New! Filter and export controls, plus lots of new mods and plugins. →

Command Line Arguments

Global Flags

Flag Description
-h, --help Help for Steampipe
--install-dir Sets the directory for the Steampipe installation, in which the Steampipe database, plugins, and supporting files can be found. See the STEAMPIPE_INSTALL_DIR environment variable documentation for details
-v, --version Display Steampipe version
--workspace Sets the Steampipe workspace directory. If not specified, the workspace directory will be set to the current working directory.

Available Commands

CommandDescription
steampipe checkRun Steampipe benchmarks and controls
steampipe helpHelp about any command
steampipe pluginSteampipe plugin management
steampipe queryExecute SQL queries interactively or by argument
steampipe serviceSteampipe service management

steampipe check

Execute one or more Steampipe benchmarks and controls.

You may specify one or more benchmarks or controls to run, or run steampipe check all to run all controls in the workspace.

Usage

steampipe check [item,item,...] [flags]

Available Commands:

Argument Description
--dry-run If specified, prints the controls that would be run by the command, but does not execute them.
--export string Export control output to a file. You may export multiple output formats for a single control run by entering multiple --export arguments. If a file path is specified as an argument, its type will be inferred by the suffix. Supported export formats are csv and json.
--header string Specify whether to include column headers in csv output/export (default true).
--output Select the console output format. Defaults to text. Possible values are json,csv,text,brief,none
--progress Enable or disable the progress bar. By default, the progress bar is shown - set --progress=false to hide the progress bar.
--search-path strings Set a comma-separated list of connections to use as a custom search path for the control run.
--search-path-prefix strings Set a comma-separated list of connections to use as a prefix to the current search path for the control run.
--separator string A single character to use as a separator string for csv output (defaults to ",")
--tag string=string Filter the list of controls to run by one or more tag values. Multiple --tag arguments may be passed -- discrete keys are and'ed and duplicate keys are or'ed. For example, steampipe check all --tag pci=true --tag service=ec2 --tag service=iam will run only controls with a service tag equal to either ec2 or iam that also are tagged with pci=true.
--theme Select output theme (color scheme, etc). Defaults to dark. Possible values are light,dark, plain
--where Filter the list of controls to run, using a sql where clause against the steampipe_control reflection table.

Output Formats

FormatDescription
textFull text based output with details and summary. This is the default console output format.
briefText based output that shows only actionable items (errors and alarms) as well as a summary.
noneDon't send any output to stdout.
jsonHierarchical json output will full control details and group summaries.
csvComma-separated output with full control details.

Examples

Run all controls:

steampipe check all

Only show "failed" items (alarm, error)

steampipe check all --output=brief

Run the cis_v130 benchmark:

steampipe check benchmark.cis_v130

Run the controls that have tags cis_level=1 and cis=true:

steampipe check all --tag cis_level=1 --tag cis=true

Preview the controls that would run in the cis_v130 benchmark with the cis_level=1 tag filter:

steampipe check benchmark.cis_v130 --tag cis_level=1 --dry-run

Run controls with the a benchmark=pci tag that are either high or critical severity:

steampipe check all --where "severity in ('critical', 'high') and tags ->> 'pci' = 'true'"

Run the cis_v130 benchmark with light mode output:

steampipe check benchmark.cis_v130 --theme=light

Run the cis_v130_1_4 and cis_v130_2_1_1 controls:

steampipe check control.cis_v130_1_4 control.cis_v130_2_1_1

Use plain text and no progress (typical for CI or batch jobs)

steampipe check all --theme=plain --progress=false

Export to csv with default file name and json as output.json

steampipe check all --export=csv --export=output.json

Send json output to stdout and pipe to jq

steampipe check all --output=json | jq

steampipe help

Display help and usage information for any command in the application.

Usage

steampipe help [command] [flags]

Examples

Show help:

steampipe help

Show help for the plugin sub-command:

steampipe help plugin

Show help for the plugin install sub-command:

steampipe help plugin install

steampipe plugin

Steampipe plugin management.

Plugins extend Steampipe to work with many different services and providers. Find plugins using the public registry at hub.steampipe.io.

Usage

steampipe plugin [command]

Available Commands:

CommandDescription
installInstall or update a plugin
listList currently installed plugins
uninstallUninstall a plugin
update Update one or more plugins
FlagDescription
--allApplies only to plugin update, updates ALL installed plugins

Examples

Install or update a plugin:

steampipe plugin install aws

List installed plugins:

steampipe plugin list

Uninstall a plugin:

steampipe plugin uninstall dmi/paper

Update all plugins to the latest in the installed stream:

steampipe plugin update --all

Update the aws plugin to the latest in the 0.1 minor stream:

steampipe plugin update aws@0.1

steampipe query

Execute SQL queries interactively, or by a query argument.

To open the interactive query shell, run steampipe query with no arguments. The query shell provides a way to explore your data and run multiple queries.

If a query string is passed on the command line then it will be run immediately and the command will exit. Alternatively, you may specify one or more files containing SQL statements. You can run multiple SQL files by passing a glob or a space separated list of file names.

If the Steampipe service was previously started by steampipe service start, steampipe will connect to the service instance, and multiple parallel query sessions can be run. If the Steampipe service is not started, the query command will start the database and shut it down at the end of the query command or session. In this case, you cannot run another query until the first query has completed, and you cannot start another instance of steampipe until the query completes and Steampipe shuts down.

Usage

steampipe query [query] [flags]

Flags

FlagDescription
--headerInclude column headers csv and table output (default true)
--output stringOutput format: csv, json or table (default "table")
--search-path stringsSet a custom search path for the steampipe user for a query session (comma-separated)
--search-path-prefix stringsSet a prefix to the current search path for a query session (comma-separated)
--separator stringSeparator string for csv output (default ",")
--timingTurn on the timer which reports query time

Examples

Open an interactive query console:

steampipe query

Run a specific query directly:

steampipe query "select * from aws_s3_bucket"

Run the SQL command in the my_queries/my_query.sql file:

steampipe query my_queries/my_query.sql

Run the SQL commands in all .sql files in the my_queries directory and concatenate the results:

steampipe query my_queries/*.sql

Run a specific query directly and report the query execution time:

steampipe query "select * from aws_s3_bucket" --timing

Run a specific query directly and return output in json format:

steampipe query "select * from aws_s3_bucket" --output json

Run a specific query directly and return output in CSV format:

steampipe query "select * from aws_s3_bucket" --output csv

Run a specific query directly and return output in pipe-separated format:

steampipe query "select * from aws_s3_bucket" --output csv --separator '|'

Run a query with a specific search_path:

steampipe query --search-path="aws_dmi,github,slack" "select * from aws_s3_bucket"

Run a query with a specific search_path_prefix:

steampipe query --search-path-prefix="aws_dmi" "select * from aws_s3_bucket"

steampipe service

Steampipe service management.

steampipe service allows you to run Steampipe as a local service, exposing it as a database endpoint for connection from any Postgres compatible database client. If the Steampipe service is started by service start, multiple parallel query sessions can be run.

Usage

steampipe service [command]

Sub-Commands

CommandDescription
restartRestart Steampipe service
startStart Steampipe in service mode
statusStatus of the Steampipe service
stopStop Steampipe service

Flags

FlagApplies toDescription
--database-listen stringstartAccept connections from: local (localhost only) or network (open)
--database-port intstartDatabase service port (default 9193)
--forcestop, restartForces the service to shutdown, releasing all open connections and ports

The following flags are deprecated:

FlagApplies toDescription
--db-port intstartDEPRECATED: please use --database-port
--listen stringstartDEPRECATED: please use --database-listen

Examples

Start Steampipe in the background (service mode):

steampipe service start

Start Steampipe on port 9194

steampipe service start --database-port 9194

Stop the Steampipe service:

steampipe service stop

Forecefully stop the Steampipe service:

steampipe service stop --force

View Steampipe service status:

steampipe service status

Restart the Steampipe service:

steampipe service restart