# Basic Usage

## Running Prowler

Running Prowler requires specifying the provider (e.g., `aws`, `gcp`, `azure`, `kubernetes`, `m365`, `github`, `iac` or `mongodbatlas`):

<Note>
  If no provider is specified, AWS is used by default for backward compatibility with Prowler v2.
</Note>

```console theme={null}
prowler <provider>
```

<img src="https://mintcdn.com/prowler/9AoCN7Q_gXN7wF7l/images/short-display.png?fit=max&auto=format&n=9AoCN7Q_gXN7wF7l&q=85&s=ad991dd5d9346068631cd7b328b04408" alt="Prowler Execution" width="1865" height="1191" data-path="images/short-display.png" />

<Note>
  Running the `prowler` command without options uses environment variable credentials. Refer to the Authentication section of each provider for credential configuration details.
</Note>

## Verbose Output

Prowler displays minimal output unless verbosity is enabled. If you prefer the former verbose output, which shows more information while Prowler is running, use `--verbose`.

## Report Generation

By default, Prowler generates CSV, JSON-OCSF, and HTML reports. Additional provider-specific formats are available:

* **JSON-ASFF** (AWS only): Used by AWS Security Hub
* **SARIF** (IaC only): Used by GitHub Code Scanning

To specify output formats, use the `-M` or `--output-modes` flag:

```console theme={null}
prowler <provider> -M csv json-asff json-ocsf html
```

The HTML report is saved in the output directory, alongside other reports. It will look like this:

<img src="https://mintcdn.com/prowler/LI3palQgXkn4dRXg/images/html-output.png?fit=max&auto=format&n=LI3palQgXkn4dRXg&q=85&s=ebf722f4914fcc25d4cad314a75dcc82" alt="Prowler Execution" width="1908" height="925" data-path="images/html-output.png" />
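
A typical use of the JSON-OCSF report is a CI gate that fails the build on high-impact findings. The script below is an added example, not part of Prowler or its documentation. It assumes the report is a JSON array whose findings carry the OCSF fields `status_code`, `severity`, `metadata.event_code` and `resources[].uid`; the blocking policy and the sample data are constructed.

```python
import json
from collections import Counter

# Severities that fail the pipeline (assumed policy, adjust to your own).
BLOCKING = {"critical", "high"}

# Constructed sample shaped like a JSON-OCSF report (an array of findings).
# Field names follow OCSF Detection Finding; Prowler's use of them is assumed.
SAMPLE_REPORT = json.dumps([
    {"status_code": "FAIL", "severity": "High",
     "metadata": {"event_code": "s3_bucket_public_access"},
     "resources": [{"uid": "arn:aws:s3:::example-bucket"}]},
    {"status_code": "PASS", "severity": "Critical",
     "metadata": {"event_code": "storage_blob_public_access_level_is_disabled"},
     "resources": [{"uid": "example-storage-account"}]},
    {"status_code": "FAIL", "severity": "Low",
     "metadata": {"event_code": "example_check"}, "resources": []},
    {"status_code": "FAIL", "severity": "critical", "metadata": {}},
])

def summarize(report_text):
    """Return (Counter of failed findings by severity, blocking findings)."""
    findings = json.loads(report_text)
    if not isinstance(findings, list):
        raise ValueError("expected a JSON array of findings")
    by_severity, blocking = Counter(), []
    for f in findings:
        if str(f.get("status_code", "")).upper() != "FAIL":
            continue  # only failed checks count against the gate
        sev = str(f.get("severity", "unknown")).lower()
        by_severity[sev] += 1
        if sev in BLOCKING:
            # Tolerate missing fields so one odd record cannot hide a failure.
            check = (f.get("metadata") or {}).get("event_code", "<unknown check>")
            uids = [r.get("uid", "?") for r in f.get("resources") or []]
            blocking.append((sev, check, uids))
    return by_severity, blocking

def gate(report_text):
    """CI exit code: 1 if any blocking finding failed, otherwise 0."""
    return 1 if summarize(report_text)[1] else 0

if __name__ == "__main__":
    counts, blocking = summarize(SAMPLE_REPORT)
    print("failed by severity:", dict(counts))
    for sev, check, uids in blocking:
        print(f"{sev.upper():8} {check} {', '.join(uids) or '-'}")
    print("exit code:", gate(SAMPLE_REPORT))
```

In a pipeline, pass the contents of the JSON-OCSF file from the output directory to `gate()` and exit with its return value.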

## Listing Available Checks and Services

List all available checks or services within a provider using `-l`/`--list-checks` or `--list-services`.

```console theme={null}
prowler <provider> --list-checks
prowler <provider> --list-services
```

## Running Specific Checks or Services

Execute specific checks or services using `-c`/`--checks` or `-s`/`--services`:

```console theme={null}
prowler azure --checks storage_blob_public_access_level_is_disabled
prowler aws --services s3 ec2
prowler gcp --services iam compute
prowler kubernetes --services etcd apiserver
```

## Excluding Checks and Services

Checks and services can be excluded with `-e`/`--excluded-checks` or `--excluded-services`:

```console theme={null}
prowler aws --excluded-checks s3_bucket_public_access
prowler azure --excluded-services defender iam
prowler gcp --excluded-services kms
prowler kubernetes --excluded-services controllermanager
```

## Additional Options

Explore more advanced time-saving execution methods in the [Miscellaneous](/user-guide/cli/tutorials/misc) section.

Access the help menu and view all available options with `-h`/`--help`:

```console theme={null}
prowler --help
```

## AWS

Use a custom AWS profile with `-p`/`--profile` and/or specific AWS regions with `-f`/`--filter-region`:

```console theme={null}
prowler aws --profile custom-profile -f us-east-1 eu-south-2
```

<Note>
  By default, `prowler` will scan all AWS regions.
</Note>

See more details about AWS Authentication in the [Authentication Section](/user-guide/providers/aws/authentication).

## Azure

Azure requires specifying the auth method:

```console theme={null}
# To use service principal authentication
prowler azure --sp-env-auth

# To use az cli authentication
prowler azure --az-cli-auth

# To use browser authentication
prowler azure --browser-auth --tenant-id "XXXXXXXX"

# To use managed identity auth
prowler azure --managed-identity-auth
```

See more details about Azure Authentication in the [Authentication Section](/user-guide/providers/azure/authentication).

By default, Prowler scans all accessible subscriptions. Scan specific subscriptions using the following flag (using az cli auth as example):

```console theme={null}
prowler azure --az-cli-auth --subscription-ids <subscription ID 1> <subscription ID 2> ... <subscription ID N>
```

## Google Cloud

* **User Account Credentials**

  By default, Prowler uses **User Account credentials**. Configure accounts using:

  * `gcloud init` – Set up a new account.
  * `gcloud config set account <account>` – Switch to an existing account.

  Once configured, obtain access credentials using: `gcloud auth application-default login`.

* **Service Account Authentication**

  Alternatively, you can use Service Account credentials:

  Generate and download Service Account keys in JSON format. Refer to [Google IAM documentation](https://cloud.google.com/iam/docs/creating-managing-service-account-keys) for details.

  Provide the key file location using this argument:

  ```console theme={null}
  prowler gcp --credentials-file path
  ```

* **Scanning Specific GCP Projects**

  By default, Prowler scans all accessible GCP projects. Scan specific projects with the `--project-ids` flag:

  ```console theme={null}
  prowler gcp --project-ids <Project ID 1> <Project ID 2> ... <Project ID N>
  ```

* **GCP Retry Configuration**

  Configure the maximum number of retry attempts for Google Cloud SDK API calls with the `--gcp-retries-max-attempts` flag:

  ```console theme={null}
  prowler gcp --gcp-retries-max-attempts 5
  ```

  This is useful when experiencing quota exceeded errors (HTTP 429) to increase the number of automatic retry attempts.

## Kubernetes

Prowler enables security scanning of Kubernetes clusters, supporting both **in-cluster** and **external** execution.

* **Non In-Cluster Execution**

  ```console theme={null}
  prowler kubernetes --kubeconfig-file path
  ```

  <Note>
    If no `--kubeconfig-file` is provided, Prowler will use the default KubeConfig file location (`~/.kube/config`).
  </Note>
* **In-Cluster Execution**

  To run Prowler inside the cluster, apply the provided YAML configuration to deploy a job in a new namespace:

  ```console theme={null}
  kubectl apply -f kubernetes/prowler-sa.yaml
  kubectl apply -f kubernetes/job.yaml
  kubectl apply -f kubernetes/prowler-role.yaml
  kubectl apply -f kubernetes/prowler-rolebinding.yaml
  kubectl get pods --namespace prowler-ns   # note the pod name, e.g. prowler-XXXXX
  kubectl logs prowler-XXXXX --namespace prowler-ns
  ```

  <Note>
    By default, Prowler scans all namespaces in the active Kubernetes context. Use the `--context` flag to specify the context to be scanned and `--namespaces` to restrict scanning to specific namespaces.
  </Note>

## Microsoft 365

Microsoft 365 requires specifying the auth method:

```console theme={null}
# To use service principal authentication for MSGraph and PowerShell modules
prowler m365 --sp-env-auth

# To use az cli authentication
prowler m365 --az-cli-auth

# To use browser authentication
prowler m365 --browser-auth --tenant-id "XXXXXXXX"
```

See more details about M365 Authentication in the [Authentication Section](/user-guide/providers/microsoft365/authentication).

## GitHub

Prowler enables security scanning of your **GitHub account**, including **Repositories**, **Organizations** and **Applications**.

* **Supported Authentication Methods**

  Authenticate using one of the following methods:

  ```console theme={null}
  # Personal Access Token (PAT):
  prowler github --personal-access-token pat

  # OAuth App Token:
  prowler github --oauth-app-token oauth_token

  # GitHub App Credentials:
  prowler github --github-app-id app_id --github-app-key app_key
  ```

  <Note>
    If no login method is explicitly provided, Prowler will automatically attempt to authenticate using environment variables in the following order of precedence:

    1. `GITHUB_PERSONAL_ACCESS_TOKEN`
    2. `OAUTH_APP_TOKEN`
    3. `GITHUB_APP_ID` and `GITHUB_APP_KEY`
  </Note>

## Infrastructure as Code (IaC)

Prowler's Infrastructure as Code (IaC) provider enables you to scan local or remote infrastructure code for security and compliance issues using [Trivy](https://trivy.dev/). This provider supports a wide range of IaC frameworks, allowing you to assess your code before deployment.

```console theme={null}
# Scan a directory for IaC files
prowler iac --scan-path ./my-iac-directory

# Scan a remote GitHub repository (public or private)
prowler iac --scan-repository-url https://github.com/user/repo.git

# Authenticate to a private repo with GitHub username and PAT
prowler iac --scan-repository-url https://github.com/user/repo.git \
  --github-username <username> --personal-access-token <token>

# Authenticate to a private repo with OAuth App Token
prowler iac --scan-repository-url https://github.com/user/repo.git \
  --oauth-app-token <oauth_token>

# Specify frameworks to scan (default: all)
prowler iac --scan-path ./my-iac-directory --frameworks terraform kubernetes

# Exclude specific paths
prowler iac --scan-path ./my-iac-directory --exclude-path ./my-iac-directory/test,./my-iac-directory/examples
```

<Note>
  * `--scan-path` and `--scan-repository-url` are mutually exclusive; only one can be specified at a time.
  * For remote repository scans, authentication can be provided via CLI flags or environment variables (`GITHUB_OAUTH_APP_TOKEN`, `GITHUB_USERNAME`, `GITHUB_PERSONAL_ACCESS_TOKEN`). CLI flags take precedence.
  * The IaC provider does not require cloud authentication for local scans.
  * It is ideal for CI/CD pipelines and local development environments.
  * For more details on supported scanners, see the [Trivy documentation](https://trivy.dev/latest/docs/scanner/vulnerability/).
</Note>

See more details about IaC scanning in the [IaC Tutorial](/user-guide/providers/iac/getting-started-iac) section.

## MongoDB Atlas

Prowler allows you to scan your MongoDB Atlas cloud database deployments for security and compliance issues.

Authentication is done using MongoDB Atlas API key pairs:

```console theme={null}
# Using command-line arguments
prowler mongodbatlas --atlas-public-key <public_key> --atlas-private-key <private_key>

# Using environment variables
export ATLAS_PUBLIC_KEY=<public_key>
export ATLAS_PRIVATE_KEY=<private_key>
prowler mongodbatlas
```

You can filter scans to specific organizations or projects:

```console theme={null}
# Scan specific project
prowler mongodbatlas --atlas-project-id <project_id>
```

See more details about MongoDB Atlas Authentication in [MongoDB Atlas Authentication](/user-guide/providers/mongodbatlas/authentication).

## Oracle Cloud

Prowler allows you to scan your Oracle Cloud deployments for security and compliance issues.

You have two options to authenticate:

1. OCI Config File Authentication: this config file can be generated using the OCI CLI with the `oci session authenticate` command or created manually using the OCI Console. For more details, see the [OCI Authentication Guide](/user-guide/providers/oci/authentication#oci-session-authentication).

   ```console theme={null}
   prowler oci
   ```

   You can add different profiles to the config file to scan different tenancies or regions. In order to scan a specific profile, use the `--profile` flag:

   ```console theme={null}
   prowler oci --profile <profile_name>
   ```

2. Instance Principal Authentication: when running Prowler on an OCI Compute instance, you can use Instance Principal authentication. For more details, see the [OCI Authentication Guide](/user-guide/providers/oci/authentication#instance-principal-authentication).

   ```console theme={null}
   prowler oci --use-instance-principal
   ```

See more details about Oracle Cloud Authentication in [Oracle Cloud Authentication](/user-guide/providers/oci/authentication).
