Announcement

v0.6.0: Export and Filter Controls

Learn more about the new open source features in Steampipe v0.6.0

Steampipe Team
6 min. read - Jun 17, 2021

What is Steampipe?

Steampipe is open source software for interrogating your cloud. Run SQL queries, compliance controls and full governance benchmarks from the comfort of your CLI.

Steampipe’s codified operations framework gives you the power to test your cloud resources against security, compliance and cost benchmarks, and to build your own custom control frameworks.

Our multi-threaded Golang CLI makes your custom SQL controls blazing fast with unlimited integration options via our embedded PostgreSQL database.

steampipe cli
> select
    region,
    instance_state as state,
    instance_type as type
  from
    aws_ec2_instance;

+-----------+---------+-----------+
| region    | state   | type      |
+-----------+---------+-----------+
| eu-west-1 | running | t3.medium |
| eu-west-2 | running | m5a.large |
| us-east-1 | running | t3.large  |
+-----------+---------+-----------+
        

tl;dr

Export control output to CSV or JSON.
New control filtering options.
The query command now supports STDIN.
10 new plugins and mods.
Join our new Slack Channel!
Even more goodies in the full release notes.


Export Control Output

Standard Steampipe queries have always had output options (ASCII table format, line format, CSV and JSON). Last month (in v0.5.0) we added the capability to run controls from the CLI, with nicely formatted output showing the status of each control, like this:

This view is great for humans to read, but not so great for parsing with code. Starting with v0.6.0, these reports can be exported in CSV and JSON formats. The same control run can be output to the console and to multiple export formats simultaneously using the new --export option.

zsh
$ steampipe check all --export=output.csv --export=output.json
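
One way to consume the CSV export in a pipeline, shown as an added example that is not part of the original post or Steampipe's own code. The column names (`control_id`, `control_title`, `resource`, `status`, `reason`) and the status values are assumptions about the export layout, and the sample rows are constructed; check the header row of your own output.csv before relying on it.

```python
import csv
import io
from collections import Counter

# Constructed sample standing in for output.csv. Column names and status
# values are assumptions for this example; adjust them to your export.
SAMPLE_EXPORT = """\
control_id,control_title,resource,status,reason
s3_public_write,S3 buckets should prohibit public write access,arn:aws:s3:::example-a,ok,Not publicly writable.
s3_public_read,S3 buckets should prohibit public read access,arn:aws:s3:::example-b,alarm,Publicly readable.
s3_encryption,S3 buckets should have server-side encryption enabled,arn:aws:s3:::example-a,alarm,Default encryption disabled.
s3_encryption,S3 buckets should have server-side encryption enabled,arn:aws:s3:::example-b,ok,Default encryption enabled.
s3_replication,S3 buckets should have cross-region replication enabled,arn:aws:s3:::example-a,skip,Not applicable.
"""

FAILING = {"alarm", "error"}  # assumed statuses that should fail a pipeline
REQUIRED = ("control_id", "resource", "status", "reason")


def triage(stream):
    """Return (status counts, failing rows grouped by control id)."""
    reader = csv.DictReader(stream)
    missing = [c for c in REQUIRED if c not in (reader.fieldnames or [])]
    if missing:
        # Fail closed: a renamed column must not read as "no findings".
        raise ValueError(f"export is missing columns: {missing}")
    counts, failing = Counter(), {}
    for row in reader:
        status = (row["status"] or "").strip().lower()
        counts[status] += 1
        if status in FAILING:
            failing.setdefault(row["control_id"], []).append(
                (row["resource"], row["reason"]))
    return counts, failing


def gate(stream):
    """Exit code for CI: 1 if any control has a failing resource, else 0."""
    counts, failing = triage(stream)
    for control, hits in sorted(failing.items()):
        for resource, reason in hits:
            print(f"FAIL {control} {resource}: {reason}")
    print("summary:", dict(counts))
    return 1 if failing else 0


if __name__ == "__main__":
    raise SystemExit(gate(io.StringIO(SAMPLE_EXPORT)))
```

Against a real run, replace the sample with `open("output.csv", newline="")` and use the return value of `gate` as the job's exit status.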

Control filter options

As the number of controls in a mod grows (the AWS compliance mod now supports over 300 controls), you need a way to manage which controls are run. New in v0.6.0, you can use the --tag and --where options when running the check command. When using either (or both) of these options, only controls matching all of the filters will be run. In this example we are using tag filtering to run just the PCI DSS controls applicable to AWS S3:

Steampipe's mod introspection allows you to query controls using the steampipe_control table. In v0.6.0 you can dynamically pass a where clause to the table as another way to limit results. Here we only run controls that have a severity of critical or high:

To help you get your tag syntax correct, the check command also supports a --dry-run option that shows which controls would be executed given the current filters:

zsh
$ steampipe check all --tag service=s3 --tag benchmark=pci --dry-run

AWS Compliance
|
+ PCI v3.2.1
  |
  + S3
    |
    + 1 S3 buckets should prohibit public write access
    |
    + 2 S3 buckets should prohibit public read access
    |
    + 3 S3 buckets should have cross-region replication enabled
    |
    + 4 S3 buckets should have server-side encryption enabled
    |
    + 5 S3 buckets should require requests to use Secure Socket Layer
    |
    + 6 S3 Block Public Access setting should be enabled
        

Support for STDIN

The query command in v0.6.0 can now read from STDIN. You can use this feature to pass in a query piped from another command's output, as in this example:

zsh
$ cat my_query.sql | steampipe query

+------------------------+-----------+--------------------+
| name                   | region    | versioning_enabled |
+------------------------+-----------+--------------------+
| dmi-warehouse-scranton | us-east-1 | false              |
| dmi-sales-scranton     | us-east-1 | false              |
| dmi-finance-us         | us-east-2 | false              |
+------------------------+-----------+--------------------+
        

New plugins and mods

Since last month's v0.5.0 release, 4 new plugins have been released:

Six new mods have been released:

AWS compliance mod has been updated to support even more benchmarks:

Let’s get building!

Steampipe now delivers a full suite of tools to build, execute and share cloud configuration, compliance, and security frameworks using SQL, HCL and a little elbow grease! We would love your help to expand the open source documentation and control coverage for CIS, PCI, HIPAA, NIST… and the best way to get started is to join our new Slack workspace and raise your hand; we would love to talk to you!

For even more good stuff in v0.6.0, check out the full release notes on GitHub.