CyberCheatsheets

jq Cheat Sheet

jq command-line JSON processor — filter, transform, and extract fields from API responses and tool output.

Utilities & Shells | api | cli | jq | json | parsing | Updated 2026-06-17

Overview

jq is sed/awk for JSON. It parses, filters, and reshapes JSON from APIs and security tools (nuclei, subfinder, trivy, cloud CLIs all speak JSON). Master a handful of filters and you can pull exactly the fields you need into a pipeline instead of eyeballing raw output.

Reference material. Process only data you are authorized to handle.

Basics

Pretty-print and validate JSON

jq . file.json

Pretty-print an API response

curl -s https://api/x | jq .

Extract a top-level field

jq '.name' file.json

Nested field access

jq '.user.email' file.json

Raw output (no quotes) — essential for scripting

jq -r '.token' file.json

Arrays

Iterate every element of an array

jq '.[]' file.json

First element

jq '.[0]' file.json

A field from each object in an array

jq '.items[].name' file.json

Count elements / object keys

jq 'length' file.json

Pipe each element into a filter

jq '.[] | .id' file.json

Filter & select

Keep elements matching a condition

jq '.[] | select(.active==true)' file.json

Filter then project a field

jq '.[] | select(.port==443) | .host' file.json

Regex match on a field

jq '.[] | select(.name | test("admin"))' file.json

Filter an array in place

jq 'map(select(.severity=="high"))' findings.json

Transform & reshape

Build a new object

jq '{name: .fullName, ip: .address}' file.json

Map to a slimmed array of objects

jq '[.[] | {host, port}]' file.json

Emit CSV rows

jq -r '.[] | [.host, .port] | @csv' file.json

String interpolation → host:port lines

jq -r '.[] | "\(.host):\(.port)"' file.json

List an object's keys

jq 'keys' file.json

Security workflow one-liners

Extract live hosts from httpx JSON

jq -r 'select(.status_code==200) | .url' httpx.json

Pull high/critical findings from a trivy report

jq -r '.Results[].Vulnerabilities[]? | select(.Severity=="HIGH" or .Severity=="CRITICAL") | .VulnerabilityID' trivy.json

List S3 bucket names from AWS CLI output (list-buckets returns every bucket in the account, not only public ones)

aws s3api list-buckets | jq -r '.Buckets[].Name'

Decode a JWT payload (inspection only; this does not verify the signature)

echo "$JWT" | cut -d. -f2 | tr '_-' '/+' | base64 -d 2>/dev/null | jq .

Count nuclei findings by severity

jq -r '.info.severity' nuclei.json | sort | uniq -c

Tips

  • Use -r (raw) whenever you pipe jq output into another command — quotes break the next tool.
  • select() filters; map() applies a transform to each array element.
  • Add ? after a path (.field?, .items[]?) to suppress errors when the value is missing or has the wrong type, such as iterating an array that is null.
  • @csv, @tsv, and @sh formatters turn JSON into shell- and spreadsheet-friendly rows.
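
Added example, not part of the original cheat sheet: the trivy one-liner, the `[]?` tip and the @tsv formatter combined into two reusable shell functions. The report is constructed sample data with placeholder CVE ids and package names, and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: triage a Trivy JSON report with jq.

# Constructed sample report; CVE ids and package names are placeholders.
# The second and third results have no findings (missing key, null value).
sample_report() {
  cat <<'EOF'
{"Results":[
  {"Target":"app/image (alpine)","Vulnerabilities":[
    {"VulnerabilityID":"CVE-0000-0001","PkgName":"libexample","Severity":"CRITICAL","FixedVersion":"1.2.4"},
    {"VulnerabilityID":"CVE-0000-0002","PkgName":"libexample","Severity":"LOW"},
    {"VulnerabilityID":"CVE-0000-0003","PkgName":"tool\tx","Severity":"HIGH"}]},
  {"Target":"app/package-lock.json"},
  {"Target":"app/requirements.txt","Vulnerabilities":null}
]}
EOF
}

# One TSV row per HIGH/CRITICAL finding: target, id, package, severity, fix.
# `[]?` skips results whose Vulnerabilities key is absent or null.
# `// "none"` fills in a missing FixedVersion.
# @tsv escapes tabs and newlines inside values, so data cannot shift columns.
high_crit_tsv() {
  jq -r '
    .Results[]?
    | .Target as $t
    | .Vulnerabilities[]?
    | select(.Severity == "HIGH" or .Severity == "CRITICAL")
    | [$t, .VulnerabilityID, .PkgName, .Severity, (.FixedVersion // "none")]
    | @tsv'
}

# Severity counts computed inside jq, printed as SEVERITY=N lines.
severity_counts() {
  jq -r '
    [.Results[]? | .Vulnerabilities[]? | .Severity]
    | group_by(.)
    | map("\(.[0])=\(length)")
    | .[]'
}
```

Run it as `sample_report | high_crit_tsv`, or feed a real report with `high_crit_tsv < trivy.json`.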
