy checks

Edge Types

• contains: Structural parent-child (policy → group → check, framework → control)
• maps_to: Compliance mapping (control → check/policy via framework_map)
• depends_on: Policy/framework dependencies
• variant_of: Check variant relationship (parent → platform-specific variant)