Open source · AGPL-3.0 · Asset reconciliation, automated
Every device.
One source of truth.
Cairn pulls your fleet from the tools that already manage it — Jamf, Intune, Kandji, ChromeOS, CrowdStrike and more — reconciles every device into your asset system of record, and pushes asset tags back to the MDM so both sides agree. Its drift report shows exactly where your CMDB disagrees with reality. It's free and open source (AGPL-3.0): self-host it yourself, at no cost, forever.
$ cairn drift
→ observed 412 device(s) across sources vs 388 record(s) in the CMDB
~ 7 missing · 3 stale · 2 conflicting · 1 duplicate · 399 ok
MISSING from CMDB (7)
****9F2A ████████░░ 85% not in the system of record seen by: jamf, crowdstrike
****1C04 ███████░░░ 70% not in the system of record seen by: intune
CONFLICTING fields (2)
****8D10 [A0991] ████████░░ 80% hostname disagrees: MARKETING-07 ≠ mktg-laptop-7
mode: fleet
sources:
  - type: jamf
    base_url: https://acme.jamfcloud.com
    trust: 90 # higher wins on conflict
  - type: intune
    trust: 70
sink:
  type: snipe-it
  base_url: https://assets.acme.com
notify:
  - type: slack
Is your CMDB lying?
cairn drift is read-only — it writes nothing. It pulls every source,
reconciles by serial, reads your system of record, and diffs them, so you see
exactly where the official record disagrees with the tools that actually manage your fleet.
- Missing: A device your MDM or EDR sees that isn't in the CMDB at all — bought and never logged.
- Stale: A record no source has seen in your stale window (default 30 days) — a retirement or lost-device candidate.
- Duplicate: More than one record sharing the same serial. Merge or delete the extra rows.
- Conflicting: Present in both, but a field disagrees — hostname, model, manufacturer or OS. A blank field is a backfill opportunity, not a conflict.
- Confidence scores: Every finding carries a 0–100 score weighted by how many independent sources corroborate it, so you triage the sure things first.
- Scheduled digests: Exits non-zero on drift to gate CI, and sends a "what's missing/stale/conflicting" summary to Teams, Slack or a webhook on a cadence — without ever writing to your CMDB.
Built for honest inventory
Cairn does one job well: it makes your system of record match reality.
- Pluggable providers: Add a new MDM or EDR by dropping in a provider — no changes to the core engine.
- Agent & fleet modes: Run on each endpoint to sync that machine, or run centrally to reconcile the whole fleet.
- Serial reconciliation: Merges records for the same physical machine across tools, field-by-field, by trust priority.
- Network discovery: Lightweight, ARP-based discovery surfaces unmanaged devices — printers, switches, IoT, rogue boxes — that no MDM or EDR sees. Passive by default: it reads the ARP cache and sends no packets of its own. An active sweep is opt-in (and currently a documented no-op, so enabling it never silently scans).
- More CMDB backends: Drift can read your system of record from Snipe-IT, GLPI or NetBox — point it at whichever ITAM you already run. Snipe-IT remains the write target for sync.
- Security-first: HTTPS-only, secrets via env vars, config permission checks, and serial masking in logs.
- Single binary: One cross-platform binary for macOS, Windows, and Linux — download a release or build from source on GitHub.
- Dry-run mode: Preview every create, update, and conflict resolution before a single write hits your SoR.
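The drift categories under "Is your CMDB lying?" and the trust-priority serial reconciliation described above, shown as an added Python example. This is not Cairn's own code: the record field names, the serial normalisation, the sample data and the crowdstrike trust value are assumptions, and the confidence score is left out because the page does not give its formula.

```python
from datetime import date, timedelta

FIELDS = ("hostname", "model", "manufacturer", "os")  # compared fields; key names assumed

def merge_by_trust(observations, trust):
    """Group source records by serial; per field the highest-trust non-blank value wins."""
    merged = {}
    for obs in sorted(observations, key=lambda o: trust[o["source"]]):  # lowest trust first
        # Serial normalisation (strip + upper-case) is an assumption of this example.
        dev = merged.setdefault(obs["serial"].strip().upper(), {"sources": set()})
        dev["sources"].add(obs["source"])
        dev["last_seen"] = max(dev.get("last_seen", date.min), obs["last_seen"])
        dev.update({f: obs[f] for f in FIELDS if obs.get(f)})  # blanks never overwrite
    return merged

def drift(observations, cmdb, trust, today, stale_days=30):
    """Read-only diff: returns (kind, serial, detail) findings and writes nothing."""
    observed, records = merge_by_trust(observations, trust), {}
    for rec in cmdb:
        records.setdefault(rec["serial"].strip().upper(), []).append(rec)
    findings = [("missing", s, sorted(observed[s]["sources"]))
                for s in sorted(observed.keys() - records.keys())]
    for serial, recs in sorted(records.items()):
        if len(recs) > 1:
            findings.append(("duplicate", serial, len(recs)))
        dev = observed.get(serial)
        if dev is None or dev["last_seen"] < today - timedelta(days=stale_days):
            findings.append(("stale", serial, dev and dev["last_seen"]))
            continue
        for f in FIELDS:
            have, seen = recs[0].get(f), dev.get(f)
            if seen and seen != have:  # blank CMDB field is a backfill, not a conflict
                kind = "conflicting" if have else "backfill"
                findings.append((kind, serial, (f, have, seen)))
    return findings

TRUST = {"jamf": 90, "intune": 70, "crowdstrike": 80}  # 90/70 as in the config; 80 assumed
TODAY = date(2024, 6, 1)
OBSERVED = [  # constructed sample data
    {"source": "jamf", "serial": "SN-A1", "hostname": "mktg-laptop-7", "last_seen": TODAY},
    {"source": "intune", "serial": "sn-a1", "hostname": "MKTG7", "os": "macOS 14", "last_seen": TODAY},
    {"source": "crowdstrike", "serial": "SN-B2", "hostname": "dev-03", "last_seen": TODAY},
    {"source": "intune", "serial": "SN-C3", "hostname": "old-pc", "last_seen": date(2024, 3, 1)},
]
CMDB = [  # constructed sample data; SN-C3 is entered twice
    {"serial": "SN-A1", "hostname": "MARKETING-07", "os": ""},
    {"serial": "SN-C3", "hostname": "old-pc"}, {"serial": "SN-C3", "hostname": "old-pc"},
]
FINDINGS = drift(OBSERVED, CMDB, TRUST, TODAY)
```

SN-A1 yields a hostname conflict against the jamf value (the intune hostname loses on trust) and an os backfill, while SN-C3 is reported both as a duplicate and as stale.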
Why "Cairn"
A cairn is a stack of stones travelers build to mark a safe path — each one placed by someone who came before, so the next person doesn't lose their way. That's the spirit of this project: an open, community-built set of markers that show small teams the route through compliance. Anyone can add a stone; everyone benefits from the trail.
Cairn doesn't have to stand alone — it integrates with Sightline, Lookout, and Bastion, so the evidence and posture you build here can flow into the rest of your compliance and monitoring stack.
Works with the tools you already run
Cairn reads from your management tools, writes to Snipe-IT, and runs drift against Snipe-IT, GLPI or NetBox. ServiceNow isn't supported yet.
Sources
- Jamf Pro
- Microsoft Intune
- Kandji
- JumpCloud
- Google Workspace (ChromeOS)
- CrowdStrike Falcon
- Sophos Central
- Microsoft Defender for Endpoint
- Apple Business Manager
- UniFi
- Network discovery (ARP)
- CDW (procurement)
- Rudder
System of record
- Snipe-IT — read & write
- GLPI — read (drift)
- NetBox — read (drift)
Notifications
- Microsoft Teams
- Slack
- Generic webhook
Install Cairn
Pick your platform. Cairn is free and open source (AGPL-3.0) — grab a release from GitHub or build from source.
Grab the latest release binary from GitHub and drop it in your PATH:
# Download the latest macOS release from GitHub
curl -fsSL https://github.com/jsdosanj/cairn/releases/latest/download/cairn-macos.tar.gz | tar xz
sudo mv cairn /usr/local/bin/
cairn --version
Download the release .zip from GitHub and extract it:
# PowerShell — download the latest Windows release and extract
Invoke-WebRequest `
https://github.com/jsdosanj/cairn/releases/latest/download/cairn-windows-x64.zip `
-OutFile cairn.zip
Expand-Archive cairn.zip -DestinationPath "$Env:ProgramFiles\Cairn"
cairn --version
Install the .deb on Debian/Ubuntu, or use the tarball anywhere:
# Debian / Ubuntu (.deb)
curl -fsSLO https://github.com/jsdosanj/cairn/releases/latest/download/cairn-linux.deb
sudo dpkg -i cairn-linux.deb
# Or the portable tarball
curl -fsSL https://github.com/jsdosanj/cairn/releases/latest/download/cairn-linux.tar.gz | tar xz
sudo mv cairn /usr/local/bin/
Clone the repo and build the open-source binary yourself:
# Clone and build from source (AGPL-3.0)
git clone https://github.com/jsdosanj/cairn.git
cd cairn
make build && sudo mv ./bin/cairn /usr/local/bin/
# then generate a starter config
cairn init > cairn.yaml
Stop guessing what you own.
Run a read-only drift report first to see what your CMDB is missing — then reconcile in minutes.
Get in touch
Questions about Cairn, a deployment, or a custom provider? Send us a note and we'll get back to you.