
⭐ add mql inventory validate to catch unknown connection options#8447

Open: chris-rock wants to merge 3 commits into main from feat/inventory-validate

Conversation

@chris-rock

Member

Problem

A connection's options in an inventory file are a free-form map[string]string. A mistyped key — namespace instead of namespaces, tenantId instead of tenant-id, subscription-id (no such flag) instead of subscription — is silently ignored. There is no way to check an inventory before a scan, so the mistake only surfaces as a confusing connect-time failure, or as a setting that quietly never took effect.

What this adds

A new mql inventory validate <file> command. It parses the inventory and checks each asset connection against the providers installed on the system:

  • Unknown connection type — a type no installed provider provides is reported.
  • Unknown option key — an options key not declared by the resolving provider's connector flags is reported. The flag Long names are the authoritative set of option keys, since providers read conf.Options[flag.Long].

$ mql inventory validate prod.yaml
warning: unknown option "namespace" for connection type "k8s" (asset cluster, connection 0)
warning: unknown option "tenntid" for connection type "azure" (asset cluster, connection 1)
inventory "prod.yaml" passed with 2 warning(s); use --strict to fail on warnings

Findings are warnings by default and become errors under --strict (non-zero exit), so the command can gate inventories in CI without false-failing on a provider that simply isn't installed on the local machine. Validation is offline — it reads each provider's static plugin metadata via providers.ListAll() and never connects to a target.

Design

  • The check logic lives in a new cli/inventoryvalidate package, driven by a Schema built from provider metadata (BuildSchema([]*plugin.Provider)). Keeping the schema as an input makes Check unit-testable with hand-built providers — no provider needs to be installed to run the tests.
  • A type's allowed option keys are the union of its provider's connector flags, which avoids false positives for providers that expose several connectors. The default warning severity is a deliberate hedge: if a provider ever reads an option it doesn't declare as a flag, the user sees a warning rather than a hard failure.

Tests

cli/inventoryvalidate/validate_test.go covers schema resolution (type, connector name, alias), valid options, unknown options, --strict promotion, unknown types, nil-safety, and asset-label fallback. go vet and golangci-lint are clean; manually smoke-tested against good/typo'd/unknown-type inventories and a missing file.

🤖 Generated with Claude Code

Inventory `options` are a free-form string map: a mistyped key (e.g.
`namespace` instead of `namespaces`, or `tenantId` instead of `tenant-id`) is
silently ignored and only surfaces as a confusing connect-time failure, if at
all. There is no way to check an inventory file before using it.

This adds `mql inventory validate <file>`, which parses the inventory and
checks each asset connection against the providers installed on the system:

- connection types not provided by any installed provider are reported;
- option keys not declared by the resolving provider's connector flags are
  reported (the flag long names are the authoritative set of option keys, since
  providers read `conf.Options[flag.Long]`).

Findings are warnings by default and become errors under `--strict`, so the
command can gate inventories in CI without false-failing on providers that
happen not to be installed locally. Validation is offline — it reads each
provider's static plugin metadata and never connects.

The check logic lives in a new `cli/inventoryvalidate` package and is driven by
a schema built from provider metadata, so it is unit-tested without requiring
any provider to be installed.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
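The schema build and offline check described in the PR body and commit message, as an added Go example (not the PR's own cli/inventoryvalidate code): Connector, Schema, Connection and the asset-name map are constructed stand-ins for the plugin metadata and inventory types, and the output format follows the sample run above.

```go
package main

import (
	"fmt"
	"slices"
)

// Connector is a constructed stand-in for plugin metadata (not cnquery's own type):
// it serves connection types and declares flags whose Long names are the option
// keys the provider reads via conf.Options[flag.Long].
type Connector struct{ Types, Flags []string }
// Schema maps a connection type to its allowed option keys: the union of flag Long
// names over every connector, of any installed provider, that serves the type.
type Schema map[string][]string

func BuildSchema(connectors []Connector) Schema {
	s := Schema{}
	for _, c := range connectors {
		for _, t := range c.Types {
			s[t] = append(s[t], c.Flags...)
		}
	}
	return s
}

// Connection is one entry of an asset's connections list; Options is free-form.
type Connection struct {
	Type    string
	Options map[string]string
}

// Check validates each asset's connections offline against the schema. Findings
// are warnings; fail is true only under strict, which turns them into errors.
func Check(s Schema, assets map[string][]Connection, strict bool) (findings []string, fail bool) {
	for name, conns := range assets {
		for i, c := range conns {
			allowed, ok := s[c.Type]
			if !ok {
				findings = append(findings, fmt.Sprintf("unknown connection type %q (asset %s, connection %d)", c.Type, name, i))
				continue
			}
			for k := range c.Options {
				if !slices.Contains(allowed, k) {
					findings = append(findings, fmt.Sprintf("unknown option %q for connection type %q (asset %s, connection %d)", k, c.Type, name, i))
				}
			}
		}
	}
	return findings, strict && len(findings) > 0
}
```

Asset iteration follows Go map order, so a real command would sort findings before printing them.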

@mondoo-code-review mondoo-code-review Bot left a comment


New mql inventory validate command correctly validates inventory files against provider schemas.

@github-actions

github-actions Bot commented Jun 15, 2026

Contributor

Test Results

9 981 tests (+7), 9 975 ✅ (+7), 4m 42s ⏱️ (+1m 29s)
544 suites (+1), 6 💤 (±0)
40 files (±0), 0 ❌ (±0)

Results for commit 7b8cb95. ± Comparison against base commit 788f38b.

♻️ This comment has been updated with latest results.

chris-rock and others added 2 commits June 15, 2026 15:35
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@tas50 tas50 changed the title feat: add mql inventory validate to catch unknown connection options ⭐ add mql inventory validate to catch unknown connection options Jun 18, 2026