steampipe check

Powerpipe is now the recommended way to run dashboards and benchmarks! Mods still work as normal in Steampipe for now, but they are deprecated and will be removed in a future release:
Steampipe Unbundled →
Powerpipe for Steampipe users →

Execute one or more Steampipe benchmarks and controls.

You may specify one or more benchmarks or controls to run, or run steampipe check all to run all controls in the workspace.

Usage

Run benchmarks/controls:

steampipe check [item,item,...] [flags]

List available benchmarks:

steampipe check list

Flags:

Argument	Description
`--cloud-host`	Sets the Turbot Pipes host used when connecting to Turbot Pipes workspaces. DEPRECATED - Use `--pipes-host`.
`--cloud-token`	Sets the Turbot Pipes authentication token used when connecting to Turbot Pipes workspaces. DEPRECATED - Use `--pipes-token`.
`--dry-run`	If specified, prints the controls that would be run by the command, but does not execute them.
`--export string`	Export control output to a file. You may export multiple output formats for a single control run by entering multiple `--export` arguments. If a file path is specified as an argument, its type will be inferred by the suffix. Supported export formats are `asff`, `csv`, `html`, `json`, `md`,`nunit3`, `sps (snapshot)`
`--header string`	Specify whether to include column headers in csv output/export (default `true`).
`--help`	Help for `steampipe check.`
`--input`	Enable/Disable interactive prompts for missing variables. To disable prompts and fail on missing variables, use `--input=false`. This is useful when running from scripts. (default true)
`--max-parallel integer`	Set the maximum number of database connections to open. When running steampipe check, Steampipe will attempt to run up to this many controls in parallel. See the STEAMPIPE_MAX_PARALLEL environment variable documentation for details. (default `10`)
`--mod-install`	Specify whether to install mod dependencies before running the check (default true)
`--mod-location`	Sets the Steampipe workspace working directory. If not specified, the workspace directory will be set to the current working directory. See STEAMPIPE_MOD_LOCATION for details.
`--output string`	Select the console output format. Defaults to `text`. Possible values are `brief, csv, html, json, md, sps (snapshot), text, none`
`--pipes-host`	Sets the Turbot Pipes host used when connecting to Turbot Pipes workspaces. See PIPES_HOST for details.
`--pipes-token`	Sets the Turbot Pipes authentication token used when connecting to Turbot Pipes workspaces. See PIPES_TOKEN for details.
`--progress`	Enable or disable progress information. By default, progress information is shown - set `--progress=false` to hide the progress bar.
`--query-timeout int`	The query timeout, in seconds. The default is `240`.
`--search-path strings`	Set a comma-separated list of connections to use as a custom search path for the control run.
`--search-path-prefix strings`	Set a comma-separated list of connections to use as a prefix to the current search path for the control run.
`--separator string`	A single character to use as a separator string for csv output (defaults to ",")
`--share`	Create snapshot in Turbot Pipes with `anyone_with_link` visibility.
`--snapshot`	Create snapshot in Turbot Pipes with the default (`workspace`) visibility.
`--snapshot-location string`	The location to write snapshots - either a local file path or a Turbot Pipes workspace
`--snapshot-tag string=string`	Specify tags to set on the snapshot. Multiple `--snapshot-tag` arguments may be passed.
`--snapshot-title string=string`	The title to give a snapshot when uploading to Turbot Pipes.
`--tag string=string`	Filter the list of controls to run by one or more tag values. Multiple `--tag` arguments may be passed. Discrete keys are `and'ed` and duplicate keys are `or'ed`. For example, `steampipe check all --tag pci=true --tag service=ec2 --tag service=iam` will run only controls with a `service` tag equal to either `ec2` or `iam` that also are tagged with `pci=true`.
`--theme`	Select output theme (color scheme, etc). Defaults to `dark`. Possible values are `light,dark, plain`
`--timing`	Turn on the query timer.
`--var string=string`	Specify the value of a mod variable. Multiple `--var` arguments may be passed.
`--var-file string`	Specify an .spvars file containing mod variable values.
`--where`	Filter the list of controls to run, using a sql `where` clause against the `steampipe_control` reflection table.
`--workspace-database`	Sets the database that Steampipe will connect to. This can be `local` (the default) or a remote Turbot Pipes database. See STEAMPIPE_WORKSPACE_DATABASE for details.

Output Formats

Format	Description
`asff`	Findings in asff json format. Only used with AWS controls.
`brief`	Text based output that shows only actionable items (errors and alarms) as well as a summary.
`csv`	Comma-separated output with full control details.
`html`	Single-page HTML output with full control details and group summaries.
`json`	Hierarchical json output with full control details and group summaries.
`md`	Single-page markdown output with full control details and group summaries.
`none`	Don't send any output to stdout.
`nunit3`	Results in nunit3 xml format.
`snapshot`	Steampipe snapshot json (alias for `sps`)
`sps`	Steampipe snapshot json.
`text`	Full text based output with details and summary. This is the default console output format.

Examples

Run all controls:

steampipe check all

List the benchmarks available to run in the current mod context:

steampipe check list

Run the cis_v130 benchmark:

steampipe check benchmark.cis_v130

Run a benchmark and save a snapshot:

steampipe check --snapshot benchmark.cis_v130

Run a benchmark and share a snapshot:

steampipe check --share benchmark.cis_v130

Only show "failed" items (alarm, error)

steampipe check all --output=brief

Run all controls and pass variable values on the command line:

steampipe check all --var='mandatory_tags=["Owner","Application","Environment"]' --var='sensitive_tags=["password","key"]'

Run all controls and pass a .spvars file that contains variable values to use

steampipe check all --var-file='tags.spvars'

Run the controls that have tags cis_level=1 and cis=true:

steampipe check all --tag cis_level=1 --tag cis=true

Preview the controls that would run in the cis_v130 benchmark with the cis_level=1 tag filter:

steampipe check benchmark.cis_v130 --tag cis_level=1 --dry-run

Run controls with the a benchmark=pci tag that are either high or critical severity:

steampipe check all --where "severity in ('critical', 'high') and tags ->> 'pci' = 'true'"

Run the cis_v130 benchmark with light mode output:

steampipe check benchmark.cis_v130 --theme=light

Run the cis_v130_1_4 and cis_v130_2_1_1 controls:

steampipe check control.cis_v130_1_4 control.cis_v130_2_1_1

Run the foundational_security benchmark, but suppress items:

steampipe check benchmark.foundational_security --where "tags ->> 'foundational_security_item_id' !=  all(ARRAY['cloudformation_1','s3_11'])"

Use plain text and no progress (typical for CI or batch jobs)

steampipe check all --theme=plain --progress=false

Export to html (with default file name)

steampipe check all --export=html

Export to csv with default file name and json as output.json

steampipe check all --export=csv --export=output.json

Export to markdown and json with default file names, asff as output.asff.json, nunit3 as output.nunit3.xml

steampipe check all --export=md --export=json --export=output.asff.json --export=output.nunit3.xml

Send json output to stdout and pipe to jq

steampipe check all --output=json | jq