Major memory reduction, new benchmarks, secure AWS regions →

steampipe check

Execute one or more Steampipe benchmarks and controls.

You may specify one or more benchmarks or controls to run, or run steampipe check all to run all controls in the workspace.


steampipe check [item,item,...] [flags]

Available Commands:

Argument Description
--dry-run If specified, prints the controls that would be run by the command, but does not execute them.
--export string Export control output to a file. You may export multiple output formats for a single control run by entering multiple --export arguments. If a file path is specified as an argument, its type will be inferred by the suffix. Supported export formats are asff, csv, html, json, md,
--header string Specify whether to include column headers in csv output/export (default true).
--max-parallel integer Set the maximum number of parallel executions. When running steampipe check, Steampipe will attempt to run up to this many controls in parallel. See the STEAMPIPE_MAX_PARALLEL environment variable documentation for details.
--output Select the console output format. Defaults to text. Possible values are brief,csv,html,json,md,text,none
--progress Enable or disable the progress bar. By default, the progress bar is shown - set --progress=false to hide the progress bar.
--search-path strings Set a comma-separated list of connections to use as a custom search path for the control run.
--search-path-prefix strings Set a comma-separated list of connections to use as a prefix to the current search path for the control run.
--separator string A single character to use as a separator string for csv output (defaults to ",")
--tag string=string Filter the list of controls to run by one or more tag values. Multiple --tag arguments may be passed -- discrete keys are and'ed and duplicate keys are or'ed. For example, steampipe check all --tag pci=true --tag service=ec2 --tag service=iam will run only controls with a service tag equal to either ec2 or iam that also are tagged with pci=true.
--theme Select output theme (color scheme, etc). Defaults to dark. Possible values are light,dark, plain
--var string Specify the value of a mod variable.
--var-file string Specify an .spvars file containing mod variable values.
--where Filter the list of controls to run, using a sql where clause against the steampipe_control reflection table.

Output Formats

asffFindings in asff json format. Only used with AWS controls.
briefText based output that shows only actionable items (errors and alarms) as well as a summary.
csvComma-separated output with full control details.
htmlSingle-page HTML output with full control details and group summaries.
jsonHierarchical json output with full control details and group summaries.
mdSingle-page markdown output with full control details and group summaries.
noneDon't send any output to stdout.
nunit3Results in nunit3 xml format.
textFull text based output with details and summary. This is the default console output format.


Run all controls:

steampipe check all

Only show "failed" items (alarm, error)

steampipe check all --output=brief

Run the cis_v130 benchmark:

steampipe check benchmark.cis_v130

Run all controls and pass variable values on the command line:

steampipe check all --var='mandatory_tags=["Owner","Application","Environment"]' --var='sensitive_tags=["password","key"]'

Run all controls and pass a .spvars file that contains variable values to use

steampipe check all --var-file='tags.spvars'

Run the controls that have tags cis_level=1 and cis=true:

steampipe check all --tag cis_level=1 --tag cis=true

Preview the controls that would run in the cis_v130 benchmark with the cis_level=1 tag filter:

steampipe check benchmark.cis_v130 --tag cis_level=1 --dry-run

Run controls with the a benchmark=pci tag that are either high or critical severity:

steampipe check all --where "severity in ('critical', 'high') and tags ->> 'pci' = 'true'"

Run the cis_v130 benchmark with light mode output:

steampipe check benchmark.cis_v130 --theme=light

Run the cis_v130_1_4 and cis_v130_2_1_1 controls:

steampipe check control.cis_v130_1_4 control.cis_v130_2_1_1

Run the foundational_security benchmark, but suppress items:

steampipe check benchmark.foundational_security --where "tags ->> 'foundational_security_item_id' != all(ARRAY['cloudformation_1','s3_11'])"

Use plain text and no progress (typical for CI or batch jobs)

steampipe check all --theme=plain --progress=false

Export to html (with default file name)

steampipe check all --export=html

Export to csv with default file name and json as output.json

steampipe check all --export=csv --export=output.json

Export to markdown and json with default file names, asff as output.asff.json, nunit3 as output.nunit3.xml

steampipe check all --export=md --export=json --export=output.asff.json --export=output.nunit3.xml

Send json output to stdout and pipe to jq

steampipe check all --output=json | jq