v0.8.0: Variables, Tagging mods & Syntax highlighting →

Command Line Arguments

Global Flags

Flag Description
-h, --help Help for Steampipe
--install-dir Sets the directory for the Steampipe installation, in which the Steampipe database, plugins, and supporting files can be found. See the STEAMPIPE_INSTALL_DIR environment variable documentation for details
-v, --version Display Steampipe version
--workspace Sets the Steampipe workspace directory. If not specified, the workspace directory will be set to the current working directory.

Available Commands

CommandDescription
steampipe checkRun Steampipe benchmarks and controls
steampipe completionGenerate the autocompletion script for the specified shell
steampipe helpHelp about any command
steampipe pluginSteampipe plugin management
steampipe queryExecute SQL queries interactively or by argument
steampipe serviceSteampipe service management

steampipe check

Execute one or more Steampipe benchmarks and controls.

You may specify one or more benchmarks or controls to run, or run steampipe check all to run all controls in the workspace.

Usage

steampipe check [item,item,...] [flags]

Available Commands:

Argument Description
--dry-run If specified, prints the controls that would be run by the command, but does not execute them.
--export string Export control output to a file. You may export multiple output formats for a single control run by entering multiple --export arguments. If a file path is specified as an argument, its type will be inferred by the suffix. Supported export formats are csv and json.
--header string Specify whether to include column headers in csv output/export (default true).
--output Select the console output format. Defaults to text. Possible values are json,csv,text,brief,none
--progress Enable or disable the progress bar. By default, the progress bar is shown - set --progress=false to hide the progress bar.
--search-path strings Set a comma-separated list of connections to use as a custom search path for the control run.
--search-path-prefix strings Set a comma-separated list of connections to use as a prefix to the current search path for the control run.
--separator string A single character to use as a separator string for csv output (defaults to ",")
--tag string=string Filter the list of controls to run by one or more tag values. Multiple --tag arguments may be passed -- discrete keys are and'ed and duplicate keys are or'ed. For example, steampipe check all --tag pci=true --tag service=ec2 --tag service=iam will run only controls with a service tag equal to either ec2 or iam that also are tagged with pci=true.
--theme Select output theme (color scheme, etc). Defaults to dark. Possible values are light,dark, plain
--var string Specify the value of a mod variable.
--var-file string Specify an .spvars file containing mod variable values.
--where Filter the list of controls to run, using a sql where clause against the steampipe_control reflection table.

Output Formats

FormatDescription
textFull text based output with details and summary. This is the default console output format.
briefText based output that shows only actionable items (errors and alarms) as well as a summary.
noneDon't send any output to stdout.
jsonHierarchical json output will full control details and group summaries.
csvComma-separated output with full control details.

Examples

Run all controls:

steampipe check all

Only show "failed" items (alarm, error)

steampipe check all --output=brief

Run the cis_v130 benchmark:

steampipe check benchmark.cis_v130

Run all controls and pass variable values on the command line:

steampipe check all --var='mandatory_tags=["Owner","Application","Environment"]' --var='sensitive_tags=["password","key"]'

Run all controls and pass a .spvars file that contains variable values to use

steampipe check all --var-file='tags.spvars'

Run the controls that have tags cis_level=1 and cis=true:

steampipe check all --tag cis_level=1 --tag cis=true

Preview the controls that would run in the cis_v130 benchmark with the cis_level=1 tag filter:

steampipe check benchmark.cis_v130 --tag cis_level=1 --dry-run

Run controls with the a benchmark=pci tag that are either high or critical severity:

steampipe check all --where "severity in ('critical', 'high') and tags ->> 'pci' = 'true'"

Run the cis_v130 benchmark with light mode output:

steampipe check benchmark.cis_v130 --theme=light

Run the cis_v130_1_4 and cis_v130_2_1_1 controls:

steampipe check control.cis_v130_1_4 control.cis_v130_2_1_1

Use plain text and no progress (typical for CI or batch jobs)

steampipe check all --theme=plain --progress=false

Export to csv with default file name and json as output.json

steampipe check all --export=csv --export=output.json

Send json output to stdout and pipe to jq

steampipe check all --output=json | jq

steampipe completion

Generate the autocompletion script for steampipe for supported shells. This helps you configure your terminal’s shell so that steampipe commands autocomplete when you press the TAB key.

Usage

steampipe completion [bash|fish|zsh]

Sub-Commands

CommandDescription
bashGenerate completion code for bash
fishGenerate completion code for fish
zshGenerate completion code for zsh

steampipe completion bash

Generate the autocompletion script for the bash shell.

Pre-requisites

This script depends on the bash-completion package. If it is not installed already, you can install it via your OS’s package manager.

Most Linux distributions have bash-completion installed by default, however it is not installed by default in Mac OS. For example, to install the bash-completion package with homebrew:

brew install bash-completion

Once installed, edit your .bash_profile or .bashrc file and add the following line:

[[ -r "$(brew --prefix)/etc/profile.d/bash_completion.sh" ]] && . "$(brew --prefix)/etc/profile.d/bash_completion.sh"

Examples

Review the configuration:

steampipe completion bash

Enable auto-complete in your current shell session:

source <(steampipe completion bash)

Enable auto-complete for every new session (execute once). You will need to start a new shell for this setup to take effect:

Linux:

steampipe completion bash > /etc/bash_completion.d/steampipe

MacOS:

steampipe completion bash > /usr/local/etc/bash_completion.d/steampipe

steampipe completion fish

Generate the autocompletion script for the fish shell.

Examples

Review the configuration:

steampipe completion fish

Enable auto-complete in your current shell session:

steampipe completion fish | source

Enable auto-complete for every new session (execute once). You will need to start a new shell for this setup to take effect:

steampipe completion fish > ~/.config/fish/completions/steampipe.fish

steampipe completion zsh

Generate the autocompletion script for the zsh shell.

Pre-requisites

If shell completion is not enabled in your environment, you will need to enable it using:

echo "autoload -U compinit; compinit" >> ~/.zshrc

You will need to start a new shell for this setup to take effect.

Examples

Review the configuration:

steampipe completion zsh

Enable auto-complete for every new session (execute once). You will need to start a new shell for this setup to take effect:

steampipe completion zsh > "${fpath[1]}/steampipe"

steampipe help

Display help and usage information for any command in the application.

Usage

steampipe help [command] [flags]

Examples

Show help:

steampipe help

Show help for the plugin sub-command:

steampipe help plugin

Show help for the plugin install sub-command:

steampipe help plugin install

steampipe plugin

Steampipe plugin management.

Plugins extend Steampipe to work with many different services and providers. Find plugins using the public registry at hub.steampipe.io.

Usage

steampipe plugin [command]

Available Commands:

CommandDescription
installInstall or update a plugin
listList currently installed plugins
uninstallUninstall a plugin
update Update one or more plugins
FlagDescription
--allApplies only to plugin update, updates ALL installed plugins

Examples

Install or update a plugin:

steampipe plugin install aws

List installed plugins:

steampipe plugin list

Uninstall a plugin:

steampipe plugin uninstall dmi/paper

Update all plugins to the latest in the installed stream:

steampipe plugin update --all

Update the aws plugin to the latest in the 0.1 minor stream:

steampipe plugin update aws@0.1

steampipe query

Execute SQL queries interactively, or by a query argument.

To open the interactive query shell, run steampipe query with no arguments. The query shell provides a way to explore your data and run multiple queries.

If a query string is passed on the command line then it will be run immediately and the command will exit. Alternatively, you may specify one or more files containing SQL statements. You can run multiple SQL files by passing a glob or a space separated list of file names.

If the Steampipe service was previously started by steampipe service start, steampipe will connect to the service instance - otherwise, the query command will start the service. At the end of the query command or session, if other sessions have not connected to the service already, the service will be shutdown. If other session have already connected to the service, then the last session to exit will shutdown the service.

Usage

steampipe query [query] [flags]

Flags

FlagDescription
--headerInclude column headers csv and table output (default true)
--output stringOutput format: csv, json or table (default "table")
--search-path stringsSet a custom search path for the steampipe user for a query session (comma-separated)
--search-path-prefix stringsSet a prefix to the current search path for a query session (comma-separated)
--separator stringSeparator string for csv output (default ",")
--timingTurn on the timer which reports query time
---var stringSpecify the value of a mod variable.
--var-file stringSpecify an .spvars file containing mod variable values.
--watchWatch .sql and .sp files in the current workspace (works only in interactive mode) (default true)

Examples

Open an interactive query console:

steampipe query

Run a specific query directly:

steampipe query "select * from aws_s3_bucket"

Run the SQL command in the my_queries/my_query.sql file:

steampipe query my_queries/my_query.sql

Run the SQL commands in all .sql files in the my_queries directory and concatenate the results:

steampipe query my_queries/*.sql

Run a specific query directly and report the query execution time:

steampipe query "select * from aws_s3_bucket" --timing

Run a specific query directly and return output in json format:

steampipe query "select * from aws_s3_bucket" --output json

Run a specific query directly and return output in CSV format:

steampipe query "select * from aws_s3_bucket" --output csv

Run a specific query directly and return output in pipe-separated format:

steampipe query "select * from aws_s3_bucket" --output csv --separator '|'

Run a query with a specific search_path:

steampipe query --search-path="aws_dmi,github,slack" "select * from aws_s3_bucket"

Run a query with a specific search_path_prefix:

steampipe query --search-path-prefix="aws_dmi" "select * from aws_s3_bucket"

steampipe service

Steampipe service management.

steampipe service allows you to run Steampipe as a local service, exposing it as a database endpoint for connection from any Postgres compatible database client.

Usage

steampipe service [command]

Sub-Commands

CommandDescription
restartRestart Steampipe service
startStart Steampipe in service mode
statusStatus of the Steampipe service
stopStop Steampipe service

Flags

FlagApplies toDescription
--database-listen stringstartAccept connections from: local (localhost only) or network (open)
--database-password stringstartSet the steampipe database password for this session. See STEAMPIPE_DATABASE_PASSWORD for additional information
--database-port intstartDatabase service port (default 9193)
--forcestop, restartForces the service to shutdown, releasing all open connections and ports
--foregroundstartRun the service in the foreground
--allstatusBypass the --install-dir and print status of all running services

The following flags are deprecated:

FlagApplies toDescription
--db-port intstartDEPRECATED: please use --database-port
--listen stringstartDEPRECATED: please use --database-listen

Examples

Start Steampipe in the background (service mode):

steampipe service start

Start Steampipe on port 9194

steampipe service start --database-port 9194

Start the Steampipe service with a custom password:

steampipe service start --database-password MyCustomPassword

Start Steampipe on localhost only

steampipe service start --database-listen local

Stop the Steampipe service:

steampipe service stop

Forecefully kill all Steampipe services:

steampipe service stop --force

View Steampipe service status:

steampipe service status

View status of all running Steampipe services:

steampipe service status --all

Restart the Steampipe service:

steampipe service restart