Prowler’s Infrastructure as Code (IaC) provider enables scanning of local or remote infrastructure code for security and compliance issues using Trivy. This provider supports a wide range of IaC frameworks, allowing assessment of code before deployment.

Supported Scanners

The IaC provider leverages Trivy to support multiple scanners, including:
  • Vulnerability
  • Misconfiguration
  • Secret
  • License

How It Works

  • The IaC provider scans a local directory (or the given path) for supported IaC files, or clones and scans a remote git repository.
  • No cloud credentials or authentication are required for local scans.
  • For remote repository scans, authentication can be provided through CLI flags or environment variables (or, less safely, embedded in the git URL).
  • Mutelist logic (filtering of findings) is handled by Trivy, not by Prowler's own mutelist.
  • Results are written in the same formats as other Prowler providers (CSV, JSON, HTML, etc.).

Prowler App

Added in: 5.14.0

Step 1: Access Prowler Cloud/App

  1. Navigate to Prowler Cloud or launch Prowler App
  2. Go to “Configuration” > “Cloud Providers”
  3. Click “Add Cloud Provider”
  4. Select “Infrastructure as Code”
  5. Add the Repository URL and an optional alias, then click “Next”

Step 2: Enter Authentication Details

  1. Optionally provide the authentication details for private repositories, then click “Next”

Step 3: Verify Connection & Start Scan

  1. Review the provider configuration and click “Launch scan” to initiate the scan

Prowler CLI

Added in: 5.8.0

Usage

Use the iac argument to run Prowler with the IaC provider. Specify the directory or repository to scan, the scanners to run, and the paths to exclude.

Scan a Local Directory (default)

prowler iac --scan-path ./my-iac-directory

Scan a Remote GitHub Repository

prowler iac --scan-repository-url https://github.com/user/repo.git

Authentication for Remote Private Repositories

Authentication for private repositories can be provided using one of the following methods:
  • GitHub Username and Personal Access Token (PAT):
    prowler iac --scan-repository-url https://github.com/user/repo.git \
      --github-username <username> --personal-access-token <token>
  • GitHub OAuth App Token:
    prowler iac --scan-repository-url https://github.com/user/repo.git \
      --oauth-app-token <oauth_token>
  • If not provided via CLI flags, the following environment variables are used (in order of precedence):
    • GITHUB_OAUTH_APP_TOKEN
    • GITHUB_USERNAME and GITHUB_PERSONAL_ACCESS_TOKEN
  • If neither CLI flags nor environment variables are set, the scan attempts to clone without authentication, or with credentials embedded in the git URL if present. Prefer the environment variables over CLI flags or URL-embedded credentials: values passed on the command line are visible in shell history and in process listings, and credentials in the URL are also written to the cloned repository's git configuration.

Mutually Exclusive Flags

  • --scan-path and --scan-repository-url are mutually exclusive. Only one can be specified at a time.

Specify Scanners

Scan only vulnerability and misconfiguration scanners:
prowler iac --scan-path ./my-iac-directory --scanners vuln misconfig

Exclude Paths

prowler iac --scan-path ./my-iac-directory --exclude-path ./my-iac-directory/test,./my-iac-directory/examples

Output

Use the standard Prowler output options, for example:
prowler iac --scan-path ./iac --output-formats csv json html
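The following bash wrapper is an added example and is not part of Prowler; it ties together the rules on this page before a scan is launched. It chooses --scan-path or --scan-repository-url from the shape of the target (so the two mutually exclusive flags are never combined), refuses HTTP(S) git URLs with embedded credentials, joins excluded paths into the comma-separated form shown above, passes the selected scanners and output formats, and reports which credential source Prowler will pick up under the documented precedence. Secrets are deliberately left in the environment rather than passed as flags. PROWLER_BIN and PROWLER_OUTPUT_FORMATS are settings of this wrapper, not Prowler options, and the URL-scheme detection is this wrapper's own heuristic.

```bash
#!/usr/bin/env bash
# Added example (not Prowler's own code): pre-flight wrapper for `prowler iac`.
# PROWLER_BIN and PROWLER_OUTPUT_FORMATS are assumptions of this wrapper.

# Print the credential source Prowler will use for a remote repository,
# following the documented precedence: OAuth App token, then username + PAT,
# otherwise an unauthenticated clone. Nothing secret is printed.
iac_auth_source() {
  if [ -n "${GITHUB_OAUTH_APP_TOKEN:-}" ]; then
    echo oauth-app-token
  elif [ -n "${GITHUB_USERNAME:-}" ] && [ -n "${GITHUB_PERSONAL_ACCESS_TOKEN:-}" ]; then
    echo username-pat
  else
    echo none
  fi
}

# iac_scan_args TARGET [EXCLUDES] [SCANNERS]
#   TARGET   a local directory, or a git URL (http://, https://, ssh://, git@)
#   EXCLUDES space-separated paths to exclude (joined into one comma list)
#   SCANNERS space-separated Trivy scanners (vuln misconfig secret license)
# Prints one argument per line; returns 2 when the target is unusable.
iac_scan_args() {
  local target=${1:-} excludes=${2:-} scanners=${3:-}
  local -a args=(iac)
  case "$target" in
    "")
      echo "usage: iac_scan_args TARGET [EXCLUDES] [SCANNERS]" >&2
      return 2 ;;
    http://*@*|https://*@*)
      # user:token@host ends up in shell history, `ps` output and .git/config.
      echo "refusing repository URL with embedded credentials; use env vars" >&2
      return 2 ;;
    http://*|https://*|ssh://*|git@*)
      args+=(--scan-repository-url "$target") ;;
    *)
      if [ ! -d "$target" ]; then
        echo "scan path is not a directory: $target" >&2
        return 2
      fi
      args+=(--scan-path "$target") ;;
  esac
  if [ -n "$excludes" ]; then
    # The CLI takes a single comma-separated list, e.g. ./test,./examples
    local joined
    # shellcheck disable=SC2086  # word-split the path list on purpose
    joined=$(set -- $excludes; IFS=,; printf '%s' "$*")
    args+=(--exclude-path "$joined")
  fi
  if [ -n "$scanners" ]; then
    # shellcheck disable=SC2206  # word-split the scanner list on purpose
    args+=(--scanners $scanners)
  fi
  printf '%s\n' "${args[@]}"
}

# iac_scan TARGET [EXCLUDES] [SCANNERS]: build the argument list and run it.
iac_scan() {
  local out line
  local -a args=()
  out=$(iac_scan_args "$@") || return $?
  while IFS= read -r line; do args+=("$line"); done <<< "$out"
  # shellcheck disable=SC2206  # word-split the format list on purpose
  args+=(--output-formats ${PROWLER_OUTPUT_FORMATS:-csv json html})
  # args[1] is the scan-mode flag chosen above.
  if [ "${args[1]}" = --scan-repository-url ]; then
    echo "credential source: $(iac_auth_source)" >&2
  fi
  "${PROWLER_BIN:-prowler}" "${args[@]}"
}
```

Typical use is `iac_scan https://github.com/user/repo.git "" "vuln misconfig"` with GITHUB_OAUTH_APP_TOKEN exported beforehand, or `iac_scan ./my-iac-directory "./my-iac-directory/test ./my-iac-directory/examples"` for a local checkout. Because the token never appears in the argument list, it is not exposed to other users on a shared CI runner through the process table.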