Changelog

What's new?

• Added NYDFS 23 benchmark (powerpipe benchmark run aws_compliance.benchmark.nydfs_23). (#844)

What's new?

• Added CIS v3.0.0 benchmark (powerpipe benchmark run azure_compliance.benchmark.cis_v300). (#282)

Bug fixes

• Fixed the elb_application_lb_waf_enabled query to correctly flag ELB application load balancers as alarm when the associated WAF is disabled. (#840)
• Fixed the cloudfront_distribution_custom_origins_encryption_in_transit_enabled query to remove duplicate AWS CloudFront distributions from the result. (#829) (Thanks to @sbldevnet for the contribution!)
• Fixed the where clause of the cloudfront_distribution_use_secure_cipher query to correctly check if the CloudFront distributions have insecure cipher protocols. (#827) (Thanks to @sbldevnet for the contribution!)

Bug Fixes

• Cleaned up documentation and standardized the file naming conventions of *.ppvars.example files across the following 24 mods to ensure alignment with the Powerpipe v1.0.0 release:
  • steampipe-mod-alicloud-compliance
  • steampipe-mod-aws-perimeter
  • steampipe-mod-aws-tags
  • steampipe-mod-aws-thrifty
  • steampipe-mod-aws-top-10
  • steampipe-mod-azure-compliance
  • steampipe-mod-azure-tags
  • steampipe-mod-azure-thrifty
  • steampipe-mod-digitalocean-thrifty
  • steampipe-mod-docker-compliance
  • steampipe-mod-gcp-compliance
  • steampipe-mod-gcp-labels
  • steampipe-mod-gcp-thrifty
  • steampipe-mod-github-compliance
  • steampipe-mod-kubernetes-compliance
  • steampipe-mod-microsoft365-compliance
  • steampipe-mod-net-insights
  • steampipe-mod-oci-compliance
  • steampipe-mod-oci-thrifty
  • steampipe-mod-snowflake-compliance
  • steampipe-mod-terraform-aws-compliance
  • steampipe-mod-terraform-azure-compliance
  • steampipe-mod-terraform-gcp-compliance
  • steampipe-mod-terraform-oci-compliance

What's new?

• Added CIS v4.0.0 benchmark (steampipe check benchmark.cis_v400). (#836)
• Added ebs_encryption_by_default_enabled and vpc_security_group_restrict_ingress_cifs_port_all controls to the All Controls benchmark. (#835)

Enhancements

• Added the ebs_encryption_by_default_enabled control to the rbi_cyber_security_annex_i_1_3 benchmark. (#835)
• Set python3.8 as deprecated Lambda runtime in lambda_function_use_latest_runtime control. (#833) (Thanks to @sbldevnet for the contribution!)
• Updated iam_access_analyzer_enabled_without_findings and ssm_document_prohibit_public_access controls to use latest columns and tables from the AWS plugin. (#835)

Bug fixes

• VPC security group rule controls that check for restricted port access now correctly detect rules with ports in a port range instead of only exact port matches. (#835)
• Fixed the 2.2.1 control in CIS v1.5.0, v2.0.0, v3.0.0 benchmarks to check if EBS encryption by default is enabled instead of individual volume encryption settings. (#835)
• Fixed the fedramp_moderate_rev_4_sc_28 benchmark to check if EBS encryption by default is enabled instead of individual volume encryption settings. (#835)

Deprecated

• Deprecated the ec2_ebs_default_encryption_enabled control and query. Please use the ebs_encryption_by_default control and query instead.

We're excited to announce the v1.0.0 release of 43 Powerpipe mods!

These mods now require Powerpipe. Steampipe users should check the migration guide.

Whats new

• connection resource to manage credentials. Documentation.
• database property has been added to mod. A database can be a connection reference, connection string, or Pipes workspace to query.

Deprecations

• Deprecated database CLI arg. See Setting the Database for the new syntax to set the database.
• Deprecated POWERPIPE_DATABASE env var. See Setting the Database for the new syntax to set the database.
• Deprecated database workspace profile arg. See Setting the Database for the new syntax to set the database.

Bug fixes

• Fixed the issue where the search path setting was not retained while navigating to a different dashboard. (#325)

What's new?

• Initial release with support for installing Powerpipe and adding it to $PATH.

What's new?

• Initial release with support for running Powerpipe benchmarks and controls, creating annotations for Infrastructure as Code (IaC) checks, and uploading snapshots to Turbot Pipes.

What's new?

• Added Australian Cyber Security Center (ACSC) Essential Eight benchmark (powerpipe benchmark run aws_compliance.benchmark.acsc_essential_eight). (#823)

Enhancements

• The VPC Security Group detail page now includes information on the following associated services: (#352) (Thanks @maxcorbin for the contribution!)
  • Amazon MQ broker
  • ECS service
  • ECS task

What's new?

• Added SOC2 2017 benchmark (powerpipe benchmark run gcp_compliance.benchmark.soc_2_2017). (#181)

Whats new

• Added JSON extension support for DuckDB backends. (#467)

Bug fixes

• Fixed the incorrect mod reference in the output of powerpipe help command. (#471)

Whats new

• Recompiled CLI with Go v1.22. (#448)

Bug fixes

• Fixed issue where CLI notifications interfered with the Powerpipe JSON outputs resulting in invalid JSON outputs. (#452)
• Fixed an issue where Powerpipe crashed when running a benchmark with the --dry-run flag set. (#455)

What's new?

• Added CIS AWS Compute Services v1.0.0 benchmark (powerpipe benchmark run aws_compliance.benchmark.cis_compute_service_v100). (#814)

Bug fixes

• Fixed iam_root_user_hardware_mfa_enabled query to correctly return ok when hardware MFA is enabled for the root user. (#815)

Enhancements

• Added the following controls to the All Controls benchmark: (#176)
  • alloydb_instance_log_error_verbosity_database_flag_default_or_stricter
  • alloydb_instance_log_min_error_statement_database_flag_configured
  • alloydb_instance_log_min_messages_database_flag_error

Enhancements

• Added the following controls to the All Controls benchmark: (#274)
  • application_gateway_waf_uses_specified_mode
  • application_insights_block_log_ingestion_and_querying_from_public
  • log_analytics_workspace_block_log_ingestion_and_querying_from_public
  • log_analytics_workspace_block_non_azure_ingestion

Bug fixes

• Fixed the storage_account_block_public_access query to correctly check if the public_network_access column of the azure_storage_account table is correctly set to disabled or not as per the CIS documentation. (#277)

What's new?

• Added NIST 800-172 benchmark (powerpipe benchmark run aws_compliance.benchmark.nist_800_172). (#807)

Bug fixes

• Fixed sqs_queue_encrypted_at_rest query to ensure queues using SQS-SSE encryption at rest remain in an ok state instead of alarm. (#805) (Thanks @duncward for the contribution!)

Bug fixes

• Fixed the issue where the --arg flag was not working for control and query runs. (#439)
• Fixed data inconsistency issue in snapshot output when the same control was included in multiple benchmarks. (#436)

Enhancements

• Optimized log_group_metric_* queries to minimize API usage, achieving faster performance. (#802)

What's new?

• Added FedRAMP High benchmark (powerpipe benchmark run azure_compliance.benchmark.fedramp_high). (#270)

Whats new

• Updated JSON and snapshot output to handle duplicate column names - append a unique suffix to duplicate column names. (#375)

Bug fixes

• Fixed bug when generating a snapshot from a benchmark run, the row data is empty if any of the rows are in error. (#366)
• Updated mod install to only install or update mods which are command targets (and their dependencies). Set default pull mode for install is latest if there is a target, and minimal if no target is given. (#381)
• Fixed incorrect help message for output in powerpipe benchmark/control run. (#367)
• Fixed issue where POWERPIPE_PORT env var was not being honoured. (#362)
• Updated timing metadata output to rename duration field to duration_ms for consistency with steampipe. (#368)
• Dashboard graph should not crash if an invalid edge category color is provided. (#364)
• Dashboard flow/hierarchy components should show panel controls. (#363)

Updated output formats

The rows property in the JSON and snapshot output will now have unique column names for duplicate column names. The columns property will have the original column name as original_name. For example, for the query:

powerpipe query run " select arn as title, account_id as title, title as title from aws_account" --output pps

Here is the updated JSON output:

powerpipe query run " select arn as title, account_id as title, title as title from aws_account" --output json
{
 "columns": [
  {
   "name": "title",
   "data_type": "text"
  },
  {
   "name": "title_t5zj1",
   "data_type": "text",
   "original_name": "title"
  },
  {
   "name": "title_t5zj2",
   "data_type": "text",
   "original_name": "title"
  }
 ],
 "rows": [
  {
   "title": "arn:aws:::882789663776",
   "title_t5zj1": "882789663776",
   "title_t5zj2": "882789663776"
  },
 ],
 "metadata": {
  "rows_returned": 3,
  "duration_ms": "202ms"
 }
}

Here is the updated snapshot output:

{
  "schema_version": "20240130",
  "panels": {
    "custom.dashboard.sql_e5br7b82": {
      "dashboard": "custom.dashboard.sql_e5br7b82",
      "name": "custom.dashboard.sql_e5br7b82",
      "panel_type": "dashboard",
      "source_definition": "",
      "status": "complete",
      "title": "Custom query [e5br7b82]"
    },
    "custom.table.results": {
      "dashboard": "custom.dashboard.sql_e5br7b82",
      "name": "custom.table.results",
      "panel_type": "table",
      "source_definition": "",
      "status": "complete",
      "sql": " select arn as title, account_id as title, title as title from aws_account",
      "properties": {
        "name": "results"
      },
      "data": {
        "columns": [
          {
            "name": "title",
            "data_type": "TEXT"
          },
          {
            "name": "title_t5zj1",
            "data_type": "TEXT",
            "original_name": "title"
          },
          {
            "name": "title_t5zj2",
            "data_type": "TEXT",
            "original_name": "title"
          }
        ],
        "rows": [
          {
            "title": "arn:aws:::876515858155",
            "title_t5zj1": "876515858155",
            "title_t5zj2": "morales-aaa"
          },
          {
            "title": "arn:aws:::882789663776",
            "title_t5zj1": "882789663776",
            "title_t5zj2": "882789663776"
          },
          {
            "title": "arn:aws:::097350876455",
            "title_t5zj1": "097350876455",
            "title_t5zj2": "turbot-silverwater"
          }
        ]
      }
    }
  },
  "inputs": {},
  "variables": {},
  "search_path": null,
  "start_time": "2024-06-06T14:50:16.906739+01:00",
  "end_time": "2024-06-06T14:50:16.991955+01:00",
  "layout": {
    "name": "custom.dashboard.sql_e5br7b82",
    "children": [
      {
        "name": "custom.table.results",
        "panel_type": "table"
      }
    ],
    "panel_type": "dashboard"
  }
}

What's new?

• Added NIST Cybersecurity Framework (CSF) v1.0 benchmark (powerpipe benchmark run gcp_compliance.benchmark.nist_csf_v10). (#168)
• Added NIST 800-53 Revision 5 benchmark (powerpipe benchmark run gcp_compliance.benchmark.nist_800_53_rev_5). (#168)

Bug fixes

• Fixed the kms_key_users_limited_to_3 query to correctly return data by removing the hardcoded GCP connection name. (#170)
• Fixed the logging_bucket_retention_policy_enabled query to correctly return data by adding the missing project column to the query. (#173)

What's new?

• Added Reserve Bank of India - IT Framework for NBFC Regulatory Compliance benchmark (powerpipe benchmark run aws_compliance.benchmark.rbi_itf_nbfc). (#798)

What's new?

• Added HIPAA benchmark (powerpipe benchmark run gcp_compliance.benchmark.hipaa). (#165)
• Added PCI DSS v3.2.1 benchmark (powerpipe benchmark run gcp_compliance.benchmark.pci_dss_v321). (#163)

Enhancements

• Optimized several queries to minimize API usage, achieving faster performance. (#162)

What's new?

• Added Reserve Bank of India - IT Framework for NBFC Regulatory Compliance benchmark (powerpipe benchmark run azure_compliance.benchmark.rbi_itf_nbfc_v2017). (#267)

Bug fixes

• Respect the app version defined powerpipe block of the mod require block. (#405)
• Dashboard UI should handle graph categories containing resource_name rather than name. (#360)

Enhancements

• Added runtime variable support for control lambda_function_use_latest_runtime. (#791)

Bug fixes

• Fixed the ecr_repository_image_scan_on_push_enabled query to use the correct common dimensions. (#793)

What's new?

• Added NIST SP 800-171 Revision 2 benchmark (powerpipe benchmark run azure_compliance.benchmark.nist_sp_800_171_rev_2). (#264)

What's new?

• New dashboards added:
  • Turbot Guardrails Workspace Report for Admin
• New benchmark added:
  • Turbot Guardrails Workspace Health

Enhancements

• Optimized queries to leverage the connection-level qualifiers for faster execution time and lower API load. To benefit from these enhancements, please upgrade to AliCloud v0.22.0 or higher. (#95)

Whats new

• Added support for installing mods from a branch or from the local file system. (#285)

  To install from a branch:

  powerpipe mod install github.com/turbot/steampipe-mod-aws-well-architected#main

  To reference a mod in the local file system:

  powerpipe mod install ../mods/local_mod_folder

• Added --pull flag to mod, dashboard and benchmark commands to control the mod update strategy. (#352). Possible update strategies are:

  • full - check branch and tags for both latest and accuracy
  • latest - update everything to latest, but only branches - not tags - are commit checked (which is the same as latest)
  • development - update branches and broken constraints to latest, leave satisfied constraints unchanged
  • minimal - only update broken constraints, do not check branches for new commits

Enhancements

• Optimized queries to leverage the connection-level qualifiers for faster execution time and lower API load. To benefit from these enhancements, please upgrade to GCP v0.52.0 or higher. (#78)

Enhancements

• Optimized queries to leverage the connection-level qualifiers for faster execution time and lower API load. To benefit from these enhancements, please upgrade to Azure v0.56.0 or higher. (#124)

Enhancements

• Optimized queries to leverage the connection-level qualifiers for faster execution time and lower API load. To benefit from these enhancements, please upgrade to AWS v0.136.0 or higher. (#347)

Whats new

• It is now possible to set a timeout for benchmark and dashboard execution. These can be set:
  • In the workspace using properties: dashboard_timeout and benchmark_timeout
  • Using the --dashboard-timeout flag for the dashboard run and server commands
  • Using the --benchmark-timeout flag for the benchmark run commands.
  • Using the environment variables POWERPIPE_DASHBOARD_TIMEOUT and POWERPIPE_BENCHMARK_TIMEOUT respectively. (#336)
• Support installing private mods using a GitHub app token. (#381).
• Improve the layout of filter and grouping components for control tags and dimensions. (#263)
• Remove the dashboard input list and dashboard input show commands.
• Add thousands separator to numeric values in dashboard tables. (#315)
• Only show benchmark cards for statuses that are contained in the current filter and add status to filter on card click. (#322)

Bug fixes

• When calling mod update, respect the argument (if any) and only update specified mods. (#331)
• Fix mod update display of updates to transitive dependencies. (#288)

Enhancements

• Updated the workspace_dashboard dashboard to include information on the accounts, resources, and active controls across different workspaces. (#31)
• Updated the workspace_account_report dashboard to display resources, policy settings, alerts, and active controls across workspaces instead of the TE version. (#31)

Enhancements

• Optimized several queries to minimize API usage, achieving faster performance. (#786)

What's new?

• Added CIS v3.0.0 benchmark (powerpipe benchmark run gcp_compliance.benchmark.cis_v300). (#158)

Bug fixes

• Updated the foundational_security_lambda_2 control to check for the latest Lambda runtimes as per the AWS FSBP document. (#778) (Thanks @sbldevnet for the contribution!)
• Fixed the title of secretsmanager_secret_unused_90_day control. (#783)

Enhancements

• Added the following controls to the All Controls benchmark: (#253)
  • cosmosdb_account_uses_aad_and_rbac
  • iam_user_not_allowed_to_create_tenants
  • securitycenter_image_scan_enabled

Bug fixes

• Updated the postgres_db_server_allow_access_to_azure_services_disabled query to check if the endIpAddress column is set to 0.0.0.0 instead of 255.255.255.255 as per the CIS documentation. (#253)

What's new?

• New control added:
  • rds_mysql_postresql_db_no_unsupported_version (#174)

Bug fixes

• Fixed the ecs_cluster_active_service_count query in the AWS ECS Cluster Dashboard to correctly return the count of Cluster Active Services instead of ECS Clusters. (#341) (Thanks @mupi2k for the contribution!)

Breaking changes

• The Foundational Security Best Practices v1.0.0 benchmark has been updated to better align with the matching AWS Security Hub. The following updates have been made: (#772)
  • The foundational_security_elbv2 sub-benchmark have been removed.
  • The following controls are no longer included in the benchmarks:
    • foundational_security_cloudfront_2
    • foundational_security_ec2_22
    • foundational_security_s3_4

Enhancements

• The Foundational Security Best Practices v1.0.0 benchmark has been updated to better align with the matching AWS Security Hub. The following updates have been made: (#772)
  • The following sub-benchmarks have been added to the foundational_security benchmark:
    • foundational_security_appsync
    • foundational_security_backup
    • foundational_security_eventbridge
    • foundational_security_fsx
    • foundational_security_msk
    • foundational_security_pca
    • foundational_security_route53
    • foundational_security_sfn
  • The following controls have been added to the benchmarks:
    • foundational_security_acm_2
    • foundational_security_appsync_2
    • foundational_security_backup_1
    • foundational_security_cloudfront_13
    • foundational_security_dms_6
    • foundational_security_dms_7
    • foundational_security_dms_8
    • foundational_security_dms_9
    • foundational_security_docdb_3
    • foundational_security_docdb_4
    • foundational_security_docdb_5
    • foundational_security_dms_9
    • foundational_security_dynamodb_6
    • foundational_security_ec2_51
    • foundational_security_ecs_9
    • foundational_security_eks_8
    • foundational_security_elasticbeanstalk_3
    • foundational_security_emr_2
    • foundational_security_eventbridge_3
    • foundational_security_fsx_1
    • foundational_security_msk_1
    • foundational_security_networkfirewall_2
    • foundational_security_networkfirewall_9
    • foundational_security_opensearch_10
    • foundational_security_pca_1
    • foundational_security_rds_34
    • foundational_security_rds_35
    • foundational_security_route53_2
    • foundational_security_s3_19
    • foundational_security_sfn_1
    • foundational_security_waf_12

Bug fixes

• Fixed the project_license_table, project_other_license_count and project_weak_copyleft_license_count queries to use the latest version of EUP (European Union Public License 1.2). (#13)

Bug fixes

• Fixed the repository_license_table, repository_other_license_count and repository_weak_copyleft_license_count queries to use the latest version of EUP (European Union Public License 1.2). (#25)

Bug fixes

• Fixed the CIS controls from cis_v200_2_4 to cis_v200_2_11 to correctly evaluate results when using the aggregator connection of the GCP plugin. (#154)

Bug fixes

• When exporting or displaying a benchmark run result as a snapshot, ensure the top level panel has a valid summary. (#274)
• Update mod list output to include resource_name and mod fields.

What's new?

• Added CIS v2.1.0 benchmark (powerpipe benchmark run azure_compliance.benchmark.cis_v210). (#250)

Whats new

• Optimize workspace load time for large workspaces with multiple dependent mods. (#365)

Bug fixes

• Fix CLI available version check. (#250)
• Notify when mod install creates a default mod. (#246)
• Remove newline from end of mod install output. (#247)
• Fix issue where asff output was always missing the first row. (#249)

We're thrilled to announce the release of 52 new Powerpipe mods, featuring pre-built dashboards and benchmarks for cloud inventory & insights, security & compliance, cost management and shift-left scanning. These include the 43 Steampipe mods to visualize AWS, Azure, GCP, GitHub, Terraform and more using Steampipe as the database. And 9 new, ready-to-use Powerpipe mods providing easy to learn examples to visualize data in Postgres, SQLite, DuckDB, and MySQL!

A full list of mods can be found in the Powerpipe Hub.

For more information on how you can get started incorporating these mods into your own custom dashboards and benchmarks, please see Introducing Powerpipe - Composable Mods.

Introducing Powerpipe - Dashboards for DevOps.

Benchmarks - 5,000+ open-source controls from CIS, NIST, PCI, HIPAA, FedRamp and more. Run instantly on your machine or as part of your deployment pipeline.

Relationship Diagrams - The only dashboarding tool designed from the ground up to visualize DevOps data. Explore your cloud,understand relationships and drill down to the details.

Dashboards & Reports - High level dashboards provide a quick management view. Reports highlight misconfigurations and attention areas. Filter, pivot and snapshot results.

Code, not clicks - Our dashboards are code. Version controlled, composable, shareable, easy to edit - designed for the way you work. Join our open-source community!

Learn more at:

• Website - https://powerpipe.io
• Docs - https://powerpipe.io/docs
• Hub - https://hub.powerpipe.io
• Introduction - https://powerpipe.io/blog/introducing-powerpipe