powerpipe control

List, view, and run Powerpipe controls.

Usage

powerpipe control list [args]
powerpipe control show control_name [args]
powerpipe control run control_name [args]

Sub-Commands

| Command | Description |
|---------|-------------|
| list | List controls from the current mod and its direct dependents. |
| run | Run a control from the current mod or its direct dependents. |
| show | Show details of a control from the current mod or its direct dependents. |

powerpipe control list

List controls from the current mod and its direct dependents.

Examples

List controls:

powerpipe control list

List all controls in JSON format:

powerpipe control list --output json

List controls using settings from a workspace:

powerpipe control list --workspace my_workspace

powerpipe control show

Show details of a control from the current mod or its direct dependents.

Examples

Show details of a single control in the current mod:

powerpipe control show cis_v200_2_1_1
# or
powerpipe control show control.cis_v200_2_1_1

Show details of a single control in a direct dependency mod:

powerpipe control show aws_compliance.control.cis_v200_2_1_1

Show details of a control in JSON format:

powerpipe control show cis_v200_2_1_1 --output json

Show details of a control using settings from a workspace:

powerpipe control show cis_v200_2_1_1 --workspace my_workspace

powerpipe control run

Run a control from the current mod or its direct dependents.

Arguments

| Flag | Description |
|------|-------------|
| --arg | Specify the value of a control argument. Multiple --arg arguments may be passed. |
| --database | DEPRECATED - See Setting the Database for the new syntax. Sets the database that Powerpipe will connect to. This defaults to the local Steampipe database, but can be any PostgreSQL, MySQL, DuckDB, or SQLite database. |
| --export string | Export control output to a file. You may export multiple output formats for a single control run by entering multiple --export arguments. If a file path is specified as an argument, its type will be inferred by the suffix. Supported export formats are asff, csv, html, json, md, nunit3, pps (snapshot). |
| --header string | Specify whether to include column headers in csv output/export (default true). |
| --input | Enable/Disable interactive prompts for missing variables. To disable prompts and fail on missing variables, use --input=false. This is useful when running from scripts. (default true) |
| --mod-install | Specify whether to install mod dependencies before running the control (default true). |
| --output string | Select the console output format. Defaults to text. Possible values are brief, csv, html, json, md, pps (snapshot), pretty, plain, none. |
| --pipes-host | Sets the Turbot Pipes host used when connecting to Turbot Pipes workspaces. See PIPES_HOST for details. |
| --pipes-token | Sets the Turbot Pipes authentication token used when connecting to Turbot Pipes workspaces. See PIPES_TOKEN for details. |
| --progress | Enable or disable progress information. By default, progress information is shown - set --progress=false to hide the progress bar. |
| --query-timeout int | The query timeout, in seconds. The default is 300. |
| --search-path strings | Set a comma-separated list of connections to use as a custom search path for the control run. |
| --search-path-prefix strings | Set a comma-separated list of connections to use as a prefix to the current search path for the control run. |
| --separator string | A single character to use as a separator string for csv output (defaults to ,). |
| --share | Create snapshot in Turbot Pipes with anyone_with_link visibility. |
| --snapshot | Create snapshot in Turbot Pipes with the default (workspace) visibility. |
| --snapshot-location string | The location to write snapshots - either a local file path or a Turbot Pipes workspace. |
| --snapshot-tag string=string | Specify tags to set on the snapshot. Multiple --snapshot-tag arguments may be passed. |
| --snapshot-title string=string | The title to give a snapshot when uploading to Turbot Pipes. |
| --tag string=string | Filter the list of controls to run by one or more tag values. Multiple --tag arguments may be passed. Discrete keys are and'ed and duplicate keys are or'ed. For example, steampipe check all --tag pci=true --tag service=ec2 --tag service=iam will run only controls with a service tag equal to either ec2 or iam that also are tagged with pci=true. |
| --timing | Turn on the query timer. |
| --var string=string | Specify the value of a variable. Multiple --var arguments may be passed. |
| --var-file strings | Specify a .ppvar file containing variable values. |
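
The --tag rule above (discrete keys and'ed, duplicate keys or'ed), modelled as an added shell example so you can check which controls a filter set keeps before relying on it. This is not Powerpipe's own code; the function names, control names and tags are constructed for illustration.

```bash
# Constructed sample inventory: "<control name> <tag> <tag> ..."
SAMPLE_CONTROLS='ec2_ebs_encrypted pci=true service=ec2
iam_root_mfa pci=true service=iam
s3_public_block pci=true service=s3
iam_key_rotation pci=false service=iam'

# tags_match "<control tags>" <filter>...
# Returns 0 when the control satisfies every filter key (hypothetical helper).
tags_match() {
  ctl_tags=" $1 "
  shift
  for f in "$@"; do
    key=${f%%=*}
    key_ok=1
    # Duplicate keys are OR'ed: any one filter value for this key may match.
    for g in "$@"; do
      case "$g" in
        "$key"=*)
          case "$ctl_tags" in *" $g "*) key_ok=0 ;; esac ;;
      esac
    done
    # Discrete keys are AND'ed: one unsatisfied key excludes the control.
    [ "$key_ok" -eq 0 ] || return 1
  done
  return 0
}

# select_controls <filter>... prints the sample controls the filters keep.
select_controls() {
  printf '%s\n' "$SAMPLE_CONTROLS" | while read -r name tags; do
    if tags_match "$tags" "$@"; then printf '%s\n' "$name"; fi
  done
}

# Usage: select_controls pci=true service=ec2 service=iam
```

A control missing from the output would be silently skipped by the equivalent --tag set, so compare the kept list against the controls you expect to be assessed.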

Output Formats

powerpipe control run supports all of the benchmark output formats.

Examples

Run a control:

powerpipe control run cis_v200_2_1_1

Run a control against a Turbot Pipes workspace:

powerpipe control run cis_v200_2_1_1 --workspace acme/anvils

Run a control and upload a snapshot with workspace visibility in your user workspace:

powerpipe control run cis_v200_2_1_1 --snapshot

Run a control and upload a snapshot with anyone_with_link visibility in your user workspace:

powerpipe control run cis_v200_2_1_1 --share

Run a control and upload a snapshot with anyone_with_link visibility to a specific workspace:

powerpipe control run cis_v200_2_1_1 --share --snapshot-location vandelay-industries/latex

Run a control, upload a snapshot with workspace visibility in your user workspace, and tag the snapshot:

powerpipe control run cis_v200_2_1_1 --snapshot --snapshot-tag env=local

Run a control by specifying the value of a control argument:

powerpipe control run my_vpc_control --arg vpc_id=vpc-9d7ae1e7

Run a control by passing multiple control arguments:

powerpipe control run check_compliant --arg vpc_ids='["vpc-12345678","vpc-22222222"]' --arg account_id='012345678901'
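
A guard wrapper for unattended runs, as an added example (not Powerpipe's own code). It uses only flags documented above, forces --input=false, and refuses --share and a command-line --pipes-token; the function names and the POWERPIPE_BIN override are hypothetical.

```bash
# check_control_args <extra args>...
# Returns 1 (with a reason on stderr) for flags that are unsafe in a script.
check_control_args() {
  for a in "$@"; do
    case "$a" in
      --share|--share=true)
        echo "refused: --share creates a snapshot with anyone_with_link visibility" >&2
        return 1 ;;
      --pipes-token|--pipes-token=*)
        # argv is visible in process listings and shell history
        echo "refused: supply the token through PIPES_TOKEN, not argv" >&2
        return 1 ;;
      --input|--input=true)
        echo "refused: interactive prompts would hang an unattended run" >&2
        return 1 ;;
    esac
  done
  return 0
}

# run_control <control_name> <export_file> [extra args]...
# Runs one control non-interactively and writes the result to <export_file>;
# the export format is inferred from the file suffix.
run_control() {
  if [ "$#" -lt 2 ]; then
    echo "usage: run_control <control_name> <export_file> [args]" >&2
    return 64
  fi
  control=$1
  export_file=$2
  shift 2
  check_control_args "$@" || return 64
  "${POWERPIPE_BIN:-powerpipe}" control run "$control" \
    --input=false --progress=false --output none \
    --export "$export_file" "$@"
}

# Usage: run_control cis_v200_2_1_1 results/cis_v200_2_1_1.json --snapshot
```

Setting POWERPIPE_BIN=echo prints the command line that would be executed, which is a quick way to review it before wiring the wrapper into a pipeline.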