v0.19.0: Dynamic table aggregation, Kubernetes CRDs →

Running Benchmarks

Steampipe controls and benchmarks provide a generic mechanism for defining and running control frameworks such as CIS, NIST, HIPAA, etc, as well as your own customized groups of controls.

There are many control frameworks in existence today, and though they are all implemented with their own specific syntax and structure, they are generally organized in a defined, hierarchical structure, with a pass/fail type of status for each item. The control and benchmark resources allow Steampipe to provide simplified, consistent mechanisms for defining, running, and returning output from these disparate frameworks.

Steampipe benchmarks automatically appear as dashboards when you run steampipe dashboard in the mod. From the dashboard home, you can select any benchmark to run it and view it in an interactive HTML format. You can even export the benchmark results as a CSV from the panel view.


You can also run controls and benchmarks in batch mode with the steampipe check command. The steampipe check command provides options for selecting which controls to run, supports many output formats, and provides capabilities often required when using steampipe in your scripts, pipelines, and other automation scenarios.

To run every benchmark in the mod:

steampipe check all

The console will show progress as its runs, and will print the results to the screen when it is complete:

You can find controls and benchmarks in the Steampipe Mods section of the Steampipe Hub, or by searching Github directly.

You can also create your own controls and benchmarks, and package them into a mod.

More Examples

The steampipe check command executes one or more Steampipe benchmarks and controls. You may specify one or more benchmarks or controls to run, or run steampipe check all to run all

You can run all controls in the workspace:

steampipe check all

Or only run a specific benchmark:

steampipe check benchmark.cis_v130

Or run only specific controls:

steampipe check control.cis_v130_1_4 control.cis_v130_2_1_1

Or only run controls with specific tags. For example, to run the controls that have tags cis_level=1 and benchmark=cis:

steampipe check all --tag cis_level=1 --tag cis=true

Usually, steampipe mods use unqualified queries to "target" whichever connection is first in the search path, but you can specify a different path or prefix if you want:

steampipe check all --search-path-prefix aws_connection_2

You can filter the controls to run using a where clause on the steampipe_control reflection table. 

steampipe check all --where "severity in ('critical', 'high')"

You can preview which controls with the --dry-run flag:

steampipe check all --where "severity in ('critical', 'high')" --dry-run
Edit on GitHub