powerpipe benchmark
List, view, and run Powerpipe benchmarks.
Usage
powerpipe benchmark list [args]
powerpipe benchmark show benchmark_name [args]
powerpipe benchmark run benchmark_name [args]
Sub-Commands
Command | Description |
---|---|
list | List benchmarks from the current mod and its direct dependents. |
run | Run a benchmark from the current mod or its direct dependents. |
show | Show details of a benchmark from the current mod or its direct dependents. |
powerpipe benchmark list
List benchmarks from the current mod and its direct dependents.
Examples
List benchmarks. Only top-level dashboards are shown for pretty and plain output formats:
powerpipe benchmark list
List all benchmarks in JSON format. All benchmarks (including sub-benchmarks) will be included for json and yaml output types:
powerpipe benchmark list --output json
List benchmarks using settings from a workspace:
powerpipe benchmark list --workspace my_workspace
powerpipe benchmark show
Show details of a benchmark from the current mod or its direct dependents.
Examples
Show details of a single benchmark in the current mod:
powerpipe benchmark show cis_v120
# or
powerpipe benchmark show benchmark.cis_v120
Show details of a single benchmark in a direct dependency mod:
powerpipe benchmark show aws_compliance.benchmark.cis_v120
Show details of a benchmark in JSON format:
powerpipe benchmark show cis_v120 --output json
Show details of a benchmark using settings from a workspace:
powerpipe benchmark show cis_v120 --workspace my_workspace
powerpipe benchmark run
Run a benchmark from the current mod or its direct dependents.
Arguments
Flag | Description |
---|---|
--benchmark-timeout int | Set the benchmark execution timeout, in seconds. The default is 0 (no timeout). |
--database | DEPRECATED - See Setting the Database for the new syntax. Sets the database that Powerpipe will connect to. This defaults to the local Steampipe database, but can be any PostgreSQL, MySQL, DuckDB, or SQLite database. |
--dry-run | If specified, prints the controls that would be run by the command, but does not execute them. |
--export string | Export control output to a file. You may export multiple output formats for a single control run by entering multiple --export arguments. If a file path is specified as an argument, its type will be inferred by the suffix. Supported export formats are asff, csv, html, json, md, nunit3, pps (snapshot). |
--header string | Specify whether to include column headers in csv output/export (default true). |
--input | Enable/Disable interactive prompts for missing variables. To disable prompts and fail on missing variables, use --input=false. This is useful when running from scripts. (default true) |
--max-parallel int | Set the maximum number of database connections to open. When running benchmarks, Powerpipe will attempt to run up to this many controls in parallel. See the POWERPIPE_MAX_PARALLEL environment variable documentation for details. (default 10) |
--mod-install | Specify whether to install mod dependencies before running the benchmark (default true). |
--output string | Select the console output format. Defaults to text. Possible values are brief, csv, html, json, md, pps (snapshot), pretty, plain, none. |
--pipes-host | Sets the Turbot Pipes host used when connecting to Turbot Pipes workspaces. See PIPES_HOST for details. |
--pipes-token | Sets the Turbot Pipes authentication token used when connecting to Turbot Pipes workspaces. See PIPES_TOKEN for details. |
--progress | Enable or disable progress information. By default, progress information is shown - set --progress=false to hide the progress bar. |
--query-timeout int | The query timeout, in seconds. The default is 300. |
--search-path strings | Set a comma-separated list of connections to use as a custom search path for the control run. |
--search-path-prefix strings | Set a comma-separated list of connections to use as a prefix to the current search path for the control run. |
--separator string | A single character to use as a separator string for csv output (defaults to ,). |
--share | Create snapshot in Turbot Pipes with anyone_with_link visibility. |
--snapshot | Create snapshot in Turbot Pipes with the default (workspace) visibility. |
--snapshot-location string | The location to write snapshots - either a local file path or a Turbot Pipes workspace |
--snapshot-tag string=string | Specify tags to set on the snapshot. Multiple --snapshot-tag arguments may be passed. |
--snapshot-title string=string | The title to give a snapshot when uploading to Turbot Pipes. |
--tag string=string | Filter the list of controls to run by one or more tag values. Multiple --tag arguments may be passed. Discrete keys are and'ed and duplicate keys are or'ed. For example, steampipe check all --tag pci=true --tag service=ec2 --tag service=iam will run only controls with a service tag equal to either ec2 or iam that also are tagged with pci=true. |
--timing | Turn on the query timer. |
--var string=string | Specify the value of a variable. Multiple --var arguments may be passed. |
--var-file strings | Specify a .ppvar file containing variable values. |
--where | Filter the list of controls to run, using a SQL where clause. |
Output Formats
Format | Description |
---|---|
asff | Findings in asff json format. Only used with AWS controls. |
brief | Text based output that shows only actionable items (errors and alarms) as well as a summary. |
csv | Comma-separated output with full control details. |
html | Single-page HTML output with full control details and group summaries. |
json | Hierarchical json output with full control details and group summaries. |
md | Single-page markdown output with full control details and group summaries. |
none | Don't send any output to stdout. |
nunit3 | Results in nunit3 xml format. |
snapshot | Steampipe snapshot json (alias for pps). |
pps | Steampipe snapshot json. |
pretty | Full text based output with details and summary. This is the default console output format. |
plain | Full text based output with details and summary, without color. |
Examples
Run a benchmark:
powerpipe benchmark run cis_v120
Run all benchmarks defined in the mod. Note that powerpipe benchmark run all will not run benchmarks in the dependencies:
powerpipe benchmark run all
Run a benchmark, only including controls with specific property values:
powerpipe benchmark run cis_v120 --where "severity in ('critical', 'high')"
Run a benchmark, only including controls with specific tags:
powerpipe benchmark run cis_v120 --tag cis_level=1 --tag cis=true
Run a benchmark against a pipes workspace:
powerpipe benchmark run cis_v120 --workspace acme/anvils
Run a benchmark and upload a snapshot with workspace visibility in your user workspace:
powerpipe benchmark run cis_v120 --snapshot
Run a benchmark and upload a snapshot with anyone_with_link visibility in your user workspace:
powerpipe benchmark run cis_v120 --share
Run a benchmark and upload a snapshot with anyone_with_link visibility to a specific workspace:
powerpipe benchmark run cis_v120 --share --snapshot-location vandelay-industries/latex
Run a benchmark, upload a snapshot with workspace visibility in your user workspace, and tag the snapshot:
powerpipe benchmark run cis_v120 --snapshot --snapshot-tag env=local