Prowler’s Infrastructure as Code (IaC) provider enables scanning of local or remote infrastructure code for security and compliance issues using Trivy. This provider supports a wide range of IaC frameworks, allowing assessment of code before deployment.

Supported IaC Formats

The Prowler IaC provider scans the following Infrastructure as Code configurations for misconfigurations and secrets:

| Configuration Type | File Patterns |
| --- | --- |
| Kubernetes | *.yml, *.yaml, *.json |
| Docker | Dockerfile, Containerfile |
| Terraform | *.tf, *.tf.json, *.tfvars |
| Terraform Plan | tfplan, *.tfplan, *.json |
| CloudFormation | *.yml, *.yaml, *.json |
| Azure ARM Template | *.json |
| Helm | *.yml, *.yaml, *.tpl, *.tar.gz, etc. |
| YAML | *.yaml, *.yml |
| JSON | *.json |
| Ansible | *.yml, *.yaml, *.json, *.ini, or files without an extension |

How It Works

  • Prowler App leverages Trivy to scan local directories (or specified paths) for supported IaC files, or scans remote repositories.
  • No cloud credentials or authentication are required for local scans.
  • For remote repository scans, authentication can be provided via git URL, CLI flags or environment variables.
  • Mutelist logic (filtering) is handled by Trivy, not Prowler.
  • Results are output in the same formats as other Prowler providers (CSV, JSON, HTML, etc.).

Prowler App

Added in: 5.14.0

Supported Scanners

Scanner selection is not configurable in Prowler App. Default scanners, misconfig and secret, run automatically during each scan.

Step 1: Access Prowler Cloud/App

  1. Navigate to Prowler Cloud or launch Prowler App
  2. Go to “Configuration” > “Cloud Providers”
  3. Click “Add Cloud Provider”
  4. Select “Infrastructure as Code”
  5. Add the Repository URL and an optional alias, then click “Next”

Step 2: Enter Authentication Details

  1. Optionally provide the authentication details for private repositories, then click “Next”

Step 3: Verify Connection & Start Scan

  1. Review the provider configuration and click “Launch scan” to initiate the scan

Prowler CLI

Added in: 5.8.0

Supported Scanners

Prowler CLI supports the following scanners. By default, only the misconfiguration and secret scanners run during a scan. To choose which scanners run, refer to the Specify Scanners section below.

Usage

Use the iac argument to run Prowler with the IaC provider. Specify the directory or repository to scan, frameworks to include, and paths to exclude.

Scan a Local Directory (default)

prowler iac --scan-path ./my-iac-directory

Scan a Remote GitHub Repository

prowler iac --scan-repository-url https://github.com/user/repo.git

Authentication for Remote Private Repositories

Authentication for private repositories can be provided using one of the following methods:
  • GitHub Username and Personal Access Token (PAT):
    prowler iac --scan-repository-url https://github.com/user/repo.git \
      --github-username <username> --personal-access-token <token>
  • GitHub OAuth App Token:
    prowler iac --scan-repository-url https://github.com/user/repo.git \
      --oauth-app-token <oauth_token>
  • If not provided via CLI flags, the following environment variables are used, in order of precedence:
    • GITHUB_OAUTH_APP_TOKEN
    • GITHUB_USERNAME and GITHUB_PERSONAL_ACCESS_TOKEN
  • If neither CLI flags nor environment variables are set, the scan attempts to clone anonymously, or with any credentials embedded in the git URL.

Mutually Exclusive Flags

  • --scan-path and --scan-repository-url are mutually exclusive. Only one can be specified at a time.
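The credential precedence and the scan-target exclusivity above, expressed as a small resolver so the order of fallbacks is explicit and URL-embedded credentials are masked before anything is logged. This is an added illustration, not Prowler's own code; `IacAuth`, `validate_scan_target`, `redact_url` and `resolve_iac_auth` are hypothetical names, and the tie-break between the two CLI methods is an assumption.

```python
"""Constructed illustration of the `prowler iac` authentication precedence and the
--scan-path / --scan-repository-url exclusivity described above.
Not Prowler's own code; the function and class names are hypothetical."""
from dataclasses import dataclass
from typing import Mapping, Optional
from urllib.parse import urlsplit, urlunsplit


@dataclass(frozen=True)
class IacAuth:
    method: str     # "oauth_app_token", "pat", "url_embedded" or "none"
    clone_url: str  # URL safe to log: any user:token embedded in it is masked


def validate_scan_target(scan_path: Optional[str], repo_url: Optional[str]) -> str:
    """Exactly one of --scan-path or --scan-repository-url must be given."""
    if bool(scan_path) == bool(repo_url):
        raise ValueError("specify exactly one of --scan-path or --scan-repository-url")
    return "local" if scan_path else "remote"


def redact_url(url: str) -> str:
    """Mask credentials written as https://user:token@host/... so they never reach logs."""
    parts = urlsplit(url)
    if parts.username is None and parts.password is None:
        return url
    host = parts.hostname or ""
    if parts.port:
        host = f"{host}:{parts.port}"
    return urlunsplit((parts.scheme, f"***@{host}", parts.path, parts.query, parts.fragment))


def resolve_iac_auth(repo_url: str, env: Mapping[str, str],
                     oauth_app_token: Optional[str] = None,
                     github_username: Optional[str] = None,
                     personal_access_token: Optional[str] = None) -> IacAuth:
    """CLI flags first, then GITHUB_OAUTH_APP_TOKEN, then GITHUB_USERNAME +
    GITHUB_PERSONAL_ACCESS_TOKEN, finally whatever the git URL itself carries.
    Assumption: if both CLI methods are passed, the OAuth token wins, mirroring
    the documented environment-variable order."""
    safe_url = redact_url(repo_url)
    if oauth_app_token:
        return IacAuth("oauth_app_token", safe_url)
    if github_username and personal_access_token:
        return IacAuth("pat", safe_url)
    if env.get("GITHUB_OAUTH_APP_TOKEN"):
        return IacAuth("oauth_app_token", safe_url)
    if env.get("GITHUB_USERNAME") and env.get("GITHUB_PERSONAL_ACCESS_TOKEN"):
        return IacAuth("pat", safe_url)
    parts = urlsplit(repo_url)
    if parts.username or parts.password:
        return IacAuth("url_embedded", safe_url)  # clone relies on URL-embedded credentials
    return IacAuth("none", safe_url)              # anonymous clone attempt
```

Feeding `clone_url` rather than the raw flag value into CI logs keeps a token pasted into the repository URL out of build output.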

Specify Scanners

To run only specific scanners, use the --scanners flag. For example, to scan only for vulnerabilities and misconfigurations:
prowler iac --scan-path ./my-iac-directory --scanners vuln misconfig

Exclude Paths

prowler iac --scan-path ./my-iac-directory --exclude-path ./my-iac-directory/test,./my-iac-directory/examples

Output

Use the standard Prowler output options, for example:
prowler iac --scan-path ./iac --output-formats csv json html