Miscellaneous¶
Prowler Version¶
Showing the Prowler version:¶
Prowler Execution Options¶
Prowler provides various execution settings.
Verbose Execution¶
To enable verbose mode in Prowler, similar to Version 2, use:
Filter findings by status¶
Prowler allows filtering findings based on their status, ensuring reports and CLI display only relevant findings:
Disable Exit Code 3¶
By default, Prowler triggers exit code 3 for failed checks. To disable this behavior:
Hide Prowler Banner¶
To run Prowler without displaying the banner:
Disable Colors in Output¶
To run Prowler without color formatting:
Checks in Prowler¶
Prowler provides various security checks per cloud provider. Use the following options to list, execute, or exclude specific checks:
- List Available Checks: To display all available checks for the chosen provider:
- Execute Specific Checks: Run one or more specific security checks using:
- Exclude Specific Checks: Exclude checks from execution with:
- Execute Checks from a JSON File: To run checks defined in a JSON file, structure the file as follows:
<checks_list>.json
{
"<provider>": [
"<check_name_1",
"<check_name_2",
"<check_name_3",
...
],
...
}
Custom Checks in Prowler¶
Prowler supports custom security checks, allowing users to define their own logic.
Note
S3 URIs are also supported for custom check folders (e.g., s3://bucket/prefix/checks_folder/
). Ensure the credentials used have s3:GetObject
permissions in the specified S3 path.
Folder Structure for Custom Checks
Each check must reside in a dedicated subfolder, following this structure:
__init__.py
(empty file) – Ensures Python treats the check folder as a package.check_name.py
(name file) – Defines the check’s logic for contextual information.check_name.metadata.json
(metadata file) – Defines the check’s metadata for contextual information.
Note
The check name must start with the service name followed by an underscore (e.g., ec2_instance_public_ip).
To see more information about how to write checks, refer to the Developer Guide.
Note
If you want to run ONLY your custom check(s), import it with -x (--checks-folder) and then run it with -c (--checks), e.g.: console prowler aws -x s3://bucket/prowler/providers/aws/services/s3/s3_bucket_policy/ -c s3_bucket_policy
Severities¶
Each of Prowler's checks has a severity, which can be one of the following:
- informational
- low
- medium
- high
- critical
To execute specific severity(s):
Service¶
Prowler has services per provider, there are options related with them:
- List the available services in the provider:
- Execute specific service(s):
- Exclude specific service(s):
Categories¶
Prowler groups checks in different categories. There are options related with said categories:
- List the available categories in the provider:
- Execute specific category(s):