CloudQuery
@cloudquery.bsky.social
Data pipelines for cloud config and security data. Build cloud asset inventory, CSPM, FinOps, and vulnerability management solutions. Extract from AWS, Azure, GCP, and 70+ cloud and SaaS sources.
Works with Okta or Azure AD. Same SQL pattern, different identity source.
Export to CSV for auditors or import into your GRC platform.
Full tutorial: https://www.cloudquery.io/blog/find-commits-by-departed-employees-with-sql
Export to CSV for auditors or import into your GRC platform.
Full tutorial: https://www.cloudquery.io/blog/find-commits-by-departed-employees-with-sql
January 15, 2026 at 3:15 PM
Works with Okta or Azure AD. Same SQL pattern, different identity source.
Export to CSV for auditors or import into your GRC platform.
Full tutorial: https://www.cloudquery.io/blog/find-commits-by-departed-employees-with-sql
Export to CSV for auditors or import into your GRC platform.
Full tutorial: https://www.cloudquery.io/blog/find-commits-by-departed-employees-with-sql
Focus on recent commits. Code from departed employees in the last 90 days may indicate offboarding timing issues. Or warrant immediate security review.
January 15, 2026 at 3:15 PM
Focus on recent commits. Code from departed employees in the last 90 days may indicate offboarding timing issues. Or warrant immediate security review.
The query catches:
→ DEPROVISIONED (former employee)
→ SUSPENDED (on leave)
→ NOT_FOUND (never in IdP - contractor? personal email?)
Prioritize by recency and commit count.
→ DEPROVISIONED (former employee)
→ SUSPENDED (on leave)
→ NOT_FOUND (never in IdP - contractor? personal email?)
Prioritize by recency and commit count.
January 15, 2026 at 3:15 PM
The query catches:
→ DEPROVISIONED (former employee)
→ SUSPENDED (on leave)
→ NOT_FOUND (never in IdP - contractor? personal email?)
Prioritize by recency and commit count.
→ DEPROVISIONED (former employee)
→ SUSPENDED (on leave)
→ NOT_FOUND (never in IdP - contractor? personal email?)
Prioritize by recency and commit count.
With CloudQuery, join commit history against your identity provider:
SELECT gc.*, u.status
FROM git_commits gc
LEFT JOIN okta_users u
ON gc.author_email = u.email
WHERE u.status != 'ACTIVE'
SELECT gc.*, u.status
FROM git_commits gc
LEFT JOIN okta_users u
ON gc.author_email = u.email
WHERE u.status != 'ACTIVE'
January 15, 2026 at 3:15 PM
With CloudQuery, join commit history against your identity provider:
SELECT gc.*, u.status
FROM git_commits gc
LEFT JOIN okta_users u
ON gc.author_email = u.email
WHERE u.status != 'ACTIVE'
SELECT gc.*, u.status
FROM git_commits gc
LEFT JOIN okta_users u
ON gc.author_email = u.email
WHERE u.status != 'ACTIVE'
The manual approach:
→ Export HR data
→ Clone repos
→ Run git log
→ Correlate email addresses
→ Compile spreadsheets
Repeat quarterly for SOC 2.
→ Export HR data
→ Clone repos
→ Run git log
→ Correlate email addresses
→ Compile spreadsheets
Repeat quarterly for SOC 2.
January 15, 2026 at 3:15 PM
The manual approach:
→ Export HR data
→ Clone repos
→ Run git log
→ Correlate email addresses
→ Compile spreadsheets
Repeat quarterly for SOC 2.
→ Export HR data
→ Clone repos
→ Run git log
→ Correlate email addresses
→ Compile spreadsheets
Repeat quarterly for SOC 2.
Run monthly to catch new repos created without LICENSE files. Export to CSV for legal review or join with GitHub org data to identify owners.
Full tutorial: https://www.cloudquery.io/blog/find-repos-missing-license-files-with-sql
Full tutorial: https://www.cloudquery.io/blog/find-repos-missing-license-files-with-sql
January 14, 2026 at 3:15 PM
Run monthly to catch new repos created without LICENSE files. Export to CSV for legal review or join with GitHub org data to identify owners.
Full tutorial: https://www.cloudquery.io/blog/find-repos-missing-license-files-with-sql
Full tutorial: https://www.cloudquery.io/blog/find-repos-missing-license-files-with-sql
The glob pattern `**/LICENSE*` catches variations:
→ LICENSE.txt
→ LICENSE.md
→ LICENCE (British spelling)
→ LICENSE-MIT
Check the `name` column to see exact filenames.
→ LICENSE.txt
→ LICENSE.md
→ LICENCE (British spelling)
→ LICENSE-MIT
Check the `name` column to see exact filenames.
January 14, 2026 at 3:15 PM
The glob pattern `**/LICENSE*` catches variations:
→ LICENSE.txt
→ LICENSE.md
→ LICENCE (British spelling)
→ LICENSE-MIT
Check the `name` column to see exact filenames.
→ LICENSE.txt
→ LICENSE.md
→ LICENCE (British spelling)
→ LICENSE-MIT
Check the `name` column to see exact filenames.
Legal says "no GPL in production code"?
Query for repos with GPL licenses owned by your org. Filter by team, by repo pattern, by creation date. SQL makes compliance checks composable.
Query for repos with GPL licenses owned by your org. Filter by team, by repo pattern, by creation date. SQL makes compliance checks composable.
January 14, 2026 at 3:15 PM
Legal says "no GPL in production code"?
Query for repos with GPL licenses owned by your org. Filter by team, by repo pattern, by creation date. SQL makes compliance checks composable.
Query for repos with GPL licenses owned by your org. Filter by team, by repo pattern, by creation date. SQL makes compliance checks composable.
But wait, there's more than just "missing or not."
Parse LICENSE content to classify types:
→ MIT
→ Apache-2.0
→ GPL
→ BSD
One query gives you license inventory across all repos.
Parse LICENSE content to classify types:
→ MIT
→ Apache-2.0
→ GPL
→ BSD
One query gives you license inventory across all repos.
January 14, 2026 at 3:15 PM
But wait, there's more than just "missing or not."
Parse LICENSE content to classify types:
→ MIT
→ Apache-2.0
→ GPL
→ BSD
One query gives you license inventory across all repos.
Parse LICENSE content to classify types:
→ MIT
→ Apache-2.0
→ GPL
→ BSD
One query gives you license inventory across all repos.
The Git Source Plugin syncs LICENSE files into your database. Query for missing licenses across your entire org:
SELECT gr.full_name FROM git_repositories gr
LEFT JOIN git_files gf ON gf.name = 'LICENSE'
WHERE gf.repository_url IS NULL
SELECT gr.full_name FROM git_repositories gr
LEFT JOIN git_files gf ON gf.name = 'LICENSE'
WHERE gf.repository_url IS NULL
January 14, 2026 at 3:15 PM
The Git Source Plugin syncs LICENSE files into your database. Query for missing licenses across your entire org:
SELECT gr.full_name FROM git_repositories gr
LEFT JOIN git_files gf ON gf.name = 'LICENSE'
WHERE gf.repository_url IS NULL
SELECT gr.full_name FROM git_repositories gr
LEFT JOIN git_files gf ON gf.name = 'LICENSE'
WHERE gf.repository_url IS NULL
Run weekly to catch new Dockerfiles with EOL images before they hit production. Incremental sync means you're only updating changed files.
Full tutorial with SQL examples:
https://www.cloudquery.io/blog/query-dockerfiles-for-eol-base-images-with-sql
Full tutorial with SQL examples:
https://www.cloudquery.io/blog/query-dockerfiles-for-eol-base-images-with-sql
January 13, 2026 at 3:15 PM
Run weekly to catch new Dockerfiles with EOL images before they hit production. Incremental sync means you're only updating changed files.
Full tutorial with SQL examples:
https://www.cloudquery.io/blog/query-dockerfiles-for-eol-base-images-with-sql
Full tutorial with SQL examples:
https://www.cloudquery.io/blog/query-dockerfiles-for-eol-base-images-with-sql
Join with GitHub repository data to identify owners automatically. Create tracking issues without manual research.
SELECT ei.*, gr.owner
FROM eol_images ei
JOIN git_repositories gr ON ...
SELECT ei.*, gr.owner
FROM eol_images ei
JOIN git_repositories gr ON ...
January 13, 2026 at 3:15 PM
Join with GitHub repository data to identify owners automatically. Create tracking issues without manual research.
SELECT ei.*, gr.owner
FROM eol_images ei
JOIN git_repositories gr ON ...
SELECT ei.*, gr.owner
FROM eol_images ei
JOIN git_repositories gr ON ...
Same pattern works for any EOL runtime:
→ Python 2.7
→ Ubuntu 18.04
→ Node 16
→ Any base image you need to track
Combine multiple versions in one query.
→ Python 2.7
→ Ubuntu 18.04
→ Node 16
→ Any base image you need to track
Combine multiple versions in one query.
January 13, 2026 at 3:15 PM
Same pattern works for any EOL runtime:
→ Python 2.7
→ Ubuntu 18.04
→ Node 16
→ Any base image you need to track
Combine multiple versions in one query.
→ Python 2.7
→ Ubuntu 18.04
→ Node 16
→ Any base image you need to track
Combine multiple versions in one query.
The query parses Dockerfile content into lines, extracts FROM statements with regex, and filters for your EOL version.
Works for multi-stage builds too - each FROM statement is captured.
Works for multi-stage builds too - each FROM statement is captured.
January 13, 2026 at 3:15 PM
The query parses Dockerfile content into lines, extracts FROM statements with regex, and filters for your EOL version.
Works for multi-stage builds too - each FROM statement is captured.
Works for multi-stage builds too - each FROM statement is captured.
With the Git Source Plugin, you sync Dockerfile content directly to your database. Then it's one SQL query:
SELECT repository_url, path, image
FROM dockerfiles
WHERE image LIKE 'node:18%'
SELECT repository_url, path, image
FROM dockerfiles
WHERE image LIKE 'node:18%'
January 13, 2026 at 3:15 PM
With the Git Source Plugin, you sync Dockerfile content directly to your database. Then it's one SQL query:
SELECT repository_url, path, image
FROM dockerfiles
WHERE image LIKE 'node:18%'
SELECT repository_url, path, image
FROM dockerfiles
WHERE image LIKE 'node:18%'
The manual approach:
→ Clone hundreds of repos
→ Find all Dockerfiles
→ Parse FROM statements
→ Compile results into spreadsheet
→ Email teams
→ Track remediation
Repeat when the next runtime goes EOL.
→ Clone hundreds of repos
→ Find all Dockerfiles
→ Parse FROM statements
→ Compile results into spreadsheet
→ Email teams
→ Track remediation
Repeat when the next runtime goes EOL.
January 13, 2026 at 3:15 PM
The manual approach:
→ Clone hundreds of repos
→ Find all Dockerfiles
→ Parse FROM statements
→ Compile results into spreadsheet
→ Email teams
→ Track remediation
Repeat when the next runtime goes EOL.
→ Clone hundreds of repos
→ Find all Dockerfiles
→ Parse FROM statements
→ Compile results into spreadsheet
→ Email teams
→ Track remediation
Repeat when the next runtime goes EOL.
Read the full guide with SQL examples for finding EOL images, missing licenses, and stale CODEOWNERS:
https://www.cloudquery.io/blog/introducing-the-git-source-plugin
https://www.cloudquery.io/blog/introducing-the-git-source-plugin
January 12, 2026 at 3:15 PM
Read the full guide with SQL examples for finding EOL images, missing licenses, and stale CODEOWNERS:
https://www.cloudquery.io/blog/introducing-the-git-source-plugin
https://www.cloudquery.io/blog/introducing-the-git-source-plugin
Platform engineering workflows: compliance audits, incident response (which repos have CVE-affected dependencies?), developer experience dashboards, automated alerts for missing required files.
January 12, 2026 at 3:15 PM
Platform engineering workflows: compliance audits, incident response (which repos have CVE-affected dependencies?), developer experience dashboards, automated alerts for missing required files.
Incremental syncs track file SHA hashes. Only fetch changed files on subsequent runs. No local clones means no disk space overhead.
January 12, 2026 at 3:15 PM
Incremental syncs track file SHA hashes. Only fetch changed files on subsequent runs. No local clones means no disk space overhead.
Cross-plugin joins make it powerful. Audit CODEOWNERS against Okta to find ownership gaps when engineers leave. Join git_files with GitHub metadata for complete visibility.
January 12, 2026 at 3:15 PM
Cross-plugin joins make it powerful. Audit CODEOWNERS against Okta to find ownership gaps when engineers leave. Join git_files with GitHub metadata for complete visibility.
We sync three tables: repositories, files (matching your glob patterns), and commits.
Configure patterns like **/Dockerfile*, **/CODEOWNERS, **/package.json. Only sync what you need.
Configure patterns like **/Dockerfile*, **/CODEOWNERS, **/package.json. Only sync what you need.
January 12, 2026 at 3:15 PM
We sync three tables: repositories, files (matching your glob patterns), and commits.
Configure patterns like **/Dockerfile*, **/CODEOWNERS, **/package.json. Only sync what you need.
Configure patterns like **/Dockerfile*, **/CODEOWNERS, **/package.json. Only sync what you need.