Fleet logo
Menu An icon indicating that interacting with this button will open the navigation menu.
Fleet logo An 'X' icon indicating that this can be interacted with to close the navigation menu.
Multi platform
Device management   (+ MDM) Orchestration   (+ monitoring) Software management   (+ CVEs) Integrations

Docs
Stories
What people are saying News Ask around Meetups COMPANY
Origins   (Fleet & osquery) The handbook Logos & artwork Why open source?

Pricing Take a tour
Multi platform
Device management + MDM Orchestration + monitoring Software management + CVEs, usage, app library Integrations
Docs
Stories
What people are saying News Ask around Take a tour Meetups COMPANY Origins   (Fleet & osquery) The handbook Logos/artwork Why open source?
Pricing Try it yourself
{{categoryFriendlyName}}/
{{thisPage.meta.articleTitle}}
search

osquery 5.11.0 | VSCode, Apple silicon, and more

{{articleSubtitle}}

| The author's GitHub profile picture

JD Strong

Share this article on Hacker News Share this article on LinkedIn Share this article on Twitter

On this page

{{topic.title}}
Docs Docs REST API REST API Guides Guides Talk to an engineer Talk to an engineer
Suggest an editSuggest an edit

Try it out

See what Fleet can do

Start now
macOS Windows Linux

osquery 5.11.0 | VSCode, Apple silicon, and more

{{articleSubtitle}}

| The author's GitHub profile picture

JD Strong

Osquery 5.11.0 | VSCode, Apple silicon, and more.

osquery 5.11.0

Osquery 5.11 introduces enhancements that include the vscode_extensions table for inventorying VSCode extensions, additional Apple Silicon support columns in the secureboot table, Windows shortcut metadata parsing in the file table, and caching mechanisms for macOS keychain tables to prevent corruption. Openness is a key Fleet value. We welcome contributions to Fleet and find ways to contribute to other open-source projects. When you support Fleet, you are also contributing to projects like osquery. Let’s take a look at the changes in this latest release.

Please note that osquery 5.11 has already been pushed to Fleet’s stable and edge auto-update channels.

Highlights

  • VSCode extensions table
  • Apple silicon support added to secureboot table
  • Shortcut metadata parsing on Windows
  • Preventing keychain corruption with smart caching

VSCode extensions table

Osquery introduces a new table named vscode_extensions, which expands the tool's capabilities in inventory management. This addition allows for the enumeration of extensions installed in Visual Studio Code (VSCode), providing valuable insights into the development environments across managed devices. With this table, IT and security teams can efficiently gather detailed information about VSCode extensions, aiding in compliance checks, security assessments, and the overall management of software assets.

Apple silicon support added to secureboot table

The secureboot table in osquery has been updated to include new columns that provide deeper insights into the security configurations of Apple Silicon devices. The added columns are "description," "allow_kernel_extensions," and "allow_mdm_operations," which reflect the settings available in the Startup Security Utility of macOS. This enhancement enables a more detailed analysis of secure boot settings, facilitating better security posture assessments for Apple Silicon devices. This contribution was made by Zach Wasserman, Cofounder of Fleet.

Shortcut metadata parsing on Windows

The file table in osquery has been enhanced to include parsing for shortcut metadata on Windows systems. This update allows for extracting and analyzing information from Windows shortcut files (.lnk files), such as target path, arguments, and other relevant shortcut details. This feature provides a more comprehensive understanding of the files present on Windows hosts, aiding in forensic investigations and system audits by offering insights into shortcut configurations and their associated actions. This addition further extends osquery's utility in providing detailed system information and contributes to its role as a valuable tool for IT and security professionals.

Preventing keychain corruption with smart caching

Caching and throttling mechanisms have been introduced for the certificates, keychain_acls, and keychain_items tables on macOS to mitigate the risk of keychain corruption, a known issue from unstable macOS APIs. The new cache system evaluates if a keychain file has been altered by comparing its SHA256 hash to previous accesses. Should the file remain unchanged or accessed within a preset interval, osquery will reuse the cached results, reducing unnecessary file reads.

This caching operates individually across each table, allowing concurrent yet controlled access to keychain files, enhancing osquery's efficiency and stability on macOS platforms. This significant enhancement was contributed by Fleetie, Victor Lyuboslavsky.

Fleet logo
Multi platform Device management Orchestration Software management Integrations Pricing
Documentation Support Docs API Release notes Get your license
Company About News Jobs Logos/artwork Why open source?
ISO 27001 coming soon a small checkmarkSOC2 Type 2 Creative Commons Licence CC BY-SA 4.0
© 2025 Fleet Inc. Privacy
Slack logo GitHub logo LinkedIn logo X (Twitter) logo Youtube logo Mastadon logo
Tried Fleet yet?

Get started with Fleet

Start
continue
×