
4 Query Tools That Every Developer Should Know

Published: September 14, 2022 | By: Abhay Bhargav | Ideal for: Developer

Have you noticed the trend that many infosec tools are now query tools? Query tools let you compose queries in SQL, YAML, or some DSL. The tool translates these queries into parameters for an API of $environment, such as your operating system, cloud environment, or source code, to generate findings.

 

Here are some of my favorite query tools/infosec labs that I think you should know about!

While you’re at it, check out some of the best appsec labs for you to sharpen your skills.

 

1. osquery:

Let's start with osquery. It is an outstanding query tool for the OS and one of the first I came across. osquery works across OS platforms and is widely used for DevOps, compliance, threat hunting, and other purposes. It lets you query OS properties and configurations using SQL.
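An added example (not from the original post or from the osquery project): two osquery-style SQL checks run with Python's `sqlite3` against a constructed snapshot. The table and column names follow a subset of osquery's `processes` and `listening_ports` tables; the sample rows, the check names, and the assumption that port 22 is expected are illustrative.

```python
import sqlite3

# Constructed sample rows. Columns follow a subset of osquery's
# `processes` and `listening_ports` tables.
PROCESSES = [  # (pid, name, path, on_disk)
    (412, "sshd", "/usr/sbin/sshd", 1),
    (977, "postgres", "/usr/lib/postgresql/14/bin/postgres", 1),
    (1530, "redis-server", "/usr/bin/redis-server", 1),
    (2201, "kworker", "/tmp/.x/kworker", 0),  # binary no longer on disk
]
LISTENING_PORTS = [  # (pid, port, address)
    (412, 22, "0.0.0.0"),
    (977, 5432, "127.0.0.1"),
    (1530, 6379, "0.0.0.0"),
    (2201, 4444, "::"),
]

# Check name -> SQL. Port 22 is assumed to be expected on this host.
QUERIES = {
    "exposed_listener": """
        SELECT p.pid, p.name, lp.port, lp.address
        FROM listening_ports AS lp JOIN processes AS p ON p.pid = lp.pid
        WHERE lp.address IN ('0.0.0.0', '::') AND lp.port NOT IN (22)
        ORDER BY lp.port""",
    "binary_deleted": """
        SELECT pid, name, path FROM processes
        WHERE on_disk = 0 ORDER BY pid""",
}

def snapshot_db():
    """Load the constructed snapshot into an in-memory SQLite database."""
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.execute("CREATE TABLE processes (pid INT, name TEXT, path TEXT, on_disk INT)")
    db.execute("CREATE TABLE listening_ports (pid INT, port INT, address TEXT)")
    db.executemany("INSERT INTO processes VALUES (?, ?, ?, ?)", PROCESSES)
    db.executemany("INSERT INTO listening_ports VALUES (?, ?, ?)", LISTENING_PORTS)
    return db

def run_checks(db):
    """Run every query; each returned row becomes one finding."""
    return [{"check": name, **dict(row)}
            for name, sql in QUERIES.items() for row in db.execute(sql)]

if __name__ == "__main__":
    findings = run_checks(snapshot_db())
    for finding in findings:
        print(finding)
    raise SystemExit(1 if findings else 0)  # non-zero exit fails a pipeline step
```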

 

2. CodeQL:

Next, we have CodeQL, which was the first to impress me in the SAST segment. This is also a SQL-based query tool that parses the source code's AST (abstract syntax tree) to discover vulnerabilities based on the requested patterns.

 

3. Semgrep:

In SAST, I've recently been loving Semgrep. It makes SAST extremely strong by combining the simplicity of grep expressions with YAML. Scaling SAST across a huge codebase becomes easier and more accurate with Semgrep's pattern syntax.  

 

4. Steampipe:

Lastly, I've been highly impressed with Steampipe, which allows you to query your cloud environment for security flaws using SQL. I enjoy the pre-built rule sets they provide.

 

I prefer query tools for security analysis since they allow me to utilize pre-made queries or write my own for the use cases I need and want. It equips me with speed and versatility, making it ideal for integrating into a pipeline. 


