Running Benchmarks
Steampipe controls and benchmarks provide a generic mechanism for defining and running control frameworks such as CIS, NIST and HIPAA, as well as your own customized groups of controls.
There are many control frameworks in existence today, and though they are all implemented with their own specific syntax and structure, they are generally organized in a defined, hierarchical structure, with a pass/fail type of status for each item. The control and benchmark resources allow Steampipe to provide simplified, consistent mechanisms for defining, running, and returning output from these disparate frameworks.
Steampipe benchmarks automatically appear as dashboards when you run steampipe dashboard in the mod. From the dashboard home, you can select any benchmark to run it and view it in an interactive HTML format. You can even export the benchmark results as a CSV from the panel view.
You can also run controls and benchmarks in batch mode with the steampipe check command. The steampipe check command provides options for selecting which controls to run, supports many output formats, and provides capabilities often required when using steampipe in your scripts, pipelines, and other automation scenarios.
To run every benchmark in the mod:
steampipe check all
The console shows progress as it runs and prints the results to the screen when it is complete.
You can find controls and benchmarks in the Steampipe Mods section of the Steampipe Hub, or by searching GitHub directly.
You can also create your own controls and benchmarks, and package them into a mod.
More Examples
The steampipe check command executes one or more Steampipe benchmarks and controls. You may specify one or more benchmarks or controls to run, or run steampipe check all to run all
You can run all controls in the workspace:
steampipe check all
Or only run a specific benchmark:
steampipe check benchmark.cis_v130
Or run only specific controls:
steampipe check control.cis_v130_1_4 control.cis_v130_2_1_1
Or only run controls with specific tags. For example, to run the controls that have the tags cis_level=1 and cis=true:
steampipe check all --tag cis_level=1 --tag cis=true
Usually, steampipe mods use unqualified queries to "target" whichever connection is first in the search path, but you can specify a different path or prefix if you want:
steampipe check all --search-path-prefix aws_connection_2
You can filter the controls to run using a where clause on the steampipe_control reflection table.
steampipe check all --where "severity in ('critical', 'high')"
You can preview which controls will run with the --dry-run flag:
steampipe check all --where "severity in ('critical', 'high')" --dry-run
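In a pipeline you usually want more than a pass/fail exit code: the list of resources behind each alarm. The script below is an added example, not Steampipe's own code; it assumes the JSON output of steampipe check is a tree of "groups" carrying "controls", each control having control_id, severity and a results list whose entries carry status, resource and reason, and it embeds a constructed sample shaped that way so the parser can run without steampipe installed.

```python
"""Gate a CI job on steampipe check results (added example; assumed JSON shape)."""
import json
import subprocess
import sys

# Constructed sample shaped like the assumed JSON output; not real Steampipe output.
SAMPLE_JSON = json.dumps({
    "group_id": "benchmark.cis_v130",
    "groups": [{
        "group_id": "benchmark.cis_v130_1",
        "groups": [],
        "controls": [
            {"control_id": "control.cis_v130_1_4", "severity": "critical",
             "results": [
                 {"status": "alarm", "resource": "arn:aws:iam::123456789012:root",
                  "reason": "Root account has an access key."},
                 {"status": "ok", "resource": "arn:aws:iam::123456789012:user/ci",
                  "reason": "No access key for root."}]},
            {"control_id": "control.cis_v130_2_1_1", "severity": "low",
             "results": [{"status": "alarm", "resource": "bucket-a",
                          "reason": "Bucket is not encrypted."}]},
        ],
    }],
    "controls": [],
})

FAIL_STATUSES = {"alarm", "error"}

def failing_results(node, severities=("critical", "high")):
    """Walk the benchmark tree and return (control_id, severity, resource, reason)
    for each alarm/error result on a control whose severity is in `severities`."""
    failures = []
    for ctl in node.get("controls", []):
        if ctl.get("severity") not in severities:
            continue
        for res in ctl.get("results", []):
            if res.get("status") in FAIL_STATUSES:
                failures.append((ctl["control_id"], ctl["severity"],
                                 res.get("resource"), res.get("reason")))
    for child in node.get("groups", []):
        failures.extend(failing_results(child, severities))
    return failures

def run_check(target="all"):
    """Run steampipe check with JSON output and parse it (needs steampipe installed)."""
    proc = subprocess.run(["steampipe", "check", target, "--output", "json"],
                          capture_output=True, text=True)
    return json.loads(proc.stdout)

if __name__ == "__main__":
    tree = run_check(sys.argv[1] if len(sys.argv) > 1 else "all")
    failures = failing_results(tree)
    for control_id, severity, resource, reason in failures:
        print(f"{severity:8} {control_id} {resource}: {reason}")
    sys.exit(1 if failures else 0)  # non-zero exit fails the pipeline stage
```

Run it as `python gate.py benchmark.cis_v130` to fail the job only on critical or high alarms while still listing every offending resource.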