Command Line Arguments

Global Flags

Flag Description
--cloud-host Sets the Steampipe Cloud host used when connecting to Steampipe Cloud workspaces. See the STEAMPIPE_CLOUD_HOST environment variable documentation for details.
--cloud-token Sets the Steampipe Cloud authentication token used when connecting to Steampipe Cloud workspaces. See the STEAMPIPE_CLOUD_TOKEN environment variable documentation for details.
-h, --help Help for Steampipe.
--install-dir Sets the directory for the Steampipe installation, in which the Steampipe database, plugins, and supporting files can be found. See the STEAMPIPE_INSTALL_DIR environment variable documentation for details.
-v, --version Display Steampipe version.
--workspace (DEPRECATED: please use --workspace-chdir). Sets the Steampipe workspace directory. If not specified, the workspace directory will be set to the current working directory.
--workspace-chdir Sets the Steampipe workspace directory. If not specified, the workspace directory will be set to the current working directory. See the STEAMPIPE_WORKSPACE_CHDIR environment variable documentation for details.
--workspace-database Sets the database that Steampipe will connect to. This can be local (the default) or a remote Steampipe Cloud database. See the STEAMPIPE_WORKSPACE_DATABASE environment variable documentation for details.

Available Commands

Command               Description
steampipe check       Run Steampipe benchmarks and controls
steampipe completion  Generate the autocompletion script for the specified shell
steampipe help        Help about any command
steampipe mod         Steampipe mod management
steampipe plugin      Steampipe plugin management
steampipe query       Execute SQL queries interactively or by argument
steampipe service     Steampipe service management

steampipe check

Execute one or more Steampipe benchmarks and controls.

You may specify one or more benchmarks or controls to run, or run steampipe check all to run all controls in the workspace.

Usage

steampipe check [item,item,...] [flags]

Flags:

Argument Description
--dry-run If specified, prints the controls that would be run by the command, but does not execute them.
--export string Export control output to a file. You may export multiple output formats for a single control run by entering multiple --export arguments. If a file path is specified as an argument, its type will be inferred by the suffix. Supported export formats are asff, csv, html, json, md,
--header string Specify whether to include column headers in csv output/export (default true).
--max-parallel integer Set the maximum number of parallel executions. When running steampipe check, Steampipe will attempt to run up to this many controls in parallel. See the STEAMPIPE_MAX_PARALLEL environment variable documentation for details.
--output Select the console output format. Defaults to text. Possible values are brief, csv, html, json, md, text, none.
--progress Enable or disable the progress bar. By default, the progress bar is shown - set --progress=false to hide the progress bar.
--search-path strings Set a comma-separated list of connections to use as a custom search path for the control run.
--search-path-prefix strings Set a comma-separated list of connections to use as a prefix to the current search path for the control run.
--separator string A single character to use as a separator string for csv output (defaults to ",").
--tag string=string Filter the list of controls to run by one or more tag values. Multiple --tag arguments may be passed -- discrete keys are and'ed and duplicate keys are or'ed. For example, steampipe check all --tag pci=true --tag service=ec2 --tag service=iam will run only controls with a service tag equal to either ec2 or iam that also are tagged with pci=true.
--theme Select output theme (color scheme, etc). Defaults to dark. Possible values are light, dark, plain.
--var string Specify the value of a mod variable.
--var-file string Specify an .spvars file containing mod variable values.
--where Filter the list of controls to run, using a sql where clause against the steampipe_control reflection table.
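
The AND/OR rule stated for --tag above, modeled as an added example (this is not Steampipe's own code). The control names and tag values are constructed; the point is to predict which controls a tag filter will select, and which it will silently leave out, before relying on a run for compliance evidence.

```python
from collections import defaultdict


def parse_tag_args(tag_args):
    """Group 'key=value' strings (one per --tag argument) by key."""
    wanted = defaultdict(set)
    for arg in tag_args:
        key, sep, value = arg.partition("=")
        if not sep or not key:
            raise ValueError(f"--tag expects key=value, got {arg!r}")
        wanted[key].add(value)
    return dict(wanted)


def control_matches(control_tags, wanted):
    """AND across distinct keys, OR across values given for the same key.

    A control that lacks one of the requested keys never matches.
    """
    return all(control_tags.get(key) in values for key, values in wanted.items())


def select_controls(controls, tag_args):
    """Return the names of the controls that the tag filter would keep."""
    wanted = parse_tag_args(tag_args)
    return [name for name, tags in controls.items() if control_matches(tags, wanted)]


# Constructed sample controls (hypothetical names and tags, for illustration).
CONTROLS = {
    "ec2_ebs_encrypted": {"pci": "true", "service": "ec2"},
    "iam_root_mfa": {"pci": "true", "service": "iam"},
    "s3_public_block": {"pci": "true", "service": "s3"},
    "ec2_imdsv2": {"pci": "false", "service": "ec2"},
    "iam_password_len": {"service": "iam"},  # no pci tag at all
}

if __name__ == "__main__":
    # Mirrors: --tag pci=true --tag service=ec2 --tag service=iam
    print(select_controls(CONTROLS, ["pci=true", "service=ec2", "service=iam"]))
```

Note that the untagged control (`iam_password_len`) is excluded as soon as `pci` is part of the filter, which is the case to look for when a tag-filtered run reports fewer controls than expected; `--dry-run` shows the real selection.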

Output Formats

Format  Description
asff    Findings in asff json format. Only used with AWS controls.
brief   Text based output that shows only actionable items (errors and alarms) as well as a summary.
csv     Comma-separated output with full control details.
html    Single-page HTML output with full control details and group summaries.
json    Hierarchical json output with full control details and group summaries.
md      Single-page markdown output with full control details and group summaries.
none    Don't send any output to stdout.
nunit3  Results in nunit3 xml format.
text    Full text based output with details and summary. This is the default console output format.

Examples

Run all controls:

steampipe check all

Only show "failed" items (alarm, error):

steampipe check all --output=brief

Run the cis_v130 benchmark:

steampipe check benchmark.cis_v130

Run all controls and pass variable values on the command line:

steampipe check all --var='mandatory_tags=["Owner","Application","Environment"]' --var='sensitive_tags=["password","key"]'

Run all controls and pass a .spvars file that contains variable values to use:

steampipe check all --var-file='tags.spvars'

Run the controls that have tags cis_level=1 and cis=true:

steampipe check all --tag cis_level=1 --tag cis=true

Preview the controls that would run in the cis_v130 benchmark with the cis_level=1 tag filter:

steampipe check benchmark.cis_v130 --tag cis_level=1 --dry-run

Run controls with a benchmark=pci tag that are either high or critical severity:

steampipe check all --where "severity in ('critical', 'high') and tags ->> 'pci' = 'true'"

Run the cis_v130 benchmark with light mode output:

steampipe check benchmark.cis_v130 --theme=light

Run the cis_v130_1_4 and cis_v130_2_1_1 controls:

steampipe check control.cis_v130_1_4 control.cis_v130_2_1_1

Use plain text and no progress (typical for CI or batch jobs):

steampipe check all --theme=plain --progress=false

Export to html (with default file name):

steampipe check all --export=html

Export to csv with default file name and json as output.json:

steampipe check all --export=csv --export=output.json

Export to markdown and json with default file names, asff as output.asff.json, nunit3 as output.nunit3.xml:

steampipe check all --export=md --export=json --export=output.asff.json --export=output.nunit3.xml

Send json output to stdout and pipe to jq:

steampipe check all --output=json | jq

steampipe completion

Generate the autocompletion script for steampipe for supported shells. This helps you configure your terminal’s shell so that steampipe commands autocomplete when you press the TAB key.

Usage

steampipe completion [bash|fish|zsh]

Sub-Commands

Command  Description
bash     Generate completion code for bash
fish     Generate completion code for fish
zsh      Generate completion code for zsh

steampipe completion bash

Generate the autocompletion script for the bash shell.

Pre-requisites

This script depends on the bash-completion package. If it is not installed already, you can install it via your OS’s package manager.

Most Linux distributions have bash-completion installed by default; however, it is not installed by default on Mac OS. For example, to install the bash-completion package with homebrew:

brew install bash-completion

Once installed, edit your .bash_profile or .bashrc file and add the following line:

[[ -r "$(brew --prefix)/etc/profile.d/bash_completion.sh" ]] && . "$(brew --prefix)/etc/profile.d/bash_completion.sh"

Examples

Review the configuration:

steampipe completion bash

Enable auto-complete in your current shell session:

source <(steampipe completion bash)

Enable auto-complete for every new session (execute once). You will need to start a new shell for this setup to take effect:

Linux:

steampipe completion bash > /etc/bash_completion.d/steampipe

MacOS:

steampipe completion bash > /usr/local/etc/bash_completion.d/steampipe

steampipe completion fish

Generate the autocompletion script for the fish shell.

Examples

Review the configuration:

steampipe completion fish

Enable auto-complete in your current shell session:

steampipe completion fish | source

Enable auto-complete for every new session (execute once). You will need to start a new shell for this setup to take effect:

steampipe completion fish > ~/.config/fish/completions/steampipe.fish

steampipe completion zsh

Generate the autocompletion script for the zsh shell.

Pre-requisites

If shell completion is not enabled in your environment, you will need to enable it using:

echo "autoload -U compinit; compinit" >> ~/.zshrc

You will need to start a new shell for this setup to take effect.

Examples

Review the configuration:

steampipe completion zsh

Enable auto-complete for every new session (execute once). You will need to start a new shell for this setup to take effect:

steampipe completion zsh > "${fpath[1]}/steampipe"

steampipe help

Display help and usage information for any command in the application.

Usage

steampipe help [command] [flags]

Examples

Show help:

steampipe help

Show help for the plugin sub-command:

steampipe help plugin

Show help for the plugin install sub-command:

steampipe help plugin install

steampipe mod

Steampipe mod management.

Mods provide an easy way to share Steampipe queries, controls, and benchmarks. Find mods using the public registry at hub.steampipe.io.

Usage

steampipe mod [command]

Available Commands:

Command    Description
init       Initialize the current directory with a mod.sp file
install    Install one or more mods and their dependencies
list       List currently installed mods
uninstall  Uninstall a mod and its dependencies
update     Update one or more mods and their dependencies

Flag       Description
--dry-run  Show which mods would be installed/updated/uninstalled without modifying them (default false).
--prune    Remove unused mods and dependencies when doing mod update and mod install (default true).

Examples

List installed mods:

steampipe mod list

Install a mod and add the require statement to your mod.sp:

steampipe mod install github.com/turbot/steampipe-mod-aws-compliance

Install an exact version of a mod and update the require statement to your mod.sp. This may upgrade or downgrade the mod if it is already installed:

steampipe mod install github.com/turbot/steampipe-mod-aws-compliance@0.1

Install a version of a mod using a semver constraint and update the require statement to your mod.sp. This may upgrade or downgrade the mod if it is already installed:

steampipe mod install github.com/turbot/steampipe-mod-aws-compliance@'^1'

Install all mods specified in the mod.sp and their dependencies:

steampipe mod install

Preview what steampipe mod install will do, without actually installing anything:

steampipe mod install --dry-run

Update a mod to the latest version allowed by its current constraint:

steampipe mod update github.com/turbot/steampipe-mod-aws-compliance

Update all mods specified in the mod.sp and their dependencies to the latest versions that meet their constraints, and install any that are missing:

steampipe mod update

Uninstall a mod:

steampipe mod uninstall github.com/turbot/steampipe-mod-azure-compliance

Preview uninstalling a mod, but don't uninstall it:

steampipe mod uninstall github.com/turbot/steampipe-mod-gcp-compliance --dry-run

steampipe plugin

Steampipe plugin management.

Plugins extend Steampipe to work with many different services and providers. Find plugins using the public registry at hub.steampipe.io.

Usage

steampipe plugin [command]

Available Commands:

Command    Description
install    Install or update a plugin
list       List currently installed plugins
uninstall  Uninstall a plugin
update     Update one or more plugins

Flag       Description
--all      Applies only to plugin update, updates ALL installed plugins

Examples

Install or update a plugin:

steampipe plugin install aws

List installed plugins:

steampipe plugin list

Uninstall a plugin:

steampipe plugin uninstall dmi/paper

Update all plugins to the latest in the installed stream:

steampipe plugin update --all

Update the aws plugin to the latest in the 0.1 minor stream:

steampipe plugin update aws@0.1

steampipe query

Execute SQL queries interactively, or by a query argument.

To open the interactive query shell, run steampipe query with no arguments. The query shell provides a way to explore your data and run multiple queries.

If a query string is passed on the command line then it will be run immediately and the command will exit. Alternatively, you may specify one or more files containing SQL statements. You can run multiple SQL files by passing a glob or a space separated list of file names.

If the Steampipe service was previously started by steampipe service start, steampipe will connect to the service instance; otherwise, the query command will start the service. At the end of the query command or session, if other sessions have not connected to the service already, the service will be shut down. If other sessions have already connected to the service, then the last session to exit will shut down the service.

Usage

steampipe query [query] [flags]

Flags

Flag                          Description
--header                      Include column headers in csv and table output (default true)
--output string               Output format: csv, json or table (default "table")
--search-path strings         Set a custom search path for the steampipe user for a query session (comma-separated)
--search-path-prefix strings  Set a prefix to the current search path for a query session (comma-separated)
--separator string            Separator string for csv output (default ",")
--timing                      Turn on the timer which reports query time
--var string                  Specify the value of a mod variable.
--var-file string             Specify an .spvars file containing mod variable values.
--watch                       Watch .sql and .sp files in the current workspace (works only in interactive mode) (default true)

Examples

Open an interactive query console:

steampipe query

Run a specific query directly:

steampipe query "select * from aws_s3_bucket"

Run the SQL command in the my_queries/my_query.sql file:

steampipe query my_queries/my_query.sql

Run the SQL commands in all .sql files in the my_queries directory and concatenate the results:

steampipe query my_queries/*.sql

Run a specific query directly and report the query execution time:

steampipe query "select * from aws_s3_bucket" --timing

Run a specific query directly and return output in json format:

steampipe query "select * from aws_s3_bucket" --output json

Run a specific query directly and return output in CSV format:

steampipe query "select * from aws_s3_bucket" --output csv

Run a specific query directly and return output in pipe-separated format:

steampipe query "select * from aws_s3_bucket" --output csv --separator '|'

Run a query with a specific search_path:

steampipe query --search-path="aws_dmi,github,slack" "select * from aws_s3_bucket"

Run a query with a specific search_path_prefix:

steampipe query --search-path-prefix="aws_dmi" "select * from aws_s3_bucket"

steampipe service

Steampipe service management.

steampipe service allows you to run Steampipe as a local service, exposing it as a database endpoint for connection from any Postgres-compatible database client.

Usage

steampipe service [command]

Sub-Commands

Command  Description
restart  Restart Steampipe service
start    Start Steampipe in service mode
status   Status of the Steampipe service
stop     Stop Steampipe service

Flags

Flag                        Applies to     Description
--database-listen string    start          Accept connections from: local (localhost only) or network (open)
--database-password string  start          Set the steampipe database password for this session. See STEAMPIPE_DATABASE_PASSWORD for additional information
--database-port int         start          Database service port (default 9193)
--force                     stop, restart  Forces the service to shutdown, releasing all open connections and ports
--foreground                start          Run the service in the foreground
--all                       status         Bypass the --install-dir and print status of all running services

The following flags are deprecated:

Flag             Applies to  Description
--db-port int    start       DEPRECATED: please use --database-port
--listen string  start       DEPRECATED: please use --database-listen

Examples

Start Steampipe in the background (service mode):

steampipe service start

Start Steampipe on port 9194:

steampipe service start --database-port 9194

Start the Steampipe service with a custom password:

steampipe service start --database-password MyCustomPassword

Start Steampipe on localhost only:

steampipe service start --database-listen local

Stop the Steampipe service:

steampipe service stop

Forcefully kill all Steampipe services:

steampipe service stop --force

View Steampipe service status:

steampipe service status

View status of all running Steampipe services:

steampipe service status --all

Restart the Steampipe service:

steampipe service restart