powerpipe benchmark

List, view, and run Powerpipe benchmarks.

Usage

powerpipe benchmark list [args]
powerpipe benchmark show benchmark_name [args]
powerpipe benchmark run benchmark_name [args]

Sub-Commands

Command	Description
list	List benchmarks from the current mod and its direct dependents.
run	Run a benchmark from the current mod or its direct dependents.
show	Show details of a benchmark from the current mod or its direct dependents.

powerpipe benchmark list

List benchmarks from the current mod and its direct dependents.

Examples

List benchmarks. Only top-level dashboards are shown for pretty and plain output formats:

powerpipe benchmark list

List all benchmarks in JSON format. All benchmarks (including sub-benchmarks) will be included for json and yaml output types:

powerpipe benchmark list --output json

List benchmarks using settings from a workspace:

powerpipe benchmark list --workspace my_workspace

powerpipe benchmark show

Show details of a benchmark from the current mod or its direct dependents.

Examples

Show details of a single benchmark in the current mod:

powerpipe benchmark show cis_v120
# or
powerpipe benchmark show benchmark.cis_v120

Show details of a single benchmark in a direct dependency mod:

powerpipe benchmark show aws_compliance.benchmark.cis_v120

Show details of a benchmark in JSON format:

powerpipe benchmark show cis_v120 --output json

Show details of a benchmark using settings from a workspace:

powerpipe benchmark show cis_v120 -workspace my_workspace

powerpipe benchmark run

Run a benchmark from the current mod or its direct dependents.

Arguments

Flag	Description
`--benchmark-timeout int`	Set the benchmark execution timeout, in seconds. The default is `0` (no timeout).
`--database`	Sets the database that Powerpipe will connect to. This defaults to the local Steampipe database, but can be any PostgreSQL, MySQL, DuckDB, or SQLite database. See POWERPIPE_DATABASE for details.
`--dry-run`	If specified, prints the controls that would be run by the command, but does not execute them.
`--export string`	Export control output to a file. You may export multiple output formats for a single control run by entering multiple `--export` arguments. If a file path is specified as an argument, its type will be inferred by the suffix. Supported export formats are `asff`, `csv`, `html`, `json`, `md`,`nunit3`, `pps` (snapshot)
`--header string`	Specify whether to include column headers in csv output/export (default `true`).
`--input`	Enable/Disable interactive prompts for missing variables. To disable prompts and fail on missing variables, use `--input=false`. This is useful when running from scripts. (default `true`)
`--max-parallel int`	Set the maximum number of database connections to open. When running benchmarks, Powerpipe will attempt to run up to this many controls in parallel. See the `POWERPIPE_MAX_PARALLEL` environment variable documentation for details. (default `10`)
`--mod-install`	Specify whether to install mod dependencies before running the benchmark (default `true`)
`--output string`	Select the console output format. Defaults to text. Possible values are `brief`, `csv`, `html`, `json`, `md`, `pps` (snapshot), `pretty`, `plain`, `none`
`--pipes-host`	Sets the Turbot Pipes host used when connecting to Turbot Pipes workspaces. See PIPES_HOST for details.
`--pipes-token`	Sets the Turbot Pipes authentication token used when connecting to Turbot Pipes workspaces. See PIPES_TOKEN for details.
`--progress`	Enable or disable progress information. By default, progress information is shown - set `--progress=false` to hide the progress bar.
`--query-timeout int`	The query timeout, in seconds. The default is `300`.
`--search-path strings`	Set a comma-separated list of connections to use as a custom search path for the control run.
`--search-path-prefix strings`	Set a comma-separated list of connections to use as a prefix to the current search path for the control run.
`--separator string`	A single character to use as a separator string for csv output (defaults to `,`)
`--share`	Create snapshot in Turbot Pipes with `anyone_with_link` visibility.
`--snapshot`	Create snapshot in Turbot Pipes with the default (`workspace`) visibility.
`--snapshot-location string`	The location to write snapshots - either a local file path or a Turbot Pipes workspace
`--snapshot-tag string=string`	Specify tags to set on the snapshot. Multiple `--snapshot-tag` arguments may be passed.
`--snapshot-title string=string`	The title to give a snapshot when uploading to Turbot Pipes.
`--tag string=string`	Filter the list of controls to run by one or more tag values. Multiple `--tag` arguments may be passed. Discrete keys are and'ed and duplicate keys are or'ed. For example, `steampipe check all --tag pci=true --tag service=ec2 --tag service=iam` will run only controls with a `service` tag equal to either `ec2` or `iam` that also are tagged with `pci=true`.
`--timing`	Turn on the query timer.
`--var string=string`	Specify the value of a variable. Multiple `--var` arguments may be passed.
`--var-file strings`	Specify a `.ppvar` file containing variable values.
`--where`	Filter the list of controls to run, using a SQL `where` clause.

Output Formats

Format	Description
`asff`	Findings in asff json format. Only used with AWS controls.
`brief`	Text based output that shows only actionable items (errors and alarms) as well as a summary.
`csv`	Comma-separated output with full control details.
`html`	Single-page HTML output with full control details and group summaries.
`json`	Hierarchical json output with full control details and group summaries.
`md`	Single-page markdown output with full control details and group summaries.
`none`	Don't send any output to stdout.
`nunit3`	Results in nunit3 xml format.
`snapshot`	Steampipe snapshot json (alias for `pps`)
`pps`	Steampipe snapshot json.
`pretty`	Full text based output with details and summary. This is the default console output format.
`plain`	Full text based output with details and summary, without color.

Examples

Run a benchmark

powerpipe benchmark run cis_v120

Run all benchmarks defined in the mod. Note that powerpipe benchmark run all will not run benchmarks in the dependencies:

powerpipe benchmark run all

Run a benchmark, only including controls with specific property values:

powerpipe benchmark run cis_v120 --where "severity in ('critical', 'high')"

Run a benchmark, only including controls with specific tags:

powerpipe benchmark run cis_v120  --tag cis_level=1 --tag cis=true

Run a benchmark against a pipes workspace:

powerpipe benchmark run cis_v120 --workspace acme/anvils

Run a benchmark against a specific database:

powerpipe benchmark run cis_v120 --database  postgres://myusername:passworrd@mydbserver.mydomain.com:9193/steampipe

Run a benchmark and upload a snapshot with workspace visibility in your user workspace.

powerpipe benchmark run cis_v120 --snapshot

Run a benchmark and upload a snapshot with anyone_with_link visibility in your user workspace.

powerpipe benchmark run cis_v120 --share

Run a benchmark and upload a snapshot with anyone_with_link visibility to a specific workspace.

powerpipe benchmark run cis_v120 --share  --snapshot-location vandelay-industries/latex

Run a benchmark, upload a snapshot with workspace visibility in your user workspace, and tag the snapshot:

powerpipe benchmark run -cis_v120 -snapshot --snapshot-tag env=local