Install one plugin and look up geolocation, VPN and proxy detection, ASN, and abuse data for any IP in plain SQL.
Steampipe runs SQL against APIs as if they were database tables. The ipgeolocation.io Steampipe plugin lets you query IP geolocation, threat, ASN, and abuse data with SQL. Install it, add an API key, and select from four tables that return any IPv4 or IPv6 address as a row you can filter, join, and aggregate.
Each table takes an IP in the WHERE clause and hits the live API at query time. The example below runs against ipgeolocation_security and returns one result row.
select ip, is_tor, is_vpn, threat_score
from ipgeolocation_security
where ip = '185.220.101.1';

+---------------+------------+--------+--------------+
| ip            | is_tor     | is_vpn | threat_score |
+---------------+------------+--------+--------------+
| 185.220.101.1 | false      | true   | 80           |
+---------------+------------+--------+--------------+
You go from install to a working query in a couple of minutes. No credit card required to start.
Run the Steampipe install command for the ipgeolocation plugin. Steampipe pulls the binary for you, with no build step.
Paste your key into the plugin's .spc config file, or set the IPGEOLOCATION_API_KEY environment variable.
SELECT from any of the four tables with an IP in the WHERE clause, and the plugin returns it as a SQL row you can join and filter.
The full setup, including the Postgres and SQLite options, lives in the plugin documentation.
Prefer your own database? The same tables run in Steampipe, in any Postgres through the foreign data wrapper, and in SQLite.
Every table takes an IP in the WHERE clause and returns it as a row. Filter, join, and aggregate with the SQL you already write.
ipgeolocation_ip
Resolve any IPv4 or IPv6 address to its country, city, and timezone in one SELECT, with full enrichment returned as a single row.
select ip, country_name, city, time_zone
from ipgeolocation_ip
where ip = '8.8.8.8';

ipgeolocation_security
Spot VPNs, proxies, Tor, and bots with a 0 to 100 threat score, straight from the security table.
select ip, is_vpn, is_proxy, is_tor, threat_score
from ipgeolocation_security
where ip = '185.220.101.1';

ipgeolocation_abuse
Pull the registered abuse contact and CIDR for any IP, ready to drop into a ticket or report.
select ip, name, email, address
from ipgeolocation_abuse
where ip = '1.1.1.1';

ipgeolocation_asn
Return ASN, organization, type, RIR, and route counts to see who owns and routes an address.
select ip, asn, organization, type, country
from ipgeolocation_asn
where ip = '8.8.8.8';

Because the tables behave like any other relation, you can JOIN them straight against the data you already have. Point a server_logs table at ipgeolocation_ip and ipgeolocation_security, and every result row gains country and threat-score columns, ranked so the riskiest traffic surfaces first.
select l.ip, l.path, g.country_name, s.threat_score
from server_logs l
join ipgeolocation_ip g on g.ip = l.ip
join ipgeolocation_security s on s.ip = l.ip
order by s.threat_score desc;

From SOC triage to compliance evidence, see how teams query IP intelligence in SQL.
Pull a week of suspicious source IPs into Steampipe and tag each one with country, VPN or proxy status, and a threat score, with no enrichment pipeline to stand up first.
When an alert fires on an unfamiliar IP, one query returns its location, anonymization signals, and the abuse contact to notify, so triage takes seconds instead of five browser tabs.
Check a list of server or egress IPs for ASN ownership and cloud-provider status across environments, then save the query as a repeatable check the team can rerun.
Run an auditable query that maps login IPs to country and network owner, then export the result as evidence for an access review or a data-residency check.
JOIN customer or event tables against IP geolocation to break usage down by country, region, or timezone, with no separate enrichment tool in the way.
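The server_logs join and the week-of-suspicious-IPs use case described above, combined as an added example that is not taken from the plugin's documentation. It collapses a week of log lines to one row per source address before joining the plugin tables, so each address is enriched once rather than once per log line. The ts timestamp column on server_logs, the boolean type of the is_* flags, and the threat_score cutoff of 50 are assumptions.

```sql
-- Added example. Assumptions: server_logs has a timestamp column named ts,
-- the is_* columns are booleans, and 50 is a constructed cutoff on the
-- 0 to 100 threat score.
with recent as (
  -- One row per source address for the last seven days, with simple
  -- activity counters that help during triage.
  select
    ip,
    count(*)             as hits,
    count(distinct path) as distinct_paths,
    min(ts)              as first_seen,
    max(ts)              as last_seen
  from server_logs
  where ts >= now() - interval '7 days'
  group by ip
)
select
  r.ip,
  r.hits,
  r.distinct_paths,
  r.first_seen,
  r.last_seen,
  g.country_name,
  s.is_vpn,
  s.is_proxy,
  s.is_tor,
  s.threat_score
from recent r
join ipgeolocation_ip g       on g.ip = r.ip
join ipgeolocation_security s on s.ip = r.ip
-- Keep only addresses with an anonymization signal or an elevated score.
where s.is_tor
   or s.is_vpn
   or s.is_proxy
   or s.threat_score >= 50
order by s.threat_score desc, r.hits desc;
```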
Steampipe runs SQL against live APIs as if they were database tables. The ipgeolocation.io plugin turns IP geolocation, threat, ASN, and abuse data into four tables you can filter, join, and aggregate with the SQL you already write.
Geolocation, security, abuse, and ASN data, fetched live from the API at query time rather than from a cached snapshot.
Resolve any IPv4 or IPv6 address to a location in one SELECT. No scripts, no JSON parsing, no pagination.
The same tables run in the Steampipe CLI, in any Postgres through the foreign data wrapper, and in SQLite.
The plugin is Apache 2.0 licensed and runs on the free plan, with 1,000 credits per day for geolocation, timezone, and ASN data.
The plugin is free and open source under Apache 2.0. It runs on the ipgeolocation.io free plan, which includes 1,000 credits per day covering geolocation, timezone, and ASN data. Security signals, company data, and abuse contacts are available on paid plans.
Yes. Every table accepts both IPv4 and IPv6 addresses in the WHERE clause and returns the same columns for each address type. You can mix address types across queries without changing anything. IPv6 works on every plan, including the free plan, with no separate configuration or endpoint.
Results come live from the ipgeolocation.io API at query time, not from a cached snapshot, and the underlying data refreshes multiple times per day. On paid plans, each row also includes confidence and accuracy_radius fields, so you can filter results by how precise a location is.
Four tables. ipgeolocation_ip returns full enrichment, ipgeolocation_security returns VPN, proxy, Tor, and threat scores, ipgeolocation_abuse returns abuse contacts, and ipgeolocation_asn returns network and routing data. Each takes an IP address in the WHERE clause and returns it as a SQL row.
For a list of IPs, credits are charged per valid IP, only on success, and the cost depends on the data requested (base lookups cost less than security or abuse; see the credits usage guide). For large or recurring enrichment, the downloadable IP databases query locally with no per-lookup cost. For very high volume, talk to us.
No. After installing the plugin and adding your API key, you work entirely in SQL, the same SELECT and JOIN you already write. The Steampipe Hub also ships 22 example queries you can copy and adapt for your own data.