> ## Documentation Index
> Fetch the complete documentation index at: https://docs.prowler.com/llms.txt
> Use this file to discover all available pages before exploring further.

<AgentInstructions>

## Submitting Feedback

If you encounter incorrect, outdated, or confusing documentation on this page, submit feedback:

POST https://docs.prowler.com/feedback

```json
{
  "path": "/user-guide/cli/tutorials/pentesting",
  "feedback": "Description of the issue"
}
```

Only submit feedback when you have something specific and actionable to report.

</AgentInstructions>

# Pentesting

Prowler has some checks that analyse pentesting risks (Secrets, Internet Exposed, AuthN, AuthZ, and more).

## Detect Secrets

Prowler uses `detect-secrets` library to search for any secrets that are stores in plaintext within your environment.

The actual checks that have this functionality are the following:

* autoscaling\_find\_secrets\_ec2\_launch\_configuration
* awslambda\_function\_no\_secrets\_in\_code
* awslambda\_function\_no\_secrets\_in\_variables
* cloudformation\_stack\_outputs\_find\_secrets
* ec2\_instance\_secrets\_user\_data
* ec2\_launch\_template\_no\_secrets
* ecs\_task\_definitions\_no\_environment\_secrets
* ssm\_document\_secrets

To execute detect-secrets related checks, you can run the following command:

```console theme={null}
prowler <provider> --categories secrets
```

## Internet Exposed Resources

Several checks analyse resources that are exposed to the Internet, these are:

1. apigateway\_restapi\_public

* appstream\_fleet\_default\_internet\_access\_disabled
* awslambda\_function\_not\_publicly\_accessible
* ec2\_ami\_public
* ec2\_ebs\_public\_snapshot
* ec2\_instance\_internet\_facing\_with\_instance\_profile
* ec2\_instance\_port\_X\_exposed\_to\_internet (where X is the port number)
* ec2\_instance\_public\_ip
* ec2\_networkacl\_allow\_ingress\_any\_port
* ec2\_securitygroup\_allow\_wide\_open\_public\_ipv4
* ec2\_securitygroup\_allow\_ingress\_from\_internet\_to\_any\_port
* ecr\_repositories\_not\_publicly\_accessible
* eks\_control\_plane\_endpoint\_access\_restricted
* eks\_endpoints\_not\_publicly\_accessible
* eks\_control\_plane\_endpoint\_access\_restricted
* eks\_endpoints\_not\_publicly\_accessible
* elbv2\_internet\_facing
* kms\_key\_not\_publicly\_accessible
* opensearch\_service\_domains\_not\_publicly\_accessible
* rds\_instance\_no\_public\_access
* rds\_snapshots\_public\_access
* s3\_bucket\_policy\_public\_write\_access
* s3\_bucket\_public\_access
* sagemaker\_notebook\_instance\_without\_direct\_internet\_access\_configured
* sns\_topics\_not\_publicly\_accessible
* sqs\_queues\_not\_publicly\_accessible
* network\_public\_ip\_shodan

To execute Internet-exposed related checks, you can run the following command:

```console theme={null}
prowler <provider> --categories internet-exposed
```

### Shodan

Prowler can check whether any public IPs in cloud environments are exposed in Shodan using the `-N`/`--shodan` option.

#### Using the Environment Variable (Recommended)

Set the `SHODAN_API_KEY` environment variable to avoid exposing the API key in process listings and shell history:

```console theme={null}
export SHODAN_API_KEY=<shodan_api_key>
```

Then run Prowler with the `--shodan` flag (no value needed):

```console theme={null}
prowler aws --shodan -c ec2_elastic_ip_shodan
```

```console theme={null}
prowler azure --shodan -c network_public_ip_shodan
```

```console theme={null}
prowler gcp --shodan -c compute_public_address_shodan
```

#### Using the CLI Flag

Alternatively, pass the API key directly on the command line:

```console theme={null}
prowler aws --shodan <shodan_api_key> -c ec2_elastic_ip_shodan
```

<Warning>
  Passing secret values directly on the command line exposes them in process listings and shell history. Prowler CLI displays a warning when this pattern is detected. Use the `SHODAN_API_KEY` environment variable instead.
</Warning>