mondoohq · arlimus · Feb 19, 2026 · Jan 29, 2026 · Feb 3, 2026 · Feb 3, 2026
diff --git a/.github/.goreleaser-edge.yml b/.github/.goreleaser-edge.yml
@@ -3,16 +3,16 @@
 
 ---
 version: 2
-project_name: cnquery
+project_name: mql
 env:
   - CGO_ENABLED=0
 before:
   hooks:
     - make providers
 builds:
   - id: linux
-    main: ./apps/cnquery/cnquery.go
-    binary: cnquery
+    main: ./apps/mql/mql.go
+    binary: mql
     goos:
       - linux
     goarch:
@@ -31,7 +31,7 @@ builds:
       - -tags="production netgo"
     ldflags:
       - "-extldflags=-static"
-      - -s -w -X go.mondoo.com/cnquery/v9.Version={{.Version}} -X go.mondoo.com/cnquery/v9.Build={{.ShortCommit}} -X go.mondoo.com/cnquery/v9.Date={{.Date}}
+      - -s -w -X go.mondoo.com/mql/v13.Version={{.Version}} -X go.mondoo.com/mql/v13.Build={{.ShortCommit}} -X go.mondoo.com/mql/v13.Date={{.Date}}
 checksum:
   name_template: '{{ .ProjectName }}_v{{ .Version }}_SHA256SUMS'
   algorithm: sha256

diff --git a/.github/.goreleaser-unstable.yml b/.github/.goreleaser-unstable.yml
@@ -3,16 +3,16 @@
 
 ---
 version: 2
-project_name: cnquery
+project_name: mql
 env:
   - CGO_ENABLED=0
 before:
   hooks:
     - make providers
 builds:
   - id: linux
-    main: ./apps/cnquery/cnquery.go
-    binary: cnquery
+    main: ./apps/mql/mql.go
+    binary: mql
     goos:
       - linux
     goarch:
@@ -31,10 +31,10 @@ builds:
       - -tags="production netgo"
     ldflags:
       - "-extldflags=-static"
-      - -s -w -X go.mondoo.com/cnquery/v9.Version={{.Version}} -X go.mondoo.com/cnquery/v9.Build={{.ShortCommit}} -X go.mondoo.com/cnquery/v9.Date={{.Date}}
+      - -s -w -X go.mondoo.com/mql/v13.Version={{.Version}} -X go.mondoo.com/mql/v13.Build={{.ShortCommit}} -X go.mondoo.com/mql/v13.Date={{.Date}}
   - id: macos
-    main: ./apps/cnquery/cnquery.go
-    binary: cnquery
+    main: ./apps/mql/mql.go
+    binary: mql
     goos:
       - darwin
     goarch:
@@ -43,15 +43,15 @@ builds:
     flags: -tags production
     ldflags:
       # clang + macos does not support static: - -extldflags "-static"
-      - -s -w -X go.mondoo.com/cnquery/v9.Version={{.Version}} -X go.mondoo.com/cnquery/v9.Build={{.ShortCommit}} -X go.mondoo.com/cnquery/v9.Date={{.Date}}
+      - -s -w -X go.mondoo.com/mql/v13.Version={{.Version}} -X go.mondoo.com/mql/v13.Build={{.ShortCommit}} -X go.mondoo.com/mql/v13.Date={{.Date}}
     hooks:
       post:
         - cmd: /tmp/quill sign-and-notarize "{{ .Path }}" -vv || true
           env:
             - QUILL_LOG_FILE=/tmp/quill-{{ .Target }}.log
   - id: windows
-    main: ./apps/cnquery/cnquery.go
-    binary: cnquery
+    main: ./apps/mql/mql.go
+    binary: mql
     goos:
       - windows
     goarch:
@@ -61,7 +61,7 @@ builds:
     flags: -tags production -buildmode exe
     ldflags:
       - "-extldflags -static"
-      - -s -w -X go.mondoo.com/cnquery/v9.Version={{.Version}} -X go.mondoo.com/cnquery/v9.Build={{.ShortCommit}} -X go.mondoo.com/cnquery/v9.Date={{.Date}}
+      - -s -w -X go.mondoo.com/mql/v13.Version={{.Version}} -X go.mondoo.com/mql/v13.Build={{.ShortCommit}} -X go.mondoo.com/mql/v13.Date={{.Date}}
     hooks:
       post:
         - cmd: jsign --storetype TRUSTEDSIGNING --keystore {{ .Env.TSIGN_AZURE_ENDPOINT }} --storepass {{ .Env.TSIGN_ACCESS_TOKEN }} --alias {{ .Env.TSIGN_ACCOUNT_NAME }}/{{ .Env.TSIGN_CERT_PROFILE_NAME }} '{{ .Path }}'
@@ -276,3 +276,7 @@ docker_manifests:  # https://goreleaser.com/customization/docker_manifest/
       - mondoo/{{ .ProjectName }}:{{ .Version }}-arm64v8-rootless
       - mondoo/{{ .ProjectName }}:{{ .Version }}-armv6-rootless
       - mondoo/{{ .ProjectName }}:{{ .Version }}-armv7-rootless
+release:
+  replace_existing_artifacts: true
+  make_latest: false
+  prerelease: true
diff --git a/.github/actions/spelling/expect.txt b/.github/actions/spelling/expect.txt
@@ -99,7 +99,7 @@ mfs
 mgroup
 minfree
 mkey
-mpim
+Mpim
 naflags
 natgateway
 networkinterface

diff --git a/.github/images/cnquery-scan.gif b/.github/images/cnquery-scan.gif
diff --git a/.github/images/cnquery-dark.svg → .github/images/mql-dark.svg b/.github/images/cnquery-dark.svg → .github/images/mql-dark.svg
diff --git a/.github/images/cnquery-light.svg → .github/images/mql-light.svg b/.github/images/cnquery-light.svg → .github/images/mql-light.svg
diff --git a/.github/images/cnquery-run.gif → .github/images/mql-run.gif b/.github/images/cnquery-run.gif → .github/images/mql-run.gif
diff --git a/.github/pr-body-providers.md b/.github/pr-body-providers.md
@@ -1,4 +1,4 @@
 Created by Mondoo Tools via GitHub Actions
 
 Workflow:
-https://github.com/mondoohq/cnquery/actions/workflows/release-providers.yaml
+https://github.com/mondoohq/mql/actions/workflows/release-providers.yaml
diff --git a/.github/pr-body.md b/.github/pr-body.md
@@ -1,4 +1,4 @@
 Created by Mondoo Tools via GitHub Actions
 
 Workflow:
-https://github.com/mondoohq/cnquery/actions/workflows/update-deps.yaml
+https://github.com/mondoohq/mql/actions/workflows/update-deps.yaml
diff --git a/.github/workflows/goreleaser-edge.yml b/.github/workflows/goreleaser-edge.yml
@@ -5,6 +5,12 @@ on:
     branches:
       - "main"
   workflow_dispatch:
+    inputs:
+      upload-artifacts:
+        description: "Upload artifacts to workflow"
+        required: false
+        default: false
+        type: boolean
 
 env:
   REGISTRY: docker.io
@@ -65,3 +71,11 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           NFPM_DEFAULT_RPM_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
+
+      - name: Upload artifacts
+        if: ${{ inputs.upload-artifacts == true }}
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        with:
+          name: mql-edge-linux
+          path: dist/mql*
+          retention-days: 7
diff --git a/.github/workflows/goreleaser.yml b/.github/workflows/goreleaser.yml
@@ -26,6 +26,16 @@ on:
         required: false
         default: false
         type: boolean
+      skip-cnspec-bump:
+        description: "Skip triggering mql version bump in cnspec"
+        required: false
+        default: true
+        type: boolean
+      make-latest:
+        description: "Mark GitHub release as 'latest'"
+        required: false
+        default: true
+        type: boolean
 
 env:
   REGISTRY: docker.io
@@ -52,13 +62,16 @@ jobs:
           fetch-depth: 0
 
       - name: Dump all inputs
-        run: echo "${{ toJSON(inputs) }}"
-
-      - name: Skip Publish for Alpha and Beta Tags
+        run: |
+          echo "${{ toJSON(inputs) }}"
+          echo "github.ref: ${{ github.ref }}"
+          echo "github.ref_name: ${{ github.ref_name }}"
+          echo "github.event_name: ${{ github.event_name }}"
+      - name: Skip Publish for non-release tags
         id: skip-publish
-        if: contains(github.ref, 'alpha') || contains(github.ref, 'beta') || contains(github.ref, 'rc') || inputs.skip-publish == true
+        if: contains(github.ref, 'alpha') || contains(github.ref, 'beta') || contains(github.ref, 'pre') || contains(github.ref, 'rc') || inputs.skip-publish == true
         run: |
-          echo "Skipping publish for alpha and beta tags"
+          echo "Skipping publish for non-release tags"
           echo "skip-publish=true" >> $GITHUB_OUTPUT
           echo "skip-publish=true" >> $GITHUB_ENV
 
@@ -136,8 +149,8 @@ jobs:
       # This is because a goreleaser dep was changed to https://github.com/goreleaser/nfpm/releases/tag/v2.41.2
       # created a discussion on the issue here https://github.com/orgs/goreleaser/discussions/5943
 
-      - name: Run GoReleaser (w/ Docker Release)
-        if: ${{ inputs.skip-publish != true }}
+      - name: Run GoReleaser and promote latest
+        if: ${{ inputs.skip-publish != true && steps.skip-publish.outputs.skip-publish != 'true' }}
         uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
         with:
           distribution: goreleaser
@@ -160,9 +173,10 @@ jobs:
           TSIGN_ACCOUNT_NAME: ${{ vars.TSIGN_ACCOUNT_NAME }}
           TSIGN_CERT_PROFILE_NAME: ${{ github.event.inputs.use-test-cert == 'true' && vars.TSIGN_TEST_CERT_PROFILE_NAME || vars.TSIGN_CERT_PROFILE_NAME }}
           TSIGN_ACCESS_TOKEN: ${{ steps.get_token.outputs.TSIGN_ACCESS_TOKEN }}
+          MAKE_LATEST: ${{ inputs.make-latest == false && 'false' || 'true' }}
 
-      - name: Run GoReleaser (w/o Docker Release)
-        if: ${{ inputs.skip-publish == true }}
+      - name: Run GoReleaser without promoting 'latest'
+        if: ${{ inputs.skip-publish == true || steps.skip-publish.outputs.skip-publish == 'true' }}
         uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
         with:
           distribution: goreleaser
@@ -186,6 +200,7 @@ jobs:
           TSIGN_ACCOUNT_NAME: ${{ vars.TSIGN_ACCOUNT_NAME }}
           TSIGN_CERT_PROFILE_NAME: ${{ github.event.inputs.use-test-cert == 'true' && vars.TSIGN_TEST_CERT_PROFILE_NAME || vars.TSIGN_CERT_PROFILE_NAME }}
           TSIGN_ACCESS_TOKEN: ${{ steps.get_token.outputs.TSIGN_ACCESS_TOKEN }}
+          MAKE_LATEST: ${{ inputs.make-latest == false && 'false' || 'true' }}
 
       - name: Check RPMs
         run: |
@@ -209,15 +224,15 @@ jobs:
           retention-days: 7
 
       # At this point we know the docker container is published.
-      # We can now trigger the cnquery bump in cnspec, which will also trigger the release of cnspec.
+      # We can now trigger the mql bump in cnspec, which will also trigger the release of cnspec.
       # The docker container is a pre-requisite for cnspec release.
-      - name: Trigger cnquery bump in cnspec
-        if: ${{ inputs.skip-publish != true }}
+      - name: Trigger mql bump in cnspec
+        if: ${{ inputs.skip-publish != true && inputs.skip-cnspec-bump != true && inputs.make-latest != false }}
         uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1
         with:
           token: ${{ secrets.RELEASR_ACTION_TOKEN }}
           repository: "mondoohq/cnspec"
-          event-type: update-cnquery
+          event-type: update-mql
           client-payload: '{
             "version": "${{  github.ref_name }}"
             }'
diff --git a/.github/workflows/main-benchmark.yml b/.github/workflows/main-benchmark.yml
diff --git a/.github/workflows/pr-test-generated-files.yaml b/.github/workflows/pr-test-generated-files.yaml
@@ -52,7 +52,7 @@ jobs:
         run: |
           protoc --version
           make prep
-          make cnquery/generate
+          make mql/generate
           SKIP_COMPILE=yes make providers/build
           git diff --exit-code *.go
           git diff --exit-code providers/**/*.lr.json

diff --git a/.github/workflows/pr-test-lint.yml b/.github/workflows/pr-test-lint.yml
@@ -94,7 +94,7 @@ jobs:
       - name: Display Provider PAth
         run: echo $PROVIDERS_PATH
 
-      - name: Test cnquery
+      - name: Test mql
         run: make test/go/plain-ci
 
       - name: Test Providers
@@ -131,7 +131,7 @@ jobs:
       - name: Display Provider PAth
         run: echo $PROVIDERS_PATH
 
-      - name: Test cnquery CLI and Providers
+      - name: Test mql CLI and Providers
         run: make test/integration
 
       - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
@@ -158,54 +158,9 @@ jobs:
       - name: Run race detector on selected packages
         run: make race/go
 
-  go-bench:
-    runs-on: ubuntu-latest
-    if: github.ref != 'refs/heads/main'
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - name: Import environment variables from file
-        run: cat ".github/env" >> $GITHUB_ENV
-      - name: Install Go
-        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
-        with:
-          go-version: ">=${{ env.golang-version }}"
-          cache: false
-      - name: Run benchmark
-        run: make benchmark/go | tee benchmark.txt
-
-        # Remove log statements and leave just the benchmark results
-      - name: Cleanup benchmark file
-        run: sed -i -n '/goos:/,$p' benchmark.txt
-
-      # Download previous benchmark result from cache (if exists)
-      - name: Download previous benchmark data
-        uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
-        with:
-          path: ./cache
-          key: ${{ runner.os }}-benchmark-${{ github.run_id }}
-          restore-keys: |
-            ${{ runner.os }}-benchmark-
-      # Run `github-action-benchmark` action
-      - name: Store benchmark result
-        uses: benchmark-action/github-action-benchmark@4bdcce38c94cec68da58d012ac24b7b1155efe8b # v1.20.7
-        with:
-          # What benchmark tool the output.txt came from
-          tool: "go"
-          # Where the output from the benchmark tool is stored
-          output-file-path: benchmark.txt
-          # Where the previous data file is stored
-          external-data-json-path: ./cache/benchmark-data.json
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          comment-on-alert: true
-          summary-always: true
-          fail-on-alert: true
-          save-data-file: false
-          alert-threshold: "150%"
-
   go-auto-approve:
     runs-on: ubuntu-latest
-    needs: [golangci-lint, golangci-lint-providers, go-test, go-test-integration, go-bench, go-mod]
+    needs: [golangci-lint, golangci-lint-providers, go-test, go-test-integration, go-mod]
     # For now, we only auto approve and merge provider release PRs created by mondoo-tools.
     # We have to check the commit author, because the PR is created by "github-actions[bot]"
     # https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/evaluate-expressions-in-workflows-and-actions#startswith
-Original file line number
+Diff line change
@@ Expand Up / @@ -99,7 +99,7 @@ mfs @@
     mgroup
     minfree
     mkey
-    mpim
+    Mpim
     naflags
     natgateway
     networkinterface
@@ Expand Down @@