⭐ Add jamf provider

Adds a new Jamf Pro provider to mql, enabling queries against
Jamf-managed infrastructure via the Jamf Pro API. Authentication
uses OAuth2 client credentials (flags or JAMF_CLIENT_ID /
JAMF_CLIENT_SECRET / JAMF_INSTANCE_DOMAIN env vars).

Resources:
- jamf — root, exposes computerInventory, computerInventoryCount,
  packages, sso, version, users, computerGroups
- jamf.computer — computer inventory record (hardware, OS, security
  posture, enrollment state, local user accounts)
- jamf.computer.localUserAccount — local user account on a managed Mac
- jamf.package — software package definition
- jamf.ssoSettings — SSO configuration (singleton)
- jamf.computerGroup — smart or static computer group
- jamf.user — Jamf user directory entry
- jamf.userByName — lookup a Jamf user by username via init()

Also bumps go-git/v5 transitively in the jamf module to address
GHSA-3xc5-wrhm-f963, and fixes a stale cnquery/v9 reference in the
mql scan command output.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: tas50

.github/actions/spelling/expect.txt

@@ -279,6 +279,7 @@ ipsetreferencestatement
 isos
 issuewild
 istio
+itunes
 ixgbe
 jamf
 JFi
@@ -535,6 +536,7 @@ secureboot
 selfservice
 sentinelone
 serde
+SInstall
 serviceconnection
 servicedesk
 serviceprincipals

CLAUDE.md

@@ -518,6 +518,7 @@ for {
   - ✗ `{platformVersion}` single-scalar config — flatten to `fargatePlatformVersion` on parent
   - ✗ `{hostPath, containerPath, permissions}` device / `{containerPath, size, mountOptions}` tmpfs — use `[]dict`
 - Every resource and field has an explicit entry in `.lr.versions`. New entries must use the **next patch version** after the provider's current version (e.g., if the provider is at `13.1.1`, new fields should be `13.1.2`). The provider's current version is in `providers/<name>/config/config.go` (look for the `Version` field). Do **not** rely on the highest version in `.lr.versions` — it may be stale from before a major version bump. The `versions` command does this automatically, but verify the result. Existing entries are never overwritten.
+  - **Exception — brand-new, unreleased provider:** if the provider is being introduced in this PR (its `config.go` `Version` has not shipped yet), every entry in `.lr.versions` is part of the initial release and should equal that version — not `version + 1`. The "next patch" rule applies only to fields added *after* a version has shipped. For example, a new provider at `13.0.0` has all entries at `13.0.0`; a subsequent PR that adds a field bumps that one entry to `13.0.1`.
 - **Match SDK types faithfully:** If an SDK field is `*bool`, use `bool` in `.lr` and `llx.BoolDataPtr()` in Go — don't cast it to `string`. If an SDK enum has only two states (Enabled/Disabled), prefer `bool`. Use `*type` intermediate variables with `llx.*DataPtr` helpers to preserve nil semantics.
 - **Consistency with existing fields:** Before adding new fields to a resource, check how its existing fields handle pointers, nil checks, and type conversions. Follow the same pattern.
 - **Verify enum values in `.lr` comments:** When listing possible values in field comments, check the SDK/API docs for completeness — don't assume the set is closed.

Makefile

@@ -217,6 +217,7 @@ PROVIDERS := \
 	hetzner \
 	ipinfo \
 	ipmi \
+	jamf \
 	k8s \
 	kustomize \
 	mondoo \

providers/defaults.go

@@ -351,6 +351,21 @@ var DefaultProviders Providers = map[string]*Provider{
 		},
 	},
 
+	"jamf": {
+		Provider: &plugin.Provider{
+			Name:            "jamf",
+			ID:              "go.mondoo.com/mql/providers/jamf",
+			ConnectionTypes: []string{"jamf"},
+			Connectors: []plugin.Connector{
+				{
+					Name:  "jamf",
+					Use:   "jamf",
+					Short: "a Jamf Pro instance",
+				},
+			},
+		},
+	},
+
 	"junos": {
 		Provider: &plugin.Provider{
 			Name:            "junos",

providers/jamf/config/config.go

@@ -0,0 +1,64 @@
+// Copyright Mondoo, Inc. 2024, 2026
+// SPDX-License-Identifier: BUSL-1.1
+
+package config
+
+import (
+	"go.mondoo.com/mql/v13/providers-sdk/v1/inventory"
+	"go.mondoo.com/mql/v13/providers-sdk/v1/plugin"
+	"go.mondoo.com/mql/v13/providers/jamf/provider"
+)
+
+var Config = plugin.Provider{
+	Name:            "jamf",
+	ID:              "go.mondoo.com/mql/providers/jamf",
+	Version:         "13.0.0",
+	ConnectionTypes: []string{provider.ConnectionType},
+	Connectors: []plugin.Connector{
+		{
+			Name:  "jamf",
+			Use:   "jamf",
+			Short: "a Jamf Pro account",
+			Long: `Use the Jamf provider to query a Jamf Pro instance.
+
+To access the Jamf Pro API, you need your instance domain and API credentials.
+
+Examples:
+  mql shell jamf --client-id <your-client-id> --client-secret <your-client-secret> --instance-domain https://yourdomain.jamfcloud.com
+  cnspec scan jamf --client-id <your-client-id> --client-secret <your-client-secret> --instance-domain https://yourdomain.jamfcloud.com
+`,
+			Flags: []plugin.Flag{
+				{
+					Long:    "client-id",
+					Type:    plugin.FlagType_String,
+					Default: "",
+					Desc:    "Jamf Pro API client ID",
+				},
+				{
+					Long:        "client-secret",
+					Type:        plugin.FlagType_String,
+					Default:     "",
+					Desc:        "Jamf Pro API client secret",
+					Option:      plugin.FlagOption_Password,
+					ConfigEntry: "-",
+				},
+				{
+					Long:    "instance-domain",
+					Type:    plugin.FlagType_String,
+					Default: "",
+					Desc:    "Jamf Pro domain (e.g., https://yourdomain.jamfcloud.com)",
+				},
+			},
+		},
+	},
+	AssetUrlTrees: []*inventory.AssetUrlBranch{
+		{
+			PathSegments: []string{"technology=saas", "provider=jamf"},
+			Key:          "kind",
+			Title:        "Kind",
+			Values: map[string]*inventory.AssetUrlBranch{
+				"api": nil,
+			},
+		},
+	},
+}

providers/jamf/connection/connection.go

@@ -0,0 +1,121 @@
+// Copyright Mondoo, Inc. 2024, 2026
+// SPDX-License-Identifier: BUSL-1.1
+
+package connection
+
+import (
+	"errors"
+	"strings"
+	"sync"
+
+	"github.com/deploymenttheory/go-api-sdk-jamfpro/sdk/jamfpro"
+	"github.com/rs/zerolog/log"
+	"go.mondoo.com/mql/v13/providers-sdk/v1/inventory"
+	"go.mondoo.com/mql/v13/providers-sdk/v1/plugin"
+	"go.mondoo.com/mql/v13/providers-sdk/v1/vault"
+)
+
+type JamfConnection struct {
+	plugin.Connection
+	Conf   *inventory.Config
+	asset  *inventory.Asset
+	Client *jamfpro.Client
+
+	// localUserAccounts caches per-computer local user accounts from the
+	// initial inventory fetch, keyed by computer ID. This avoids N+1 API
+	// calls when iterating computerInventory then accessing localUserAccounts.
+	localUserAccountsMu sync.RWMutex
+	localUserAccounts   map[string][]jamfpro.ComputerInventorySubsetLocalUserAccount
+}
+
+func NewJamfConnection(id uint32, asset *inventory.Asset, conf *inventory.Config) (*JamfConnection, error) {
+	conn := &JamfConnection{
+		Connection:        plugin.NewConnection(id, asset),
+		Conf:              conf,
+		asset:             asset,
+		localUserAccounts: make(map[string][]jamfpro.ComputerInventorySubsetLocalUserAccount),
+	}
+
+	// Extract credentials and options from conf
+	var clientID, clientSecret, instanceDomain string
+	for _, cred := range conf.Credentials {
+		if cred.Type == vault.CredentialType_password {
+			clientID = cred.User
+			clientSecret = string(cred.Secret)
+		}
+	}
+	if domain, ok := conf.Options["instance_domain"]; ok {
+		instanceDomain = domain
+	}
+
+	// Validate that all necessary credentials are provided
+	if instanceDomain == "" || clientID == "" || clientSecret == "" {
+		return nil, errors.New("missing required Jamf credentials: instance_domain, client_id, client_secret")
+	}
+
+	// Create the configuration container
+	config := &jamfpro.ConfigContainer{
+		LogLevel:       "warn",
+		InstanceDomain: instanceDomain,
+		AuthMethod:     "oauth2",
+		ClientID:       clientID,
+		ClientSecret:   clientSecret,
+	}
+
+	// Initialize the Jamf Pro client with the given configuration
+	client, err := jamfpro.BuildClient(config)
+	if err != nil {
+		return nil, err
+	}
+	conn.Client = client
+	log.Info().Msg("jamf> client initialized using BuildClient with ConfigContainer")
+
+	return conn, nil
+}
+
+func (j *JamfConnection) Name() string {
+	return "jamf"
+}
+
+func (j *JamfConnection) Asset() *inventory.Asset {
+	return j.asset
+}
+
+func (j *JamfConnection) PlatformInfo() (*inventory.Platform, error) {
+	return &inventory.Platform{
+		Name:                  "jamf",
+		Title:                 "Jamf Pro",
+		Family:                []string{"jamf"},
+		Kind:                  "api",
+		Runtime:               "jamf",
+		TechnologyUrlSegments: []string{"api", "jamf"},
+	}, nil
+}
+
+func (j *JamfConnection) Identifier() string {
+	domain := j.Conf.Options["instance_domain"]
+	if i := strings.Index(domain, "://"); i >= 0 {
+		domain = domain[i+3:]
+	}
+	if i := strings.IndexAny(domain, "/?#"); i >= 0 {
+		domain = domain[:i]
+	}
+	return "//platformid.api.mondoo.app/runtime/jamf/" + strings.ToLower(domain)
+}
+
+// CacheLocalUserAccounts stores local user accounts for a computer ID,
+// populated during the initial inventory fetch.
+func (j *JamfConnection) CacheLocalUserAccounts(computerID string, accounts []jamfpro.ComputerInventorySubsetLocalUserAccount) {
+	j.localUserAccountsMu.Lock()
+	defer j.localUserAccountsMu.Unlock()
+	j.localUserAccounts[computerID] = accounts
+}
+
+// GetCachedLocalUserAccounts retrieves cached local user accounts for a
+// computer ID. Returns nil, false if no cache entry exists.
+func (j *JamfConnection) GetCachedLocalUserAccounts(computerID string) ([]jamfpro.ComputerInventorySubsetLocalUserAccount, bool) {
+	j.localUserAccountsMu.RLock()
+	defer j.localUserAccountsMu.RUnlock()
+	accounts, ok := j.localUserAccounts[computerID]
+	return accounts, ok
+}

providers/jamf/connection/connection_test.go

@@ -0,0 +1,127 @@
+// Copyright Mondoo, Inc. 2024, 2026
+// SPDX-License-Identifier: BUSL-1.1
+
+package connection
+
+import (
+	"testing"
+
+	"github.com/deploymenttheory/go-api-sdk-jamfpro/sdk/jamfpro"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"go.mondoo.com/mql/v13/providers-sdk/v1/inventory"
+	"go.mondoo.com/mql/v13/providers-sdk/v1/vault"
+)
+
+func TestNewJamfConnection_MissingCredentials(t *testing.T) {
+	_, err := NewJamfConnection(0, &inventory.Asset{}, &inventory.Config{
+		Options: map[string]string{},
+	})
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "missing required Jamf credentials")
+}
+
+func TestNewJamfConnection_MissingDomain(t *testing.T) {
+	cred := &vault.Credential{
+		Type:   vault.CredentialType_password,
+		User:   "client-id",
+		Secret: []byte("client-secret"),
+	}
+	_, err := NewJamfConnection(0, &inventory.Asset{}, &inventory.Config{
+		Options:     map[string]string{},
+		Credentials: []*vault.Credential{cred},
+	})
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "missing required Jamf credentials")
+}
+
+func TestNewJamfConnection_MissingClientID(t *testing.T) {
+	_, err := NewJamfConnection(0, &inventory.Asset{}, &inventory.Config{
+		Options: map[string]string{
+			"instance_domain": "https://example.jamfcloud.com",
+		},
+	})
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "missing required Jamf credentials")
+}
+
+func TestJamfConnection_PlatformInfo(t *testing.T) {
+	conn := &JamfConnection{}
+	platform, err := conn.PlatformInfo()
+	require.NoError(t, err)
+	assert.Equal(t, "jamf", platform.Name)
+	assert.Equal(t, "Jamf Pro", platform.Title)
+	assert.Equal(t, "api", platform.Kind)
+	assert.Equal(t, "jamf", platform.Runtime)
+	assert.Equal(t, []string{"jamf"}, platform.Family)
+}
+
+func TestJamfConnection_Identifier(t *testing.T) {
+	conn := &JamfConnection{
+		Conf: &inventory.Config{
+			Options: map[string]string{
+				"instance_domain": "https://MyCompany.jamfcloud.com",
+			},
+		},
+	}
+	id := conn.Identifier()
+	assert.Equal(t, "//platformid.api.mondoo.app/runtime/jamf/mycompany.jamfcloud.com", id)
+}
+
+func TestJamfConnection_IdentifierBareHostname(t *testing.T) {
+	conn := &JamfConnection{
+		Conf: &inventory.Config{
+			Options: map[string]string{
+				"instance_domain": "MyCompany.jamfcloud.com",
+			},
+		},
+	}
+	id := conn.Identifier()
+	assert.Equal(t, "//platformid.api.mondoo.app/runtime/jamf/mycompany.jamfcloud.com", id)
+}
+
+func TestJamfConnection_IdentifierStripsPath(t *testing.T) {
+	conn := &JamfConnection{
+		Conf: &inventory.Config{
+			Options: map[string]string{
+				"instance_domain": "https://mycompany.jamfcloud.com/extra/path",
+			},
+		},
+	}
+	id := conn.Identifier()
+	assert.Equal(t, "//platformid.api.mondoo.app/runtime/jamf/mycompany.jamfcloud.com", id)
+}
+
+func TestJamfConnection_Name(t *testing.T) {
+	conn := &JamfConnection{}
+	assert.Equal(t, "jamf", conn.Name())
+}
+
+func TestJamfConnection_LocalUserAccountsCache(t *testing.T) {
+	conn := &JamfConnection{
+		localUserAccounts: make(map[string][]jamfpro.ComputerInventorySubsetLocalUserAccount),
+	}
+
+	// Cache should be empty initially
+	_, ok := conn.GetCachedLocalUserAccounts("123")
+	assert.False(t, ok)
+
+	// After caching, should return data
+	testAccounts := []jamfpro.ComputerInventorySubsetLocalUserAccount{
+		{UID: "501", Username: "admin", Admin: true},
+		{UID: "502", Username: "user1", Admin: false},
+	}
+	conn.CacheLocalUserAccounts("123", testAccounts)
+
+	cached, ok := conn.GetCachedLocalUserAccounts("123")
+	assert.True(t, ok)
+	require.Len(t, cached, 2)
+	assert.Equal(t, "admin", cached[0].Username)
+	assert.True(t, cached[0].Admin)
+	assert.Equal(t, "user1", cached[1].Username)
+	assert.False(t, cached[1].Admin)
+
+	// Different ID should miss cache
+	_, ok = conn.GetCachedLocalUserAccounts("456")
+	assert.False(t, ok)
+}

providers/jamf/gen/main.go

@@ -0,0 +1,13 @@
+// Copyright Mondoo, Inc. 2024, 2026
+// SPDX-License-Identifier: BUSL-1.1
+
+package main
+
+import (
+	"go.mondoo.com/mql/v13/providers-sdk/v1/plugin/gen"
+	"go.mondoo.com/mql/v13/providers/jamf/config"
+)
+
+func main() {
+	gen.CLI(&config.Config)
+}