# Getting Started with the IaC Provider

export const VersionBadge = ({version}) => {
  return <a href={`https://github.com/prowler-cloud/prowler/releases/tag/${version}`} target="_blank" rel="noopener noreferrer" className="version-badge-link">
            <span className="version-badge-container">
                <span className="version-badge">
                    <span className="version-badge-label">Added in:</span> 
                    <span className="version-badge-version">{version}</span>
                </span>
            </span>
        </a>;
};

Prowler's Infrastructure as Code (IaC) provider enables scanning of local or remote infrastructure code for security and compliance issues using [Trivy](https://trivy.dev/). This provider supports a wide range of IaC frameworks, allowing assessment of code before deployment.

## Supported IaC Formats

The Prowler IaC provider scans the following Infrastructure as Code configurations for misconfigurations and secrets:

| Configuration Type | File Patterns                                           |
| ------------------ | ------------------------------------------------------- |
| Kubernetes         | `*.yml`, `*.yaml`, `*.json`                             |
| Docker             | `Dockerfile`, `Containerfile`                           |
| Terraform          | `*.tf`, `*.tf.json`, `*.tfvars`                         |
| Terraform Plan     | `tfplan`, `*.tfplan`, `*.json`                          |
| CloudFormation     | `*.yml`, `*.yaml`, `*.json`                             |
| Azure ARM Template | `*.json`                                                |
| Helm               | `*.yml`, `*.yaml`, `*.tpl`, `*.tar.gz`, etc.            |
| YAML               | `*.yaml`, `*.yml`                                       |
| JSON               | `*.json`                                                |
| Ansible            | `*.yml`, `*.yaml`, `*.json`, `*.ini`, without extension |

## How It Works

* Prowler App leverages [Trivy](https://trivy.dev/docs/latest/guide/coverage/iac/#scanner) to scan local directories (or specified paths), or remote repositories, for supported IaC files.
* No cloud credentials or authentication are required for local scans.
* For remote repository scans, authentication can be provided via [git URL](https://git-scm.com/docs/git-clone#_git_urls), CLI flags or environment variables.
  * Check the [IaC Authentication](/user-guide/providers/iac/authentication) page for more details.
* Mutelist logic ([filtering](https://trivy.dev/latest/docs/configuration/filtering/)) is handled by Trivy, not Prowler.
* Results are output in the same formats as other Prowler providers (CSV, JSON-OCSF, HTML), plus [SARIF](/user-guide/cli/tutorials/reporting#sarif-iac-only) for GitHub Code Scanning integration.

## Prowler Cloud

<VersionBadge version="5.14.0" />

### Supported Scanners

Scanner selection is not configurable in Prowler App. The default scanners, misconfig and secret, run automatically during each scan.

### Step 1: Access Prowler Cloud/App

1. Navigate to [Prowler Cloud](https://cloud.prowler.com/) or launch [Prowler App](/user-guide/tutorials/prowler-app)

2. Go to "Configuration" > "Providers"

   <img src="https://mintcdn.com/prowler/zldeL4sp-3y3KD3R/images/prowler-app/cloud-providers-page.png?fit=max&auto=format&n=zldeL4sp-3y3KD3R&q=85&s=022812ec187876acb2feac32781217f3" alt="Providers Page" width="300" height="448" data-path="images/prowler-app/cloud-providers-page.png" />

3. Click "Add Provider"

   <img src="https://mintcdn.com/prowler/zldeL4sp-3y3KD3R/images/prowler-app/add-cloud-provider.png?fit=max&auto=format&n=zldeL4sp-3y3KD3R&q=85&s=ba8cc5f0f469433547b724f97672bb52" alt="Add a Provider" width="601" height="125" data-path="images/prowler-app/add-cloud-provider.png" />

4. Select "Infrastructure as Code"

   <img src="https://mintcdn.com/prowler/e5zEAwQ5r3Lxqfm0/images/providers/select-iac.png?fit=max&auto=format&n=e5zEAwQ5r3Lxqfm0&q=85&s=0a39385ea94292099143f77503af8d68" alt="Select Infrastructure as Code" width="1688" height="1280" data-path="images/providers/select-iac.png" />

5. Add the Repository URL and an optional alias, then click "Next"

   <img src="https://mintcdn.com/prowler/ilBu_rt4VRwaxkxt/images/providers/add-iac-repo.png?fit=max&auto=format&n=ilBu_rt4VRwaxkxt&q=85&s=df7d34391df96d32fc7d5f1536baf4a4" alt="Add IaC Repository URL" width="1673" height="1297" data-path="images/providers/add-iac-repo.png" />

### Step 2: Enter Authentication Details

6. Optionally provide the [authentication](/user-guide/providers/iac/authentication) details for private repositories, then click "Next"

   <img src="https://mintcdn.com/prowler/iBROs6CS79qsK1fR/images/providers/iac-authentication.png?fit=max&auto=format&n=iBROs6CS79qsK1fR&q=85&s=e9dfd340ab1a00adbf399ab4377d6391" alt="IaC Authentication" width="1610" height="1249" data-path="images/providers/iac-authentication.png" />

### Step 3: Verify Connection & Start Scan

7. Review the provider configuration and click "Launch scan" to initiate the scan

   <img src="https://mintcdn.com/prowler/iBROs6CS79qsK1fR/images/providers/iac-verify-connection.png?fit=max&auto=format&n=iBROs6CS79qsK1fR&q=85&s=73db3bd37a1f46b012b4750f313586a3" alt="Verify Connection & Start Scan" width="2618" height="1984" data-path="images/providers/iac-verify-connection.png" />

## Prowler CLI

<VersionBadge version="5.8.0" />

### Supported Scanners

Prowler CLI supports the following scanners:

* [Vulnerability](https://trivy.dev/docs/latest/guide/scanner/vulnerability/)
* [Misconfiguration](https://trivy.dev/docs/latest/guide/scanner/misconfiguration/)
* [Secret](https://trivy.dev/docs/latest/guide/scanner/secret/)
* [License](https://trivy.dev/docs/latest/guide/scanner/license/)

By default, only misconfiguration and secret scanners run during a scan. To specify which scanners to use, refer to the [Specify Scanners](#specify-scanners) section below.

### Usage

Use the `iac` argument to run Prowler with the IaC provider. Specify the directory or repository to scan, frameworks to include, and paths to exclude.

#### Scan a Local Directory (default)

```sh
prowler iac --scan-path ./my-iac-directory
```

#### Scan a Remote GitHub Repository

```sh
prowler iac --scan-repository-url https://github.com/user/repo.git
```

##### Authentication for Remote Private Repositories

Authentication for private repositories can be provided using one of the following methods:

* **GitHub Username and Personal Access Token (PAT):**
  ```sh
  prowler iac --scan-repository-url https://github.com/user/repo.git \
    --github-username <username> --personal-access-token <token>
  ```
* **GitHub OAuth App Token:**
  ```sh
  prowler iac --scan-repository-url https://github.com/user/repo.git \
    --oauth-app-token <oauth_token>
  ```
* If not provided via CLI, the following environment variables will be used (in order of precedence):
  * `GITHUB_OAUTH_APP_TOKEN`
  * `GITHUB_USERNAME` and `GITHUB_PERSONAL_ACCESS_TOKEN`
* If neither CLI flags nor environment variables are set, the scan attempts to clone without authentication, or with the credentials provided in the [git URL](https://git-scm.com/docs/git-clone#_git_urls).
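
As an added example (not from the Prowler project), a pre-flight check for a CI job: it reports which credential source the precedence above would select and masks any userinfo in the repository URL before it is written to a log. The function names `iac_auth_source` and `redact_url` and the sample URL are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not Prowler code. Function names and sample values are assumptions.

# Report which credential source applies, in the order documented above.
# $1: "flags" when auth flags are given on the command line, otherwise ""
# $2: repository URL passed to --scan-repository-url
iac_auth_source() {
  if [ "$1" = "flags" ]; then
    echo "cli-flags"
  elif [ -n "${GITHUB_OAUTH_APP_TOKEN:-}" ]; then
    echo "env-oauth-app-token"
  elif [ -n "${GITHUB_USERNAME:-}" ] && [ -n "${GITHUB_PERSONAL_ACCESS_TOKEN:-}" ]; then
    echo "env-username-pat"
  else
    # Fall back to whatever the URL carries: userinfo before the host, or nothing.
    url_rest=${2#*://}
    case "${url_rest%%/*}" in
      *@*) echo "git-url-credentials" ;;
      *)   echo "unauthenticated" ;;
    esac
  fi
}

# Mask userinfo (user:token@) in a URL so it is safe to print in job logs.
redact_url() {
  case "$1" in
    *://*) url_scheme=${1%%://*}; url_rest=${1#*://} ;;
    *)     echo "$1"; return 0 ;;
  esac
  url_authority=${url_rest%%/*}
  url_tail=${url_rest#"$url_authority"}
  case "$url_authority" in
    *@*) echo "${url_scheme}://***@${url_authority##*@}${url_tail}" ;;
    *)   echo "$1" ;;
  esac
}

# Constructed sample URL; EXAMPLE_TOKEN is a placeholder, not a real credential.
demo_url='https://alice:EXAMPLE_TOKEN@github.com/user/repo.git'
echo "repo: $(redact_url "$demo_url")"
echo "auth: $(iac_auth_source "" "$demo_url")"
```

Supplying the token through the environment variables keeps it out of the process argument list, where a value passed to `--personal-access-token` or `--oauth-app-token` is visible to other users on the host.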

##### Mutually Exclusive Flags

* `--scan-path` and `--scan-repository-url` are mutually exclusive. Only one can be specified at a time.

#### Specify Scanners

To run only specific scanners, use the `--scanners` flag. For example, to scan only for vulnerabilities and misconfigurations:

```sh
prowler iac --scan-path ./my-iac-directory --scanners vuln misconfig
```

#### Exclude Paths

```sh
prowler iac --scan-path ./my-iac-directory --exclude-path ./my-iac-directory/test ./my-iac-directory/examples
```

### Output

The IaC provider supports the standard Prowler output options, plus [SARIF](/user-guide/cli/tutorials/reporting#sarif-iac-only) output for GitHub Code Scanning integration. For example, to write CSV, JSON-OCSF and HTML reports:

```sh
prowler iac --scan-path ./iac --output-formats csv json-ocsf html
```

#### SARIF Output

<VersionBadge version="5.25.0" />

To generate SARIF output for integration with SARIF-compatible tools:

```sh
prowler iac --scan-repository-url https://github.com/user/repo -M sarif
```

See the [SARIF reporting documentation](/user-guide/cli/tutorials/reporting#sarif-iac-only) for details on the format and severity mapping.
