powerpipe control

List, view, and run Powerpipe controls.

Usage

powerpipe control list [args]
powerpipe control show control_name [args]
powerpipe control run control_name [args]

Sub-Commands

Command  Description
list     List controls from the current mod and its direct dependents.
run      Run a control from the current mod or its direct dependents.
show     Show details of a control from the current mod or its direct dependents.

powerpipe control list

List controls from the current mod and its direct dependents.

Examples

List controls:

powerpipe control list

List all controls in JSON format:

powerpipe control list --output json

List controls using settings from a workspace:

powerpipe control list --workspace my_workspace

powerpipe control show

Show details of a control from the current mod or its direct dependents.

Examples

Show details of a single control in the current mod:

powerpipe control show cis_v200_2_1_1
# or
powerpipe control show control.cis_v200_2_1_1

Show details of a single control in a direct dependency mod:

powerpipe control show aws_compliance.control.cis_v200_2_1_1

Show details of a control in JSON format:

powerpipe control show cis_v200_2_1_1 --output json

Show details of a control using settings from a workspace:

powerpipe control show cis_v200_2_1_1 --workspace my_workspace

powerpipe control run

Run a control from the current mod or its direct dependents.

Arguments

Flag                            Description
--arg                           Specify the value of a control argument. Multiple --arg arguments may be passed.
--database                      Sets the database that Powerpipe will connect to. This defaults to the local Steampipe database, but can be any PostgreSQL, MySQL, DuckDB, or SQLite database. See POWERPIPE_DATABASE for details.
--export string                 Export control output to a file. You may export multiple output formats for a single control run by entering multiple --export arguments. If a file path is specified as an argument, its type will be inferred by the suffix. Supported export formats are asff, csv, html, json, md, nunit3, pps (snapshot).
--header string                 Specify whether to include column headers in csv output/export (default true).
--input                         Enable/Disable interactive prompts for missing variables. To disable prompts and fail on missing variables, use --input=false. This is useful when running from scripts. (default true)
--mod-install                   Specify whether to install mod dependencies before running the control (default true).
--output string                 Select the console output format. Defaults to text. Possible values are brief, csv, html, json, md, pps (snapshot), pretty, plain, none.
--pipes-host                    Sets the Turbot Pipes host used when connecting to Turbot Pipes workspaces. See PIPES_HOST for details.
--pipes-token                   Sets the Turbot Pipes authentication token used when connecting to Turbot Pipes workspaces. See PIPES_TOKEN for details.
--progress                      Enable or disable progress information. By default, progress information is shown; set --progress=false to hide the progress bar.
--query-timeout int             The query timeout, in seconds. The default is 300.
--search-path strings           Set a comma-separated list of connections to use as a custom search path for the control run.
--search-path-prefix strings    Set a comma-separated list of connections to use as a prefix to the current search path for the control run.
--separator string              A single character to use as a separator string for csv output (defaults to ,).
--share                         Create snapshot in Turbot Pipes with anyone_with_link visibility.
--snapshot                      Create snapshot in Turbot Pipes with the default (workspace) visibility.
--snapshot-location string      The location to write snapshots - either a local file path or a Turbot Pipes workspace.
--snapshot-tag string=string    Specify tags to set on the snapshot. Multiple --snapshot-tag arguments may be passed.
--snapshot-title string=string  The title to give a snapshot when uploading to Turbot Pipes.
--tag string=string             Filter the list of controls to run by one or more tag values. Multiple --tag arguments may be passed. Discrete keys are and'ed and duplicate keys are or'ed. For example, steampipe check all --tag pci=true --tag service=ec2 --tag service=iam will run only controls with a service tag equal to either ec2 or iam that also are tagged with pci=true.
--timing                        Turn on the query timer.
--var string=string             Specify the value of a variable. Multiple --var arguments may be passed.
--var-file strings              Specify a .ppvar file containing variable values.

Output Formats

powerpipe control run supports all of the benchmark output formats.

Examples

Run a control:

powerpipe control run cis_v200_2_1_1

Run a control against a Turbot Pipes workspace:

powerpipe control run cis_v200_2_1_1 --workspace acme/anvils

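Run a control against a specific database (a connection string passed this way, password included, is visible in shell history and process listings; POWERPIPE_DATABASE can supply it instead):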

powerpipe control run cis_v200_2_1_1 --database postgres://myusername:passworrd@mydbserver.mydomain.com:9193/steampipe

Run a control and upload a snapshot with workspace visibility in your user workspace:

powerpipe control run cis_v200_2_1_1 --snapshot

Run a control and upload a snapshot with anyone_with_link visibility in your user workspace:

powerpipe control run cis_v200_2_1_1 --share

Run a control and upload a snapshot with anyone_with_link visibility to a specific workspace:

powerpipe control run cis_v200_2_1_1 --share --snapshot-location vandelay-industries/latex

Run a control, upload a snapshot with workspace visibility in your user workspace, and tag the snapshot:

powerpipe control run cis_v200_2_1_1 --snapshot --snapshot-tag env=local

Run a control by specifying the value of a control argument:

powerpipe control run my_vpc_control --arg vpc_id=vpc-9d7ae1e7

Run a control by passing multiple control arguments:

powerpipe control run check_compliant --arg vpc_ids='["vpc-12345678","vpc-22222222"]' --arg account_id='012345678901'