powerpipe benchmark
List, view, and run Powerpipe benchmarks.
Usage
powerpipe benchmark list [args]
powerpipe benchmark show benchmark_name [args]
powerpipe benchmark run benchmark_name [args]
Sub-Commands
Command | Description |
---|---|
list | List benchmarks from the current mod and its direct dependents. |
run | Run a benchmark from the current mod or its direct dependents. |
show | Show details of a benchmark from the current mod or its direct dependents. |
powerpipe benchmark list
List benchmarks from the current mod and its direct dependents.
Examples
List benchmarks. Only top-level dashboards are shown for pretty and plain output formats:
powerpipe benchmark list
List all benchmarks in JSON format. All benchmarks (including sub-benchmarks) will be included for json and yaml output types:
powerpipe benchmark list --output json
List benchmarks using settings from a workspace:
powerpipe benchmark list --workspace my_workspace
powerpipe benchmark show
Show details of a benchmark from the current mod or its direct dependents.
Examples
Show details of a single benchmark in the current mod:
powerpipe benchmark show cis_v120
# or
powerpipe benchmark show benchmark.cis_v120
Show details of a single benchmark in a direct dependency mod:
powerpipe benchmark show aws_compliance.benchmark.cis_v120
Show details of a benchmark in JSON format:
powerpipe benchmark show cis_v120 --output json
Show details of a benchmark using settings from a workspace:
powerpipe benchmark show cis_v120 --workspace my_workspace
powerpipe benchmark run
Run a benchmark from the current mod or its direct dependents.
Arguments
Flag | Description |
---|---|
--benchmark-timeout int | Set the benchmark execution timeout, in seconds. The default is 0 (no timeout). |
--database | Sets the database that Powerpipe will connect to. This defaults to the local Steampipe database, but can be any PostgreSQL, MySQL, DuckDB, or SQLite database. See POWERPIPE_DATABASE for details. |
--dry-run | If specified, prints the controls that would be run by the command, but does not execute them. |
--export string | Export control output to a file. You may export multiple output formats for a single control run by entering multiple --export arguments. If a file path is specified as an argument, its type will be inferred by the suffix. Supported export formats are asff, csv, html, json, md, nunit3, pps (snapshot). |
--header string | Specify whether to include column headers in csv output/export (default true). |
--input | Enable/Disable interactive prompts for missing variables. To disable prompts and fail on missing variables, use --input=false. This is useful when running from scripts. (default true) |
--max-parallel int | Set the maximum number of database connections to open. When running benchmarks, Powerpipe will attempt to run up to this many controls in parallel. See the POWERPIPE_MAX_PARALLEL environment variable documentation for details. (default 10) |
--mod-install | Specify whether to install mod dependencies before running the benchmark (default true). |
--output string | Select the console output format. Defaults to text. Possible values are brief, csv, html, json, md, pps (snapshot), pretty, plain, none. |
--pipes-host | Sets the Turbot Pipes host used when connecting to Turbot Pipes workspaces. See PIPES_HOST for details. |
--pipes-token | Sets the Turbot Pipes authentication token used when connecting to Turbot Pipes workspaces. See PIPES_TOKEN for details. |
--progress | Enable or disable progress information. By default, progress information is shown - set --progress=false to hide the progress bar. |
--query-timeout int | The query timeout, in seconds. The default is 300. |
--search-path strings | Set a comma-separated list of connections to use as a custom search path for the control run. |
--search-path-prefix strings | Set a comma-separated list of connections to use as a prefix to the current search path for the control run. |
--separator string | A single character to use as a separator string for csv output (defaults to ,). |
--share | Create snapshot in Turbot Pipes with anyone_with_link visibility. |
--snapshot | Create snapshot in Turbot Pipes with the default (workspace) visibility. |
--snapshot-location string | The location to write snapshots - either a local file path or a Turbot Pipes workspace |
--snapshot-tag string=string | Specify tags to set on the snapshot. Multiple --snapshot-tag arguments may be passed. |
--snapshot-title string=string | The title to give a snapshot when uploading to Turbot Pipes. |
--tag string=string | Filter the list of controls to run by one or more tag values. Multiple --tag arguments may be passed. Discrete keys are and'ed and duplicate keys are or'ed. For example, steampipe check all --tag pci=true --tag service=ec2 --tag service=iam will run only controls with a service tag equal to either ec2 or iam that also are tagged with pci=true. |
--timing | Turn on the query timer. |
--var string=string | Specify the value of a variable. Multiple --var arguments may be passed. |
--var-file strings | Specify a .ppvar file containing variable values. |
--where | Filter the list of controls to run, using a SQL where clause. |
Output Formats
Format | Description |
---|---|
asff | Findings in asff json format. Only used with AWS controls. |
brief | Text based output that shows only actionable items (errors and alarms) as well as a summary. |
csv | Comma-separated output with full control details. |
html | Single-page HTML output with full control details and group summaries. |
json | Hierarchical json output with full control details and group summaries. |
md | Single-page markdown output with full control details and group summaries. |
none | Don't send any output to stdout. |
nunit3 | Results in nunit3 xml format. |
snapshot | Steampipe snapshot json (alias for pps ) |
pps | Steampipe snapshot json. |
pretty | Full text based output with details and summary. This is the default console output format. |
plain | Full text based output with details and summary, without color. |
Examples
Run a benchmark:
powerpipe benchmark run cis_v120
Run all benchmarks defined in the mod. Note that powerpipe benchmark run all will not run benchmarks in the dependencies:
powerpipe benchmark run all
Run a benchmark, only including controls with specific property values:
powerpipe benchmark run cis_v120 --where "severity in ('critical', 'high')"
Run a benchmark, only including controls with specific tags:
powerpipe benchmark run cis_v120 --tag cis_level=1 --tag cis=true
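The and/or behaviour of repeated --tag flags described in the Arguments table, modelled as an added Python example (not Powerpipe's own code). The control names and tags are constructed for illustration, and the filter is the one quoted in the --tag description.

```python
from collections import defaultdict


def parse_tag_args(argv):
    """Collect every '--tag key=value' pair from an argument list into {key: {values}}."""
    wanted = defaultdict(set)
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg == "--tag" and i + 1 < len(argv):
            pair = argv[i + 1]          # value is the next argument
            i += 1
        elif arg.startswith("--tag="):
            pair = arg[len("--tag="):]  # value is attached with '='
        else:
            i += 1                      # not a tag filter, skip it
            continue
        key, sep, value = pair.partition("=")
        if not sep or not key:
            raise ValueError(f"--tag expects key=value, got {pair!r}")
        wanted[key].add(value)          # duplicate keys accumulate alternatives
        i += 1
    return dict(wanted)


def control_selected(control_tags, wanted):
    """AND across distinct keys, OR across the values given for one key."""
    return all(control_tags.get(key) in values for key, values in wanted.items())


def select_controls(controls, argv):
    """Return the names of the controls that the --tag filters in argv would keep."""
    wanted = parse_tag_args(argv)
    return [name for name, tags in controls.items() if control_selected(tags, wanted)]


# Constructed sample controls (hypothetical names and tags, not from a real mod).
CONTROLS = {
    "ec2_ebs_encryption": {"service": "ec2", "pci": "true"},
    "iam_root_mfa": {"service": "iam", "pci": "true"},
    "s3_public_access": {"service": "s3", "pci": "true"},   # wrong service
    "ec2_instance_imdsv2": {"service": "ec2"},              # no pci tag
}

# The filter from the --tag description: pci=true AND (service=ec2 OR service=iam).
ARGV = ["--tag", "pci=true", "--tag", "service=ec2", "--tag", "service=iam"]

if __name__ == "__main__":
    print(select_controls(CONTROLS, ARGV))
```

A control that lacks one of the filtered keys entirely is dropped, which is worth checking when a scoped run is used as compliance evidence.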
Run a benchmark against a pipes workspace:
powerpipe benchmark run cis_v120 --workspace acme/anvils
Run a benchmark against a specific database:
powerpipe benchmark run cis_v120 --database postgres://myusername:passworrd@mydbserver.mydomain.com:9193/steampipe
Run a benchmark and upload a snapshot with workspace visibility in your user workspace:
powerpipe benchmark run cis_v120 --snapshot
Run a benchmark and upload a snapshot with anyone_with_link visibility in your user workspace:
powerpipe benchmark run cis_v120 --share
Run a benchmark and upload a snapshot with anyone_with_link visibility to a specific workspace:
powerpipe benchmark run cis_v120 --share --snapshot-location vandelay-industries/latex
Run a benchmark, upload a snapshot with workspace visibility in your user workspace, and tag the snapshot:
powerpipe benchmark run cis_v120 --snapshot --snapshot-tag env=local