powerpipe benchmark

List, view, and run Powerpipe benchmarks.

Usage

powerpipe benchmark list [args]
powerpipe benchmark show benchmark_name [args]
powerpipe benchmark run benchmark_name [args]

Sub-Commands

| Command | Description |
|---------|-------------|
| list | List benchmarks from the current mod and its direct dependents. |
| run | Run a benchmark from the current mod or its direct dependents. |
| show | Show details of a benchmark from the current mod or its direct dependents. |

powerpipe benchmark list

List benchmarks from the current mod and its direct dependents.

Examples

List benchmarks. Only top-level benchmarks are shown for pretty and plain output formats:

powerpipe benchmark list

List all benchmarks in JSON format. All benchmarks (including sub-benchmarks) will be included for json and yaml output types:

powerpipe benchmark list --output json

List benchmarks using settings from a workspace:

powerpipe benchmark list --workspace my_workspace

powerpipe benchmark show

Show details of a benchmark from the current mod or its direct dependents.

Examples

Show details of a single benchmark in the current mod:

powerpipe benchmark show cis_v120
# or
powerpipe benchmark show benchmark.cis_v120

Show details of a single benchmark in a direct dependency mod:

powerpipe benchmark show aws_compliance.benchmark.cis_v120

Show details of a benchmark in JSON format:

powerpipe benchmark show cis_v120 --output json

Show details of a benchmark using settings from a workspace:

powerpipe benchmark show cis_v120 --workspace my_workspace

powerpipe benchmark run

Run a benchmark from the current mod or its direct dependents.

Arguments

| Flag | Description |
|------|-------------|
| --benchmark-timeout int | Set the benchmark execution timeout, in seconds. The default is 0 (no timeout). |
| --database | Sets the database that Powerpipe will connect to. This defaults to the local Steampipe database, but can be any PostgreSQL, MySQL, DuckDB, or SQLite database. See POWERPIPE_DATABASE for details. |
| --dry-run | If specified, prints the controls that would be run by the command, but does not execute them. |
| --export string | Export control output to a file. You may export multiple output formats for a single control run by entering multiple --export arguments. If a file path is specified as an argument, its type will be inferred by the suffix. Supported export formats are asff, csv, html, json, md, nunit3, pps (snapshot). |
| --header string | Specify whether to include column headers in csv output/export (default true). |
| --input | Enable/Disable interactive prompts for missing variables. To disable prompts and fail on missing variables, use --input=false. This is useful when running from scripts. (default true) |
| --max-parallel int | Set the maximum number of database connections to open. When running benchmarks, Powerpipe will attempt to run up to this many controls in parallel. See the POWERPIPE_MAX_PARALLEL environment variable documentation for details. (default 10) |
| --mod-install | Specify whether to install mod dependencies before running the benchmark (default true). |
| --output string | Select the console output format. Defaults to text. Possible values are brief, csv, html, json, md, pps (snapshot), pretty, plain, none. |
| --pipes-host | Sets the Turbot Pipes host used when connecting to Turbot Pipes workspaces. See PIPES_HOST for details. |
| --pipes-token | Sets the Turbot Pipes authentication token used when connecting to Turbot Pipes workspaces. See PIPES_TOKEN for details. |
| --progress | Enable or disable progress information. By default, progress information is shown; set --progress=false to hide the progress bar. |
| --query-timeout int | The query timeout, in seconds. The default is 300. |
| --search-path strings | Set a comma-separated list of connections to use as a custom search path for the control run. |
| --search-path-prefix strings | Set a comma-separated list of connections to use as a prefix to the current search path for the control run. |
| --separator string | A single character to use as a separator string for csv output (defaults to ,). |
| --share | Create snapshot in Turbot Pipes with anyone_with_link visibility. |
| --snapshot | Create snapshot in Turbot Pipes with the default (workspace) visibility. |
| --snapshot-location string | The location to write snapshots: either a local file path or a Turbot Pipes workspace. |
| --snapshot-tag string=string | Specify tags to set on the snapshot. Multiple --snapshot-tag arguments may be passed. |
| --snapshot-title string=string | The title to give a snapshot when uploading to Turbot Pipes. |
| --tag string=string | Filter the list of controls to run by one or more tag values. Multiple --tag arguments may be passed. Discrete keys are and'ed and duplicate keys are or'ed. For example, steampipe check all --tag pci=true --tag service=ec2 --tag service=iam will run only controls with a service tag equal to either ec2 or iam that also are tagged with pci=true. |
| --timing | Turn on the query timer. |
| --var string=string | Specify the value of a variable. Multiple --var arguments may be passed. |
| --var-file strings | Specify a .ppvar file containing variable values. |
| --where | Filter the list of controls to run, using a SQL where clause. |

Output Formats

| Format | Description |
|--------|-------------|
| asff | Findings in asff json format. Only used with AWS controls. |
| brief | Text based output that shows only actionable items (errors and alarms) as well as a summary. |
| csv | Comma-separated output with full control details. |
| html | Single-page HTML output with full control details and group summaries. |
| json | Hierarchical json output with full control details and group summaries. |
| md | Single-page markdown output with full control details and group summaries. |
| none | Don't send any output to stdout. |
| nunit3 | Results in nunit3 xml format. |
| snapshot | Steampipe snapshot json (alias for pps). |
| pps | Steampipe snapshot json. |
| pretty | Full text based output with details and summary. This is the default console output format. |
| plain | Full text based output with details and summary, without color. |

Examples

Run a benchmark:

powerpipe benchmark run cis_v120

Run all benchmarks defined in the mod. Note that powerpipe benchmark run all will not run benchmarks in the dependencies:

powerpipe benchmark run all

Run a benchmark, only including controls with specific property values:

powerpipe benchmark run cis_v120 --where "severity in ('critical', 'high')"

Run a benchmark, only including controls with specific tags:

powerpipe benchmark run cis_v120 --tag cis_level=1 --tag cis=true

Run a benchmark against a pipes workspace:

powerpipe benchmark run cis_v120 --workspace acme/anvils

Run a benchmark against a specific database:

powerpipe benchmark run cis_v120 --database postgres://myusername:passworrd@mydbserver.mydomain.com:9193/steampipe

Run a benchmark and upload a snapshot with workspace visibility in your user workspace:

powerpipe benchmark run cis_v120 --snapshot

Run a benchmark and upload a snapshot with anyone_with_link visibility in your user workspace:

powerpipe benchmark run cis_v120 --share

Run a benchmark and upload a snapshot with anyone_with_link visibility to a specific workspace:

powerpipe benchmark run cis_v120 --share --snapshot-location vandelay-industries/latex

Run a benchmark, upload a snapshot with workspace visibility in your user workspace, and tag the snapshot:

powerpipe benchmark run cis_v120 --snapshot --snapshot-tag env=local
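
Two of the flags above need care in automation: a --database URL with an inline password ends up in the process list and shell history, and --share uploads the snapshot with anyone_with_link visibility. The pre-flight check below is an added example, not part of Powerpipe or its documentation; the function names and the policy it enforces are assumptions.

```bash
#!/usr/bin/env bash
# Added example: pre-flight lint for `powerpipe benchmark run` arguments in CI.
# The flags checked are documented above; function names and policy are assumptions.

# Prints one finding per line and returns non-zero if any were found.
lint_benchmark_args() {
  local findings=0 input_off=0 arg url
  while [ "$#" -gt 0 ]; do
    arg=$1
    shift
    case "$arg" in
      --share|--share=true)
        echo "share: snapshot would be created with anyone_with_link visibility"
        findings=$((findings + 1))
        ;;
      --database|--database=*)
        url=${arg#--database=}
        if [ "$arg" = "--database" ]; then
          url=${1:-}
          if [ "$#" -gt 0 ]; then shift; fi
        fi
        # scheme://user:password@host puts the credential in argv.
        case "$url" in
          *://*:*@*)
            echo "database: inline password in URL; set POWERPIPE_DATABASE instead"
            findings=$((findings + 1))
            ;;
        esac
        ;;
      --input=false)
        input_off=1
        ;;
    esac
  done
  if [ "$input_off" -eq 0 ]; then
    echo "input: add --input=false so missing variables fail instead of prompting"
    findings=$((findings + 1))
  fi
  [ "$findings" -eq 0 ]
}

# Run the benchmark only when the arguments pass the lint (not called here).
run_benchmark_checked() {
  lint_benchmark_args "$@" >&2 || return 2
  powerpipe benchmark run "$@" --progress=false
}
```

Call run_benchmark_checked with the benchmark name followed by its flags, with POWERPIPE_DATABASE exported from the CI secret store rather than passed on the command line.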