steampipe check
Powerpipe is now the recommended way to run dashboards and benchmarks! Mods still work as normal in Steampipe for now, but they are deprecated and will be removed in a future release.
Execute one or more Steampipe benchmarks and controls.
You may specify one or more benchmarks or controls to run, or run steampipe check all to run all controls in the workspace.
Usage
Run benchmarks/controls:
steampipe check [item,item,...] [flags]
List available benchmarks:
steampipe check list
Flags:
Argument | Description |
---|---|
--cloud-host | Sets the Turbot Pipes host used when connecting to Turbot Pipes workspaces. DEPRECATED - use --pipes-host. |
--cloud-token | Sets the Turbot Pipes authentication token used when connecting to Turbot Pipes workspaces. DEPRECATED - use --pipes-token. |
--dry-run | If specified, prints the controls that would be run by the command, but does not execute them. |
--export string | Export control output to a file. You may export multiple output formats for a single control run by entering multiple --export arguments. If a file path is specified as an argument, its type will be inferred by the suffix. Supported export formats are asff, csv, html, json, md, nunit3, sps (snapshot). |
--header string | Specify whether to include column headers in csv output/export (default true). |
--help | Help for steampipe check. |
--input | Enable/Disable interactive prompts for missing variables. To disable prompts and fail on missing variables, use --input=false . This is useful when running from scripts. (default true) |
--max-parallel integer | Set the maximum number of database connections to open. When running steampipe check, Steampipe will attempt to run up to this many controls in parallel. See the STEAMPIPE_MAX_PARALLEL environment variable documentation for details. (default 10) |
--mod-install | Specify whether to install mod dependencies before running the check (default true) |
--mod-location | Sets the Steampipe workspace working directory. If not specified, the workspace directory will be set to the current working directory. See STEAMPIPE_MOD_LOCATION for details. |
--output string | Select the console output format. Defaults to text. Possible values are brief, csv, html, json, md, sps (snapshot), text, none. |
--pipes-host | Sets the Turbot Pipes host used when connecting to Turbot Pipes workspaces. See PIPES_HOST for details. |
--pipes-token | Sets the Turbot Pipes authentication token used when connecting to Turbot Pipes workspaces. See PIPES_TOKEN for details. |
--progress | Enable or disable progress information. By default, progress information is shown - set --progress=false to hide the progress bar. |
--query-timeout int | The query timeout, in seconds. The default is 240. |
--search-path strings | Set a comma-separated list of connections to use as a custom search path for the control run. |
--search-path-prefix strings | Set a comma-separated list of connections to use as a prefix to the current search path for the control run. |
--separator string | A single character to use as a separator string for csv output (defaults to ",") |
--share | Create snapshot in Turbot Pipes with anyone_with_link visibility. |
--snapshot | Create snapshot in Turbot Pipes with the default (workspace) visibility. |
--snapshot-location string | The location to write snapshots - either a local file path or a Turbot Pipes workspace |
--snapshot-tag string=string | Specify tags to set on the snapshot. Multiple --snapshot-tag arguments may be passed. |
--snapshot-title string=string | The title to give a snapshot when uploading to Turbot Pipes. |
--tag string=string | Filter the list of controls to run by one or more tag values. Multiple --tag arguments may be passed. Discrete keys are AND'ed and duplicate keys are OR'ed. For example, steampipe check all --tag pci=true --tag service=ec2 --tag service=iam will run only controls with a service tag equal to either ec2 or iam that are also tagged with pci=true. |
--theme | Select output theme (color scheme, etc). Defaults to dark. Possible values are light, dark, plain. |
--timing=string | Enable or disable query execution timing: off (default) or on |
--var string=string | Specify the value of a mod variable. Multiple --var arguments may be passed. |
--var-file string | Specify an .spvars file containing mod variable values. |
--where | Filter the list of controls to run, using a sql where clause against the steampipe_control reflection table. |
--workspace-database | Sets the database that Steampipe will connect to. This can be local (the default) or a remote Turbot Pipes database. See STEAMPIPE_WORKSPACE_DATABASE for details. |
Output Formats
Format | Description |
---|---|
asff | Findings in asff json format. Only used with AWS controls. |
brief | Text based output that shows only actionable items (errors and alarms) as well as a summary. |
csv | Comma-separated output with full control details. |
html | Single-page HTML output with full control details and group summaries. |
json | Hierarchical json output with full control details and group summaries. |
md | Single-page markdown output with full control details and group summaries. |
none | Don't send any output to stdout. |
nunit3 | Results in nunit3 xml format. |
snapshot | Steampipe snapshot json (alias for sps). |
sps | Steampipe snapshot json. |
text | Full text based output with details and summary. This is the default console output format. |
Examples
Run all controls:
steampipe check all
List the benchmarks available to run in the current mod context:
steampipe check list
Run the cis_v130 benchmark:
steampipe check benchmark.cis_v130
Run a benchmark and save a snapshot:
steampipe check --snapshot benchmark.cis_v130
Run a benchmark and share a snapshot:
steampipe check --share benchmark.cis_v130
Only show "failed" items (alarm, error):
steampipe check all --output=brief
Run all controls and pass variable values on the command line:
steampipe check all --var='mandatory_tags=["Owner","Application","Environment"]' --var='sensitive_tags=["password","key"]'
Run all controls and pass a .spvars file that contains variable values to use:
steampipe check all --var-file='tags.spvars'
Run the controls that have tags cis_level=1 and cis=true:
steampipe check all --tag cis_level=1 --tag cis=true
Preview the controls that would run in the cis_v130 benchmark with the cis_level=1 tag filter:
steampipe check benchmark.cis_v130 --tag cis_level=1 --dry-run
Run controls with a pci=true tag that are either high or critical severity:
steampipe check all --where "severity in ('critical', 'high') and tags ->> 'pci' = 'true'"
Run the cis_v130 benchmark with light mode output:
steampipe check benchmark.cis_v130 --theme=light
Run the cis_v130_1_4 and cis_v130_2_1_1 controls:
steampipe check control.cis_v130_1_4 control.cis_v130_2_1_1
Run the foundational_security benchmark, but suppress specific items by their foundational_security_item_id tag:
steampipe check benchmark.foundational_security --where "tags ->> 'foundational_security_item_id' != all(ARRAY['cloudformation_1','s3_11'])"
Use plain text and no progress (typical for CI or batch jobs):
steampipe check all --theme=plain --progress=false
Export to html (with default file name):
steampipe check all --export=html
Export to csv with default file name and json as output.json:
steampipe check all --export=csv --export=output.json
Export to markdown and json with default file names, asff as output.asff.json, nunit3 as output.nunit3.xml:
steampipe check all --export=md --export=json --export=output.asff.json --export=output.nunit3.xml
Send json output to stdout and pipe to jq:
steampipe check all --output=json | jq
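As an added example (not Steampipe's own code), a small Python CI gate that consumes the json report from the stdout example above, fails the job on any alarm or error result, and applies the --tag matching rule from the flags table (distinct keys AND'ed, repeated keys OR'ed). The nested groups/controls/results field names and the sample report are assumptions, constructed for illustration.

```python
import json
import sys
from collections import defaultdict

# Constructed sample in the shape of `steampipe check --output=json`; the
# nested groups/controls/results field names are an assumption.
SAMPLE_JSON = """{"group_id": "benchmark.cis_v130", "controls": [],
 "groups": [{"group_id": "benchmark.cis_v130_1", "controls": [
   {"control_id": "control.cis_v130_1_4",
    "tags": {"cis": "true", "cis_level": "1", "service": "iam"},
    "results": [{"status": "alarm", "resource": "arn:aws:iam::111122223333:root",
                 "reason": "Root user has active access keys"},
                {"status": "ok", "resource": "arn:aws:iam::444455556666:root",
                 "reason": "No root access keys"}]},
   {"control_id": "control.cis_v130_2_1_1",
    "tags": {"cis": "true", "cis_level": "2", "service": "s3"},
    "results": [{"status": "error", "resource": "", "reason": "query timeout"}]}]}]}"""

def iter_controls(node):
    """Yield every control in a group tree, depth first."""
    yield from node.get("controls") or []
    for group in node.get("groups") or []:
        yield from iter_controls(group)

def matches_tags(control_tags, tag_filters):
    """--tag rule: distinct keys are AND'ed, repeated keys are OR'ed."""
    wanted = defaultdict(set)
    for item in tag_filters:
        key, _, value = item.partition("=")
        wanted[key].add(value)
    return all(control_tags.get(k) in vals for k, vals in wanted.items())

def failing_results(report, tag_filters=()):
    """(control_id, resource, reason) for each alarm or error result,
    limited to controls that satisfy the --tag style filters."""
    return [(c["control_id"], r.get("resource"), r.get("reason"))
            for c in iter_controls(report)
            if matches_tags(c.get("tags") or {}, tag_filters)
            for r in c.get("results") or [] if r["status"] in ("alarm", "error")]

def main(argv):
    """Load a report file (or the sample), print failures, exit 1 if any."""
    report = json.load(open(argv[1])) if len(argv) > 1 else json.loads(SAMPLE_JSON)
    failures = failing_results(report, argv[2:])
    for control_id, resource, reason in failures:
        print(f"{control_id}\t{resource}\t{reason}", file=sys.stderr)
    return 1 if failures else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Typical use is `steampipe check all --output=json > report.json && python gate.py report.json cis_level=1`, where trailing key=value arguments narrow the gate the same way --tag narrows the run.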