Getting Started with the IaC Provider

Prowler's Infrastructure as Code (IaC) provider enables scanning of local or remote infrastructure code for security and compliance issues using Trivy. This provider supports a wide range of IaC frameworks, allowing assessment of code before deployment.

Supported Scanners

The IaC provider leverages Trivy to support multiple scanners, including:

  • Vulnerability
  • Misconfiguration
  • Secret
  • License

How It Works

  • The IaC provider scans local directories (or specified paths) for supported IaC files, or scans remote repositories.
  • No cloud credentials or authentication are required for local scans.
  • For remote repository scans, authentication can be provided via the git URL, CLI flags, or environment variables.
  • Check the IaC Authentication page for more details.
  • Mutelist logic is handled by Trivy, not Prowler.
  • Results are output in the same formats as other Prowler providers (CSV, JSON, HTML, etc.).

Prowler CLI

Usage

Use the iac argument to run Prowler with the IaC provider. Specify the directory or repository to scan, frameworks to include, and paths to exclude.

Scan a Local Directory (default)

prowler iac --scan-path ./my-iac-directory

Scan a Remote GitHub Repository

prowler iac --scan-repository-url https://github.com/user/repo.git

Authentication for Remote Private Repositories

Authentication for private repositories can be provided using one of the following methods:

  • GitHub Username and Personal Access Token (PAT):
    prowler iac --scan-repository-url https://github.com/user/repo.git \
      --github-username <username> --personal-access-token <token>
    
  • GitHub OAuth App Token:
    prowler iac --scan-repository-url https://github.com/user/repo.git \
      --oauth-app-token <oauth_token>
    
  • If not provided via CLI, the following environment variables will be used (in order of precedence):
    • GITHUB_OAUTH_APP_TOKEN
    • GITHUB_USERNAME and GITHUB_PERSONAL_ACCESS_TOKEN
  • If neither CLI flags nor environment variables are set, the scan will attempt to clone without authentication or using the credentials provided in the git URL.

Mutually Exclusive Flags

  • --scan-path and --scan-repository-url are mutually exclusive. Only one can be specified at a time.

Specify Scanners

Run only the vulnerability and misconfiguration scanners:

prowler iac --scan-path ./my-iac-directory --scanners vuln misconfig

Exclude Paths

prowler iac --scan-path ./my-iac-directory --exclude-path ./my-iac-directory/test,./my-iac-directory/examples

Output

Use the standard Prowler output options, for example:

prowler iac --scan-path ./iac --output-formats csv json html
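The following is an added example, not part of Prowler's own code or documentation: a small POSIX shell wrapper that assembles a `prowler iac` command line from either a local path or a repository URL (never both) and resolves credentials in the precedence described above (CLI-equivalent flags built from GITHUB_OAUTH_APP_TOKEN, then GITHUB_USERNAME plus GITHUB_PERSONAL_ACCESS_TOKEN, otherwise unauthenticated). The refusal of URLs with embedded `user:token@` credentials is a hardening choice of this wrapper, not a Prowler rule; the assembled command is printed rather than executed, so it runs without Prowler installed.

```shell
#!/bin/sh
# Added example (not Prowler's own code). Builds a `prowler iac` command line
# following the documented credential precedence and keeps secrets out of the
# repository URL, so they are not written to CI logs or shell history.

# Print the authentication flags for a remote repository, or nothing at all.
iac_auth_flags() {
  if [ -n "${GITHUB_OAUTH_APP_TOKEN:-}" ]; then
    printf '%s %s' '--oauth-app-token' "$GITHUB_OAUTH_APP_TOKEN"
  elif [ -n "${GITHUB_USERNAME:-}" ] && [ -n "${GITHUB_PERSONAL_ACCESS_TOKEN:-}" ]; then
    printf '%s %s %s %s' '--github-username' "$GITHUB_USERNAME" \
      '--personal-access-token' "$GITHUB_PERSONAL_ACCESS_TOKEN"
  fi
}

# build_iac_cmd TARGET [EXTRA FLAGS...]
# TARGET is a local path (--scan-path) or a git URL (--scan-repository-url);
# the two flags are mutually exclusive, so exactly one is emitted.
build_iac_cmd() {
  target=$1
  shift
  case "$target" in
    http://*|https://*|ssh://*|git@*)
      # Wrapper policy (assumption, not a Prowler rule): reject user:token@host URLs.
      case "$target" in
        *://*:*@*)
          echo "refusing repository URL with embedded credentials" >&2
          return 1 ;;
      esac
      cmd="prowler iac --scan-repository-url $target"
      auth=$(iac_auth_flags)
      [ -n "$auth" ] && cmd="$cmd $auth"
      ;;
    *)
      cmd="prowler iac --scan-path $target"
      ;;
  esac
  # Remaining arguments (e.g. --scanners vuln misconfig, --exclude-path ...) pass through.
  [ $# -gt 0 ] && cmd="$cmd $*"
  printf '%s\n' "$cmd"
}

# Usage: build_iac_cmd ./my-iac-directory --scanners vuln misconfig
```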