Prowler Studio is an AI workflow that ensures Claude Code follows Prowler’s skills, guardrails, and best practices when creating new security checks. What lands in the resulting pull request is consistent, tested, and ready for human review — not half-correct boilerplate that needs to be rewritten.
Contributor Tool: Prowler Studio is a workflow for advanced contributors adding new Prowler security checks. It is not part of Prowler Cloud, Prowler App, or Prowler CLI.
Preview Feature: Prowler Studio is under active development and breaking changes are expected. Please report issues or share feedback on GitHub or in the Slack community.

Prowler Studio Repository

Clone the source code, install Prowler Studio, and explore the agent workflow in detail.

The Problem

Adding a new check to Prowler is more than writing detection logic. A correct check has to:
  • Match Prowler’s exact service and check folder structure and naming conventions
  • Wire up metadata, severity, remediation, tests, and compliance mappings
  • Mirror the patterns used by the hundreds of existing checks in the same provider
  • Actually load when Prowler scans for available checks — silent structural mistakes are easy to make
Asking a general-purpose AI assistant to do this usually means guessing. It misses conventions, skips tests, or invents structure that looks right but does not load. The result is a half-correct PR that needs to be reviewed line by line or rewritten.

The Solution

Prowler Studio enforces the workflow end-to-end. Describe the check once — a markdown ticket, a Jira issue, or a GitHub issue — and the workflow:
  1. Loads Prowler-specific skills into every agent. Every step starts with the same context an experienced Prowler engineer would have in mind. See AI Skills System for how skills are structured.
  2. Runs specialized agents in sequence. Implementation → testing → compliance mapping → review → PR creation. Each agent has one job and a tight scope.
  3. Verifies as it goes. The check must load in Prowler. Tests must pass. If something fails, the agent fixes it and re-runs (up to a bounded number of attempts) before moving on.
  4. Produces a complete pull request. Branch, passing check, tests, compliance mappings, and a pull request waiting for human review.
The result is a consistent starting point, every time, on every supported provider.

Quick Start

Install

Prowler Studio requires uv — see the official installation guide.
git clone https://github.com/prowler-cloud/prowler-studio
cd prowler-studio
uv sync
source .venv/bin/activate

Describe the Check

A ticket is a structured markdown description of the check to create. It is the only input the workflow needs; every agent (implementation, testing, compliance mapping, review, PR creation) uses it as the source of truth, so the more concrete it is, the closer the first PR will land to the desired outcome. The ticket can be supplied in three ways:
  • Local markdown file: --ticket path/to/ticket.md
  • Jira issue: --jira-url https://... (uses the issue body)
  • GitHub issue: --github-url https://... (uses the issue body)
The content should follow the New Check Request template. Sections marked Optional can be skipped; everything else helps the agents make the right decisions.

Run the Workflow

From a local markdown ticket:
prowler-studio --ticket check_ticket.md
From a Jira ticket:
prowler-studio --jira-url https://mycompany.atlassian.net/browse/PROJ-123
From a GitHub issue:
prowler-studio --github-url https://github.com/owner/repo/issues/123
Provide exactly one of --ticket, --jira-url, or --github-url.
Keep changes local (no push, no pull request):
prowler-studio -b feat/my-check --ticket check_ticket.md --local

What You Get

After a successful run the working environment contains:
  • A new branch on a clean Prowler worktree containing the check, metadata, tests, and compliance mappings
  • A pull request opened against Prowler (skipped with --local)
  • A timestamped log file under logs/ capturing every step the agents took

CLI Options

| Option | Short | Description |
| --- | --- | --- |
| --branch | -b | Branch name (default: feat/<ticket>-<check_name> or feat/<check_name>) |
| --ticket | -t | Path to a markdown check ticket file |
| --jira-url | -j | Jira ticket URL (e.g., https://mycompany.atlassian.net/browse/PROJ-123) |
| --github-url | -g | GitHub issue URL (e.g., https://github.com/owner/repo/issues/123) |
| --working-dir | -w | Working directory for the Prowler clone (default: ./working) |
| --no-worktree | | Legacy mode — work directly on the main clone instead of using worktrees |
| --cleanup-worktree | | Remove the worktree after a successful pull request is created |
| --local | | Keep changes local — skip push and pull request creation |

Configuration

Set these environment variables depending on the input source:
| Variable | When Needed | Purpose |
| --- | --- | --- |
| GITHUB_TOKEN | --github-url (recommended) | Higher GitHub API rate limits and access to private issues |
| JIRA_SITE_URL | --jira-url | Jira site, e.g. https://mycompany.atlassian.net |
| JIRA_EMAIL | --jira-url | Email of the Jira account used to fetch the ticket |
| JIRA_API_TOKEN | --jira-url | API token for the Jira account |
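
A preflight check for the two rules above (exactly one ticket source, and the environment variables that source needs), useful before a run in CI. This is an added example, not part of Prowler Studio; `studio_preflight` is a hypothetical helper name, and it reads credentials only from the environment so they stay out of the command line.

```shell
# Added example, not part of Prowler Studio. studio_preflight is a hypothetical
# helper; it uses only the flags and environment variables documented above.
# Returns 0 when exactly one ticket source is given and the variables that
# source requires are set, 1 otherwise. Secret values are never printed.
studio_preflight() {
    local sources=0 source="" missing=0 arg var val
    for arg in "$@"; do
        case "$arg" in
            -t|--ticket)     sources=$((sources + 1)); source=ticket ;;
            -j|--jira-url)   sources=$((sources + 1)); source=jira ;;
            -g|--github-url) sources=$((sources + 1)); source=github ;;
        esac
    done
    if [ "$sources" -ne 1 ]; then
        echo "preflight: give exactly one of --ticket, --jira-url, --github-url (found $sources)" >&2
        return 1
    fi
    case "$source" in
        jira)
            for var in JIRA_SITE_URL JIRA_EMAIL JIRA_API_TOKEN; do
                eval "val=\${$var:-}"   # var is one of the fixed names above
                if [ -z "$val" ]; then
                    echo "preflight: $var is not set (needed for --jira-url)" >&2
                    missing=1
                fi
            done
            ;;
        github)
            # Recommended rather than required, so warn and continue.
            [ -n "${GITHUB_TOKEN:-}" ] ||
                echo "preflight: GITHUB_TOKEN is not set; expect lower rate limits and no private issues" >&2
            ;;
    esac
    return "$missing"
}

# Usage: studio_preflight "$@" && prowler-studio "$@"
```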