Skip to main content

Running Prowler

Running Prowler requires specifying the provider (e.g aws, gcp, azure, kubernetes, m365, github, iac or mongodbatlas):
If no provider is specified, AWS is used by default for backward compatibility with Prowler v2.
prowler <provider>
Prowler Execution
Running the prowler command without options will uses environment variable credentials. Refer to the Authentication section of each provider for credential configuration details.

Verbose Output

If you prefer the former verbose output, use: --verbose. This allows seeing more info while Prowler is running, minimal output is displayed unless verbosity is enabled.

Report Generation

By default, Prowler generates CSV, JSON-OCSF, and HTML reports. To generate a JSON-ASFF report (used by AWS Security Hub), specify -M or --output-modes: 
prowler <provider> -M csv json-asff json-ocsf html
The HTML report is saved in the output directory, alongside other reports. It will look like this: Prowler Execution

Listing Available Checks and Services

List all available checks or services within a provider using -l/--list-checks or --list-services. 
prowler <provider> --list-checks
prowler <provider> --list-services

Running Specific Checks or Services

Execute specific checks or services using -c/checks or -s/services: 
prowler azure --checks storage_blob_public_access_level_is_disabled
prowler aws --services s3 ec2
prowler gcp --services iam compute
prowler kubernetes --services etcd apiserver

Excluding Checks and Services

Checks and services can be excluded with -e/--excluded-checks or --excluded-services: 
prowler aws --excluded-checks s3_bucket_public_access
prowler azure --excluded-services defender iam
prowler gcp --excluded-services kms
prowler kubernetes --excluded-services controllermanager

Additional Options

Explore more advanced time-saving execution methods in the Miscellaneous section. Access the help menu and view all available options with -h/--help: 
prowler --help

AWS

Use a custom AWS profile with -p/--profile and/or specific AWS regions with -f/--filter-region: 
prowler aws --profile custom-profile -f us-east-1 eu-south-2
By default, prowler will scan all AWS regions.
See more details about AWS Authentication in the Authentication Section section.

Azure

Azure requires specifying the auth method: 
# To use service principal authentication
prowler azure --sp-env-auth

# To use az cli authentication
prowler azure --az-cli-auth

# To use browser authentication
prowler azure --browser-auth --tenant-id "XXXXXXXX"

# To use managed identity auth
prowler azure --managed-identity-auth
See more details about Azure Authentication in the Authentication Section By default, Prowler scans all accessible subscriptions. Scan specific subscriptions using the following flag (using az cli auth as example): 
prowler azure --az-cli-auth --subscription-ids <subscription ID 1> <subscription ID 2> ... <subscription ID N>

Google Cloud

  • User Account Credentials By default, Prowler uses User Account credentials. Configure accounts using:
    • gcloud init – Set up a new account.
    • gcloud config set account <account> – Switch to an existing account.
    Once configured, obtain access credentials using: gcloud auth application-default login.
  • Service Account Authentication Alternatively, you can use Service Account credentials: Generate and download Service Account keys in JSON format. Refer to Google IAM documentation for details. Provide the key file location using this argument: 
    prowler gcp --credentials-file path
  • Scanning Specific GCP Projects By default, Prowler scans all accessible GCP projects. Scan specific projects with the --project-ids flag: 
    prowler gcp --project-ids <Project ID 1> <Project ID 2> ... <Project ID N>
  • GCP Retry Configuration Configure the maximum number of retry attempts for Google Cloud SDK API calls with the --gcp-retries-max-attempts flag: 
    prowler gcp --gcp-retries-max-attempts 5
    This is useful when experiencing quota exceeded errors (HTTP 429) to increase the number of automatic retry attempts.

Kubernetes

Prowler enables security scanning of Kubernetes clusters, supporting both in-cluster and external execution.
  • Non In-Cluster Execution 
    prowler kubernetes --kubeconfig-file path
    If no --kubeconfig-file is provided, Prowler will use the default KubeConfig file location (~/.kube/config).
  • In-Cluster Execution To run Prowler inside the cluster, apply the provided YAML configuration to deploy a job in a new namespace: 
    kubectl apply -f kubernetes/prowler-sa.yaml
kubectl apply -f kubernetes/job.yaml
kubectl apply -f kubernetes/prowler-role.yaml
kubectl apply -f kubernetes/prowler-rolebinding.yaml
kubectl get pods --namespace prowler-ns --> prowler-XXXXX
kubectl logs prowler-XXXXX --namespace prowler-ns
    By default, Prowler scans all namespaces in the active Kubernetes context. Use the --contextflag to specify the context to be scanned and --namespaces to restrict scanning to specific namespaces.

Microsoft 365

Microsoft 365 requires specifying the auth method: 

# To use service principal authentication for MSGraph and PowerShell modules
prowler m365 --sp-env-auth

# To use az cli authentication
prowler m365 --az-cli-auth

# To use browser authentication
prowler m365 --browser-auth --tenant-id "XXXXXXXX"
See more details about M365 Authentication in the Authentication Section section.

GitHub

Prowler enables security scanning of your GitHub account, including Repositories, Organizations and Applications.
  • Supported Authentication Methods Authenticate using one of the following methods: 
    # Personal Access Token (PAT):
prowler github --personal-access-token pat

# OAuth App Token:
prowler github --oauth-app-token oauth_token

# GitHub App Credentials:
prowler github --github-app-id app_id --github-app-key app_key
    If no login method is explicitly provided, Prowler will automatically attempt to authenticate using environment variables in the following order of precedence:
    1. GITHUB_PERSONAL_ACCESS_TOKEN
    2. OAUTH_APP_TOKEN
    3. GITHUB_APP_ID and GITHUB_APP_KEY

Infrastructure as Code (IaC)

Prowler’s Infrastructure as Code (IaC) provider enables you to scan local or remote infrastructure code for security and compliance issues using Trivy. This provider supports a wide range of IaC frameworks, allowing you to assess your code before deployment. 
# Scan a directory for IaC files
prowler iac --scan-path ./my-iac-directory

# Scan a remote GitHub repository (public or private)
prowler iac --scan-repository-url https://github.com/user/repo.git

# Authenticate to a private repo with GitHub username and PAT
prowler iac --scan-repository-url https://github.com/user/repo.git \
  --github-username <username> --personal-access-token <token>

# Authenticate to a private repo with OAuth App Token
prowler iac --scan-repository-url https://github.com/user/repo.git \
  --oauth-app-token <oauth_token>

# Specify frameworks to scan (default: all)
prowler iac --scan-path ./my-iac-directory --frameworks terraform kubernetes

# Exclude specific paths
prowler iac --scan-path ./my-iac-directory --exclude-path ./my-iac-directory/test,./my-iac-directory/examples
  • --scan-path and --scan-repository-url are mutually exclusive; only one can be specified at a time.
  • For remote repository scans, authentication can be provided via CLI flags or environment variables (GITHUB_OAUTH_APP_TOKEN, GITHUB_USERNAME, GITHUB_PERSONAL_ACCESS_TOKEN). CLI flags take precedence.
  • The IaC provider does not require cloud authentication for local scans.
  • It is ideal for CI/CD pipelines and local development environments.
  • For more details on supported scanners, see the Trivy documentation
See more details about IaC scanning in the IaC Tutorial section.

MongoDB Atlas

Prowler allows you to scan your MongoDB Atlas cloud database deployments for security and compliance issues. Authentication is done using MongoDB Atlas API key pairs: 
# Using command-line arguments
prowler mongodbatlas --atlas-public-key <public_key> --atlas-private-key <private_key>

# Using environment variables
export ATLAS_PUBLIC_KEY=<public_key>
export ATLAS_PRIVATE_KEY=<private_key>
prowler mongodbatlas
You can filter scans to specific organizations or projects: 
# Scan specific project
prowler mongodbatlas --atlas-project-id <project_id>
See more details about MongoDB Atlas Authentication in MongoDB Atlas Authentication

Oracle Cloud

Prowler allows you to scan your Oracle Cloud deployments for security and compliance issues. You have two options to authenticate:
  1. OCI Config File Authentication: this config file can be generated using the OCI CLI with the oci session authenticate command or created manually using the OCI Console. For more details, see the OCI Authentication Guide. 
    prowler oci
    You can add different profiles to the config file to scan different tenancies or regions. In order to scan a specific profile, use the --profile flag: 
    prowler oci --profile <profile_name>
  2. Instance Principal Authentication: when running Prowler on an OCI Compute instance, you can use Instance Principal authentication. For more details, see the OCI Authentication Guide. 
    prowler oci --use-instance-principal
See more details about Oracle Cloud Authentication in Oracle Cloud Authentication
I