Operators
Operators define the type of comparison between the field and the value element. Some operators only work with a single value, while others can work with multiple.
Equals (=)
Use the = (equals) operator to list all items where there is an exact match between the field and the value elements. Note that the value type must also match.
The equals operator can compare simple data types like numbers (42, 3.14) and strings ("some string"), but also special data types such as boolean (TRUE and FALSE), enums (severity values like HIGH, MEDIUM or LOW), or the Null value (NULL). The following is an example of a simple query using the equals operator:
The query finds all HardcodedAccountPasswordIssue values with no plaintext passwords.
Note
The equals operator only lists exact matches. To list partial matches, use the =~ (matches) or the CONTAINS operator if the value is a string. For numeric data, you can use the greater than/less than operators (< / >) with the keyword AND.
You can search for multiple values either by using equals with the OR keyword, or by using the In operator.
Not equals (!=)
Use the != (not equals) operator to list all items where there is no exact match between the field and value elements. In other words, the not equals operator is the negation of the equals operator.
For example, to search for all non-critical severity issues:
Alternatively, you can use the NOT keyword:
Greater than (>)
Use the > (greater than) operator to list all objects whose value is greater than the specified threshold.
For example, to find all instances of CertificateKeyLengthIssue where the key length is greater than 1024 bits, use the following query:
Note
The > operator can only be used with fields that support ordering, such as numeric fields.
Greater than equals (>=)
Use the >= (greater than equals) operator to list all objects whose value is greater than or equal to the specified threshold.
For example, to find all instances of CertificateKeyLengthIssue where the key length is greater than or equal to 1024 bits, use the following query:
Note
The >= operator can only be used with fields that support ordering, such as numeric fields.
Less than (<)
Use the < (less than) operator to list all objects whose value is less than the specified threshold.
For example, to find all instances of CertificateKeyLengthIssue where the key length is less than 1024 bits, use the following query:
Note
The < operator can only be used with fields that support ordering, such as numeric fields.
Less than equals (<=)
Use the <= (less than equals) operator to list all objects whose value is less than or equal to the specified threshold.
For example, to find all instances of CertificateKeyLengthIssue where the key length is less than or equal to 1024 bits:
Note
The <= operator can only be used with fields that support ordering, such as numeric fields.
Matches (=~)
Use the =~ (matches) operator to list all objects that partially or fully match the specified value. The query uses Python's regular expression (regex) syntax, so the value element must be a valid regex.
For example, you can use the following query to find AuthorizedKeyIssue where the set authorized key has a command restriction:
If your query contains a regex control character such as \, *, ?, or +, use a \ to escape it:
Not matches (!~)
Use the !~ (not matches) operator to list all objects where there is no partial or full match with the specified value. In other words, the not matches operator is the negation of the matches operator. The query uses Python's regular expression (regex) syntax, so the value element must be a valid regex.
For example, to list all instances of CertificateKeyLengthIssue with non-rsa key types:
Alternatively, you can use the NOT keyword:
If your query contains a regex control character such as \, *, ?, or +, use a \ to escape it:
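An added example, not taken from the original documentation or the product's code: a Python model of =~ and !~ built on the re module, showing how an unescaped value over-matches and how backslash-escaping restores a literal search. It assumes that a partial match corresponds to re.search; the sample values and function names are constructed for illustration.

```python
import re

# Constructed sample values for string fields (not taken from the page).
AUTHORIZED_KEY_OPTIONS = [
    'command="/usr/bin/rsync --server"',
    'from="10.0.0.*"',
    'from="10.0.0.5",no-pty',
    'from="10a0b0.example"',
    'no-port-forwarding',
]
KEY_TYPES = ["rsa", "ssh-rsa", "ecdsa", "ed25519"]


def is_valid_regex(pattern):
    """The value used with =~ or !~ must compile as a Python regex."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


def matches(values, pattern):
    """Model of =~ (assumption: partial match means re.search)."""
    rx = re.compile(pattern)
    return [v for v in values if rx.search(v)]


def not_matches(values, pattern):
    """Model of !~: the negation of matches()."""
    rx = re.compile(pattern)
    return [v for v in values if not rx.search(v)]


def literal(text):
    """Backslash-escape regex control characters so text only matches itself."""
    return re.escape(text)


if __name__ == "__main__":
    print(matches(AUTHORIZED_KEY_OPTIONS, "command="))            # partial match
    print(matches(AUTHORIZED_KEY_OPTIONS, "10.0.0.*"))            # over-matches
    print(matches(AUTHORIZED_KEY_OPTIONS, literal("10.0.0.*")))   # literal only
    print(not_matches(KEY_TYPES, "rsa"))                          # partial negation
    print(not_matches(KEY_TYPES, "^rsa$"))                        # full-match negation
    print(is_valid_regex("command=("))                            # unbalanced group
```

Because the match is partial, an unanchored rsa also excludes ssh-rsa; anchoring with ^ and $ limits the pattern to the whole value.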
In (IN)
Use the IN operator to list all items where there is an exact match between the field and the value elements. It works similarly to the equals operator, but with a slightly different syntax: it can only work with vector values. For more information on how to work with vectors, see Vector.
For example, to find all issues with HIGH or CRITICAL severity, use:
Alternatively, you can use the = operator with the OR keyword:
Similarly to the equals operator, IN can compare simple data types like numbers (42, 3.14) and strings ("some string"), but also special data types such as boolean (TRUE and FALSE) and enums (severity values like HIGH, MEDIUM or LOW).
Warning
IN does not support the NULL value.
Not in (NOT IN)
Use the NOT IN operator to list all items where there is no exact match between the field and value elements. In other words, the not in operator is the negation of the in operator. It works similarly to the not equals operator, but with a slightly different syntax: it can only work with vector values. For more information on how to work with vectors, see Vector.
For example, the below query searches for all issues which were detected in files other than passwd and shadow:
Alternatively, you can use the != operator with the OR keyword:
Or you can use the NOT keyword:
Contains (CONTAINS)
Use the CONTAINS operator to list all objects that partially or fully match the specified string. It works similarly to the =~ (matches) operator, but it can only search for string values.
For example, you can use the following query to find AuthorizedKeyIssue where the set authorized key has a command restriction:
Not contains (NOT CONTAINS)
Use the NOT CONTAINS operator to list all objects where there is no partial or full match with the specified string. In other words, the not contains operator is the negation of the contains operator. It works similarly to !~ (not matches), but it can only search for string values.
For example, to find all instances of HardcodedAccountPasswordIssue where the username is not root:
Alternatively, you can use the NOT keyword: