Skip to content

Miscellaneous

Prowler Version

Show Prowler version:

prowler <provider> -V/-v/--version

Verbose

Execute Prowler in verbose mode (like in Version 2):

prowler <provider> --verbose

Filter findings by status

Prowler can filter the findings by their status, so you can see only in the CLI and in the reports the findings with a specific status:

prowler <provider> --status [PASS, FAIL, MANUAL]

Disable Exit Code 3

Prowler does not trigger exit code 3 with failed checks:

prowler <provider> -z/--ignore-exit-code-3

Hide Prowler Banner

Prowler can run without showing its banner:

prowler <provider> -b/--no-banner

Disable Colors

Prowler can run without showing colors:

prowler <provider> --no-color

Checks

Prowler has checks per provider, there are options related with them:

  • List the available checks in the provider:
    prowler <provider> --list-checks
    
  • Execute specific check(s):
    prowler <provider> -c/--checks s3_bucket_public_access
    
  • Exclude specific check(s):
    prowler <provider> -e/--excluded-checks ec2 rds
    
  • Execute checks that appears in a json file:
    <checks_list>.json
    
    {
        "<provider>": [
            "<check_name_1",
            "<check_name_2",
            "<check_name_3",
            ...
        ],
        ...
    }
    
    prowler <provider> -C/--checks-file <checks_list>.json
    

Custom Checks

Prowler allows you to include your custom checks with the flag:

prowler <provider> -x/--checks-folder <custom_checks_folder>

Note

S3 URIs are also supported as folders for custom checks, e.g. s3://bucket/prefix/checks_folder/. Make sure that the used credentials have s3:GetObject permissions in the S3 path where the custom checks are located.

The custom checks folder must contain one subfolder per check, each subfolder must be named as the check and must contain:

  • An empty __init__.py: to make Python treat this check folder as a package.
  • A check_name.py containing the check's logic.
  • A check_name.metadata.json containing the check's metadata.
Note

The check name must start with the service name followed by an underscore (e.g., ec2_instance_public_ip).

To see more information about how to write checks see the Developer Guide.

Note

If you want to run ONLY your custom check(s), import it with -x (--checks-folder) and then run it with -c (--checks), e.g.:

prowler aws -x s3://bucket/prowler/providers/aws/services/s3/s3_bucket_policy/ -c s3_bucket_policy

Severities

Each of Prowler's checks has a severity, which can be: - informational - low - medium - high - critical

To execute specific severity(s):

prowler <provider> --severity critical high

Service

Prowler has services per provider, there are options related with them:

  • List the available services in the provider:
    prowler <provider> --list-services
    
  • Execute specific service(s):
    prowler <provider> -s/--services s3 iam
    
  • Exclude specific service(s):
    prowler <provider> --excluded-services ec2 rds
    

Categories

Prowler groups checks in different categories, there are options related with them:

  • List the available categories in the provider:
    prowler <provider> --list-categories
    
  • Execute specific category(s):
    prowler  <provider> --categories secrets