Skill

policy-graph

Navigates cnspec policy/framework bundles with graph commands to explore policies, find checks, trace compliance mappings, and understand policy structure.

security

Popularity

Stars

429

Forks

Invocation

How this skill is triggered — by the user, by Claude, or both

Slash command

/cnspec-skills:policy-graph

User invocable

Model invocable

Inline context

Default effort

Tool Access

This skill is limited to the following tools:

BashReadGlobGrep

Context Preview

The summary Claude sees in its skill listing — used to decide when to auto-load this skill

Navigate and understand cnspec policy bundles (`.mql.yaml` files) using structured graph commands.

Supporting Files

README.mdcommands/policy-graph.mdreferences/graph-commands.mdreferences/navigation-patterns.md

SKILL.md

58 lines · ~640 tokens

Stats

LanguageGo

Stars429

Forks38

MaintenanceExcellent

Last CommitJun 18, 2026

Actions

View Source View Plugin View on GitHub View README

cnspec Policy Graph Navigation

Navigate and understand cnspec policy bundles (.mql.yaml files) using structured graph commands.

When to Use

Exploring policy bundle structure ("what checks does this policy have?")
Finding compliance mappings ("which framework controls map to this check?")
Tracing relationships ("how does this framework relate to that check?")
Understanding large bundles (10K+ line .mql.yaml files)
Getting context for a specific check with its MQL code, impact, and docs

When NOT to Use

Scanning assets with cnspec (cnspec scan)
Writing MQL queries
Linting bundles (cnspec policy lint)
Editing policy YAML directly (use the Read/Edit tools for that)

Commands Reference

Command	Purpose
`cnspec policy graph search <query> <path>`	Find nodes by name, title, or UID
`cnspec policy graph callers <uid> <path>`	What references this node (inbound edges)
`cnspec policy graph callees <uid> <path>`	What this node contains/references (outbound edges)
`cnspec policy graph context <uid> <path> [--depth N]`	LLM-friendly context with YAML snippets
`cnspec policy graph paths <from> <to> <path>`	Find paths between two nodes
`cnspec policy graph reachable <uid> <path>`	All nodes transitively reachable
`cnspec policy graph export <path> [--format json\|dot]`	Export full graph

All commands support --json for structured output. Search also supports --kind, --tag, --impact, and --limit.

Graph Concepts

Node Types

policy: A security policy (e.g., mondoo-linux-security)
group: A group of checks within a policy (e.g., "SSH Configuration")
check: A scoring query with MQL code and impact rating
query: A data-only query (no scoring)
framework: A compliance framework (e.g., CIS Benchmark, ISO 27001)
control: A control within a framework (e.g., CIS 5.2.1)
framework_map: Maps framework controls to policy checks

Edge Types

contains: Structural parent-child (policy → group → check, framework → control)
maps_to: Compliance mapping (control → check/policy via framework_map)
depends_on: Policy/framework dependencies
variant_of: Check variant relationship (parent → platform-specific variant)

policy-graph

Popularity

Invocation

Tool Access

Context Preview

Supporting Files

SKILL.md

policy-graph

Popularity

Invocation

Tool Access

Context Preview

Supporting Files

SKILL.md

cnspec Policy Graph Navigation

When to Use

When NOT to Use

Commands Reference

Graph Concepts

Node Types

Edge Types

Similar Skills

cnspec Policy Graph Navigation

When to Use

When NOT to Use

Commands Reference

Graph Concepts

Node Types

Edge Types

Similar Skills