Powerpipe is now the recommended way to run dashboards and benchmarks! Mods still work as normal in Steampipe for now, but they are deprecated and will be removed in a future release:

Controls provide a defined structure and interface for queries that draw a specific conclusion (e.g. 'OK', 'Alarm') about each row (typically, each row represents a single evaluated 'block'). This pattern is common across multiple control benchmarks (CIS, etc) and unit testing benchmarks (JUnit, NUnit, etc).

Controls use queries to gather data, but contain specific metadata and return specific columns with specified values in a specific format.

Example Usage

control "cisv130_2_1_2" {
title = "2.1.2 Ensure S3 Bucket Policy allows HTTPS requests (Manual)"
description = "At the Amazon S3 bucket level, you can configure permissions through a bucket policy making the objects accessible only through HTTPS."
documentation = file("docs/cisv130/")
sql = query.s3_bucket_encryption_in_transit_control.sql
tags = {
cloud_provider = "aws"
framework = "cis"
cis_version = "v1.3.0"
cis_item_id = "1.4"
cis_control = "4.3"
cis_type = "automated"
cis_level = "1"

You may run all controls in a group:

# run all the cis controls
steampipe check aws.benchmark.cisv130
# run all cis section 2 controls
steampipe check aws.benchmark.cisv130_2
# run all cis section 2.1 controls
steampipe check aws.benchmark.cisv130_2_1

Argument Reference

argsMapOptionalA map of arguments to pass to the query. The args argument may only be specified for controls that specify the query argument.
descriptionStringOptionalA description of the control.
documentationString (Markdown)OptionalA markdown string containing a long form description, used as documentation for the mod on
paramBlockOptionalA param block that defines the parameters that can be passed in to the control's query. param blocks may only be specified for controls that specify the sql argument.
queryQuery ReferenceOptionalA reference to a query resource that defines the control query to run. The referenced query must conform to the control interface - it must return the required control columns. A control must either specify the query argument or the sql argument, but not both.
severityStringOptionalThe potential impact of given control. Allowed values are none,low,medium,high,critical. The severity names are taken from the Common Vulnerability Scoring System version 3.1: Specification Document. This document may be used as guidance for classifying your controls.
sqlStringRequiredAn SQL string that returns rows that conform to the control interface - it must return the required control columns. A control must either specify the query argument or the sql argument, but not both.
tagsMapOptionalA map of key:value metadata for the benchmark, used to categorize, search, and filter. The structure is up to the mod author and varies by benchmark and provider.
titleStringOptionalDisplay title for the control.

Required Control Columns

ALL controls must specify queries that return rows that contain the following standard columns:

statusStringThe control status for this row. Only the defined control statuses should be used.
reasonStringA description that details WHY the row has the specified status. The reason should always be set, even if the control is in an 'ok' state. It should be a sentence ending with a period.
resourceStringA unique identifier that identifies the targeted resource for this control check. Ideally, this should be a globally unique identifier such as an arn.
Control Statuses
okThe control is compliant for the resource/row.
alarmThe control is not compliant for the resource/row, and should be remediated.
skipThis control was not evaluated because Steampipe was requested to skip it.
infoThis control is not automated. The control may provide instructions to manually verify, and/or may provide additional context.
errorUsed when an error has occurred in calculating the control state.

Additional Control Columns & Dimensions

A control's query MUST return the required columns, but it may also return additional columns. These additional columns are referred to as dimensions, and can be used to specify additional provider-specific columns that are included in control reports and outputs to provide additional context. For example, a benchmark that runs controls against AWS resources may specify dimensions for account_id and region to help locate the evaluated resource. The account_id and region columns will be added as dimensions to the control output for any control whose query returns those columns.