powerpipe control
List, view, and run Powerpipe controls.
Usage
powerpipe control list [args]
powerpipe control show control_name [args]
powerpipe control run control_name [args]
Sub-Commands
Command | Description |
---|---|
list | List controls from the current mod and its direct dependents. |
run | Run a control from the current mod or its direct dependents. |
show | Show details of a control from the current mod or its direct dependents. |
powerpipe control list
List controls from the current mod and its direct dependents.
Examples
List controls:
powerpipe control list
List all controls in JSON format:
powerpipe control list --output json
List controls using settings from a workspace:
powerpipe control list --workspace my_workspace
powerpipe control show
Show details of a control from the current mod or its direct dependents.
Examples
Show details of a single control in the current mod:
powerpipe control show cis_v200_2_1_1
# or
powerpipe control show control.cis_v200_2_1_1
Show details of a single control in a direct dependency mod:
powerpipe control show aws_compliance.control.cis_v200_2_1_1
Show details of a control in JSON format:
powerpipe control show cis_v200_2_1_1 --output json
Show details of a control using settings from a workspace:
powerpipe control show cis_v200_2_1_1 --workspace my_workspace
powerpipe control run
Run a control from the current mod or its direct dependents.
Arguments
Flag | Description |
---|---|
--arg | Specify the value of a control argument. Multiple --arg arguments may be passed. |
--database | Sets the database that Powerpipe will connect to. This defaults to the local Steampipe database, but can be any PostgreSQL, MySQL, DuckDB, or SQLite database. See POWERPIPE_DATABASE for details. |
--export string | Export control output to a file. You may export multiple output formats for a single control run by entering multiple --export arguments. If a file path is specified as an argument, its type will be inferred by the suffix. Supported export formats are asff, csv, html, json, md, nunit3, pps (snapshot). |
--header string | Specify whether to include column headers in csv output/export (default true). |
--input | Enable/Disable interactive prompts for missing variables. To disable prompts and fail on missing variables, use --input=false. This is useful when running from scripts. (default true) |
--mod-install | Specify whether to install mod dependencies before running the control (default true ) |
--output string | Select the console output format. Defaults to text. Possible values are brief, csv, html, json, md, pps (snapshot), pretty, plain, none. |
--pipes-host | Sets the Turbot Pipes host used when connecting to Turbot Pipes workspaces. See PIPES_HOST for details. |
--pipes-token | Sets the Turbot Pipes authentication token used when connecting to Turbot Pipes workspaces. See PIPES_TOKEN for details. |
--progress | Enable or disable progress information. By default, progress information is shown - set --progress=false to hide the progress bar. |
--query-timeout int | The query timeout, in seconds. The default is 300. |
--search-path strings | Set a comma-separated list of connections to use as a custom search path for the control run. |
--search-path-prefix strings | Set a comma-separated list of connections to use as a prefix to the current search path for the control run. |
--separator string | A single character to use as a separator string for csv output (defaults to ,) |
--share | Create snapshot in Turbot Pipes with anyone_with_link visibility. |
--snapshot | Create snapshot in Turbot Pipes with the default (workspace) visibility. |
--snapshot-location string | The location to write snapshots - either a local file path or a Turbot Pipes workspace |
--snapshot-tag string=string | Specify tags to set on the snapshot. Multiple --snapshot-tag arguments may be passed. |
--snapshot-title string=string | The title to give a snapshot when uploading to Turbot Pipes. |
--tag string=string | Filter the list of controls to run by one or more tag values. Multiple --tag arguments may be passed. Discrete keys are and'ed and duplicate keys are or'ed. For example, steampipe check all --tag pci=true --tag service=ec2 --tag service=iam will run only controls with a service tag equal to either ec2 or iam that also are tagged with pci=true. |
--timing | Turn on the query timer. |
--var string=string | Specify the value of a variable. Multiple --var arguments may be passed. |
--var-file strings | Specify a .ppvar file containing variable values. |
Output Formats
powerpipe control run supports all of the benchmark output formats.
Examples
Run a control:
powerpipe control run cis_v200_2_1_1
Run a control against a Turbot Pipes workspace:
powerpipe control run cis_v200_2_1_1 --workspace acme/anvils
Run a control against a specific database:
powerpipe control run cis_v200_2_1_1 --database postgres://myusername:passworrd@mydbserver.mydomain.com:9193/steampipe
Run a control and upload a snapshot with workspace visibility in your user workspace:
powerpipe control run cis_v200_2_1_1 --snapshot
Run a control and upload a snapshot with anyone_with_link visibility in your user workspace:
powerpipe control run cis_v200_2_1_1 --share
Run a control and upload a snapshot with anyone_with_link visibility to a specific workspace:
powerpipe control run cis_v200_2_1_1 --share --snapshot-location vandelay-industries/latex
Run a control, upload a snapshot with workspace visibility in your user workspace, and tag the snapshot:
powerpipe control run cis_v200_2_1_1 --snapshot --snapshot-tag env=local
Run a control by specifying the value of a control argument:
powerpipe control run my_vpc_control --arg vpc_id=vpc-9d7ae1e7
Run a control by passing multiple control arguments:
powerpipe control run check_compliant --arg vpc_ids='["vpc-12345678","vpc-22222222"]' --arg account_id='012345678901'
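When control runs are scripted, arguments such as a --database URL with an embedded password or a --pipes-token value are visible in process listings and shell history, and --share publishes the snapshot with anyone_with_link visibility. The following pre-flight check is an added example, not part of Powerpipe or its documentation; the function name lint_control_run_args and the sample host and credentials are hypothetical, and the check relies only on the flags and the POWERPIPE_DATABASE and PIPES_TOKEN variables named in the table above.

```shell
#!/bin/sh
# Added example: lint the arguments of a scripted `powerpipe control run`.
# Returns 0 when the argument list is acceptable, 1 otherwise.
# Findings are written to stderr.
lint_control_run_args() {
    rc=0
    noninteractive=0
    prev=""
    for arg in "$@"; do
        # Fold "--flag value" into "--flag=value" so both spellings are checked.
        case "$prev" in
            --database|--pipes-token) arg="$prev=$arg" ;;
        esac
        prev=""
        case "$arg" in
            --database|--pipes-token)
                prev="$arg" ;;
            --share)
                echo "finding: --share creates a snapshot with anyone_with_link visibility" >&2
                rc=1 ;;
            --database=*://*:*@*)
                echo "finding: password embedded in --database; set POWERPIPE_DATABASE instead" >&2
                rc=1 ;;
            --pipes-token=*)
                echo "finding: token passed on the command line; set PIPES_TOKEN instead" >&2
                rc=1 ;;
            --input=false)
                noninteractive=1 ;;
        esac
    done
    if [ "$noninteractive" -eq 0 ]; then
        echo "finding: add --input=false so missing variables fail instead of prompting" >&2
        rc=1
    fi
    return "$rc"
}

# Constructed sample invocation (placeholder host and credentials).
lint_control_run_args cis_v200_2_1_1 --share \
    --database 'postgres://user:example@db.example.internal:9193/steampipe' \
    || echo "rejected: fix the findings above before running the control"
```

Call the function with the same arguments the pipeline would pass to powerpipe control run, and start the run only when it returns 0.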