Sample queries

What RDS instances are installed in my AWS accounts?

MATCH (aws:AWSAccount)-[r:RESOURCE]->(rds:RDSInstance)
return *

Which RDS instances have encryption turned off?

MATCH (a:AWSAccount)-[:RESOURCE]->(rds:RDSInstance{storage_encrypted:false})
RETURN a.name, rds.id

Which EC2 instances are exposed (directly or indirectly) to the internet?

MATCH (instance:EC2Instance{exposed_internet: true})
RETURN instance.instanceid, instance.publicdnsname

Which ELB LoadBalancers are internet accessible?

MATCH (elb:LoadBalancer{exposed_internet: true})-->(listener:ELBListener)
RETURN elb.dnsname, listener.port
ORDER by elb.dnsname, listener.port

Which ELBv2 LoadBalancerV2s (Application Load Balancers) are internet accessible?

MATCH (elbv2:LoadBalancerV2{exposed_internet: true})-->(listener:ELBV2Listener)
RETURN elbv2.dnsname, listener.port
ORDER by elbv2.dnsname, listener.port

Which S3 buckets have a policy granting any level of anonymous access to the bucket?

MATCH (s:S3Bucket)
WHERE s.anonymous_access = true
RETURN s

How many unencrypted RDS instances do I have in all my AWS accounts?

MATCH (a:AWSAccount)-[:RESOURCE]->(rds:RDSInstance)
WHERE rds.storage_encrypted = false
RETURN a.name AS AWSAccount, count(rds) AS UnencryptedInstances

What users have the TotallyFake Chrome extension installed?

MATCH (u:GSuiteUser)-[r:INSTALLS]->(ext:ChromeExtension)
WHERE ext.name CONTAINS 'TotallyFake'
RETURN ext.name, ext.version, u.email

What users have installed extensions that are risky based on CRXcavator scoring?

Risk > 200 is evidence of 3 or more critical risks or many high risks in the extension.

MATCH (u:GSuiteUser)-[r:INSTALLS]->(ext:ChromeExtension)
WHERE ext.risk_total > 200
RETURN ext.name, ext.version, u.email

What languages are used in a given GitHub repository?

MATCH (:GitHubRepository{name:"myrepo"})-[:LANGUAGE]->(lang:ProgrammingLanguage)
RETURN lang.name

What are the dependencies used in a given GitHub repository?

MATCH (:GitHubRepository{name:"myrepo"})-[edge:REQUIRES]->(dep:Dependency)
RETURN dep.name, edge.specifier, dep.version

If you want to filter to just e.g. Python libraries:

MATCH (:GitHubRepository{name:"myrepo"})-[edge:REQUIRES]->(dep:Dependency:PythonLibrary)
RETURN dep.name, edge.specifier, dep.version

Given a dependency, which GitHub repos depend on it?

Using boto3 as an example dependency:

MATCH (dep:Dependency:PythonLibrary{name:"boto3"})<-[req:REQUIRES]-(repo:GitHubRepository)
RETURN repo.name, req.specifier, dep.version

What are all the dependencies used across all GitHub repos?

Just the list of dependencies and their versions:

MATCH (dep:Dependency)
RETURN DISTINCT dep.name AS name, dep.version AS version

With info about which repos are using them:

MATCH (repo:GitHubRepository)-[edge:REQUIRES]->(dep:Dependency)
RETURN repo.name, dep.name, edge.specifier, dep.version
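
Building on the dependency queries above, the following added example (not one of the project's own sample queries) surfaces version drift: libraries that are required at more than one version across repositories, which is where an outdated or vulnerable pin tends to hide. It assumes a library required at different versions appears as separate Dependency nodes that share the same name; the column aliases are illustrative.

```cypher
// Added example: find dependencies required at more than one version.
// Assumption: each (name, version) pair is its own Dependency node,
// so grouping by dep.name collects every version in use.
MATCH (repo:GitHubRepository)-[edge:REQUIRES]->(dep:Dependency)
WITH dep.name AS name,
     // collect() skips nulls, so unpinned requirements do not add a version
     collect(DISTINCT dep.version) AS versions,
     collect(DISTINCT repo.name) AS repos
// Keep only libraries that are pinned to at least two different versions
WHERE size(versions) > 1
RETURN name, versions, repos
// Most fragmented libraries first, then alphabetical for stable output
ORDER BY size(versions) DESC, name
```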

Lyft ingests this information into our internal data stack, which has enabled us to throw BI tooling on top for easy reporting - this is highly recommended!