benchmark

The benchmark block provides a mechanism for grouping controls or detections into benchmarks, and into sections within a benchmark. For instance, the Powerpipe AWS Compliance mod has separate top-level benchmarks for CIS, NIST, PCI, etc. Each of these benchmarks may have sub-level benchmarks to organize controls in a way that reflects that particular control framework — one for each section or subsection in CIS, one for each CSF Core Function and subcategory for NIST, etc. The Tailpipe AWS Compliance mod works similarly for detections based on the MITRE ATT&CK® framework.

A benchmark may specify control or detection resources, optionally wrapped in benchmark resources as children. This enables you a to create flexible hierarchies of any depth. By default, controls and detections will be grouped with aggregated totals at each benchmark.

You can run benchmarks or refer to them with HCL syntax as {mod}.benchmark.{name}. The name must be unique in the namespace (mod). Typically, controls, detections, and benchmarks in a given benchmark should be named in a way that mimics the hierarchy in order to provide an easy-to-follow structure. This is a convention that should be followed, but not a strict requirement.

You can run controls, detections, and benchmarks with the powerpipe benchmark run, powerpipe control run, and powerpipe detection run commands.

You can view benchmarks as dashboards with the powerpipe server command.

And you can run individual controls or detections with powerpipe control run or powerpipe detection run.

Example Usage

Argument Reference