
prowler-cloud / prowler

Prowler is the Open Cloud Security platform for AWS, Azure, GCP, Kubernetes, M365 and more. It helps for continuous monitoring, security assessments & audits, incident response, compliance, hardening and forensics readiness. Includes CIS, NIST 800, NIST CSF, CISA, FedRAMP, PCI-DSS, GDPR, HIPAA, FFIEC, SOC2, ENS and more


Quick Overview

Prowler is an open-source security tool designed to perform AWS security best practices assessments, audits, incident response, continuous monitoring, hardening, and forensics readiness. It contains hundreds of controls covering CIS, PCI-DSS, ISO27001, GDPR, HIPAA, FFIEC, SOC2, AWS FTR, ENS, and custom security frameworks.

Pros

  • Comprehensive security assessment with 300+ controls across multiple compliance frameworks
  • Supports multi-account and multi-region scans
  • Integrates with various security tools and platforms (e.g., Amazon Security Hub, Slack, Jira)
  • Regularly updated to include the latest AWS services and security best practices

Cons

  • Primarily focused on AWS, limiting its use for multi-cloud environments
  • Can be resource-intensive when scanning large environments
  • Requires careful configuration to avoid false positives
  • Learning curve for customizing checks and interpreting results

Getting Started

To get started with Prowler, follow these steps:

  1. Install Prowler:
     pip install prowler
  2. Configure AWS credentials:
     aws configure
  3. Run a basic scan:
     prowler aws

For more advanced usage and customization options, refer to the official documentation at https://github.com/prowler-cloud/prowler.

Competitor Comparisons

Trivy

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more

Pros of Trivy

  • Broader scope: Scans containers, filesystems, and git repositories for vulnerabilities and misconfigurations
  • Faster scanning speed, especially for large container images
  • Supports multiple operating systems and package managers

Cons of Trivy

  • Less comprehensive cloud security checks compared to Prowler
  • Primarily focused on vulnerability scanning rather than compliance auditing
  • May require additional tools for complete cloud infrastructure assessment

Code Comparison

Trivy CLI command:

trivy image alpine:3.10

Prowler CLI command:

./prowler aws

Trivy focuses on scanning specific targets like container images, while Prowler is designed to perform comprehensive security assessments of AWS environments.

Trivy excels in vulnerability scanning across various platforms and artifacts, making it ideal for DevSecOps pipelines. Prowler, on the other hand, specializes in cloud security auditing and compliance checks, particularly for AWS environments.

Both tools are valuable in their respective domains, with Trivy offering broader vulnerability scanning capabilities and Prowler providing deeper cloud security insights.

Checkov

Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.

Pros of Checkov

  • Supports multiple cloud providers and IaC tools (AWS, Azure, GCP, Terraform, CloudFormation, Kubernetes, etc.)
  • Offers a wide range of pre-built policies and custom policy creation
  • Integrates well with CI/CD pipelines and provides clear, actionable output

Cons of Checkov

  • May have a steeper learning curve for users new to IaC security scanning
  • Can produce false positives in some scenarios, requiring manual verification
  • Limited focus on runtime security checks compared to Prowler

Code Comparison

Checkov:

from checkov.common.models.enums import CheckResult, CheckCategories
from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck

class S3BucketVersioning(BaseResourceCheck):
    def __init__(self):
        name = "Ensure S3 bucket has versioning enabled"
        check_id = "CKV_AWS_21"
        categories = [CheckCategories.BACKUP_AND_RECOVERY]
        super().__init__(name=name, id=check_id, categories=categories, supported_resources=["aws_s3_bucket"])
    def scan_resource_conf(self, conf):
        # conf is the parsed HCL block; nested blocks arrive as lists of dicts
        versioning = conf.get("versioning", [{}])[0]
        return CheckResult.PASSED if versioning.get("enabled", [False])[0] is True else CheckResult.FAILED
check = S3BucketVersioning()  # module-level instance registers the check with Checkov

Prowler:

#!/usr/bin/env bash

# Prowler - the handy cloud security tool (https://github.com/prowler-cloud/prowler)

PROWLER_VERSION="${PROWLER_VERSION:-$(cat ${PROWLER_DIR}/VERSION)}"

Both tools aim to enhance cloud security, but Checkov focuses more on Infrastructure as Code (IaC) scanning across multiple providers, while Prowler specializes in AWS security assessments with some multi-cloud capabilities. Checkov's Python-based approach allows for more flexible policy creation, while Prowler's bash-based structure may be more familiar to system administrators and DevOps engineers.
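To make the policy-as-code idea concrete, here is an added Python example (it is neither Checkov's nor Prowler's own code) that mirrors the calling convention of a Checkov resource check: Checkov hands each Terraform resource to scan_resource_conf as a dict whose attribute values are one-element lists, and the check returns PASSED or FAILED. The example goes one step beyond the snippet above: since AWS provider v4 moved bucket versioning into a separate aws_s3_bucket_versioning resource, a check that only inspects the aws_s3_bucket block reports a false FAIL for buckets versioned that way, so a second function also accepts the companion resource. The CheckResult stand-in, the helper names and the sample resource configurations are all constructed for this example.

```python
from enum import Enum


class CheckResult(Enum):
    """Stand-in for checkov.common.models.enums.CheckResult (constructed for the example)."""
    PASSED = "PASSED"
    FAILED = "FAILED"


def _first(conf, key, default=None):
    """Checkov stores every HCL attribute as a one-element list; unwrap it."""
    values = conf.get(key)
    return values[0] if values else default


def scan_bucket_versioning(bucket_conf):
    """Checkov-style check on a single aws_s3_bucket block (pre-v4 provider layout).

    bucket_conf mirrors Checkov's parsed form, e.g.
        {"bucket": ["logs"], "versioning": [{"enabled": [True]}]}
    """
    versioning_block = _first(bucket_conf, "versioning", {})
    enabled = _first(versioning_block, "enabled", False)
    return CheckResult.PASSED if enabled in (True, "true") else CheckResult.FAILED


def scan_bucket_versioning_v4(bucket_name, bucket_conf, versioning_resources):
    """Generalised check: also accept versioning declared through the separate
    aws_s3_bucket_versioning resource introduced with AWS provider v4.

    versioning_resources is a list of parsed aws_s3_bucket_versioning blocks.
    """
    if scan_bucket_versioning(bucket_conf) is CheckResult.PASSED:
        return CheckResult.PASSED
    for res in versioning_resources:
        target = _first(res, "bucket")
        # Terraform references arrive unresolved, e.g. "${aws_s3_bucket.logs.id}".
        if target not in (bucket_name, f"${{aws_s3_bucket.{bucket_name}.id}}"):
            continue
        cfg = _first(res, "versioning_configuration", {})
        if _first(cfg, "status") == "Enabled":
            return CheckResult.PASSED
    return CheckResult.FAILED


# Constructed sample resources (Terraform resource name -> parsed attributes).
SAMPLE_BUCKETS = {
    "legacy": {"bucket": ["legacy-data"], "versioning": [{"enabled": [True]}]},
    "logs": {"bucket": ["app-logs"]},          # versioned via the v4 companion resource
    "scratch": {"bucket": ["scratch-space"]},  # genuinely unversioned
}
SAMPLE_VERSIONING = [
    {"bucket": ["${aws_s3_bucket.logs.id}"],
     "versioning_configuration": [{"status": ["Enabled"]}]},
]


def evaluate_all(buckets=SAMPLE_BUCKETS, versioning=SAMPLE_VERSIONING):
    """Return {terraform_name: CheckResult} for every bucket, v4-aware."""
    return {name: scan_bucket_versioning_v4(name, conf, versioning)
            for name, conf in buckets.items()}


if __name__ == "__main__":
    for name, result in evaluate_all().items():
        print(f"CKV_AWS_21 aws_s3_bucket.{name}: {result.value}")
```

Run as a script it prints PASSED for legacy and logs and FAILED only for scratch; the naive single-resource check would have flagged logs as well, which is the kind of false positive the comparison above warns about.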

Gitleaks

Find secrets with Gitleaks 🔑

Pros of Gitleaks

  • Specialized in detecting secrets and sensitive information in git repositories
  • Supports scanning local repositories, GitHub organizations, and GitLab groups
  • Highly customizable with regex patterns and rules

Cons of Gitleaks

  • Limited to secret detection, lacking broader security assessment capabilities
  • May produce false positives, requiring manual review of results
  • Doesn't provide remediation suggestions or security best practices

Code Comparison

Gitleaks (Go, simplified):

package detect

import "regexp"

// Minimal types so the snippet compiles; real gitleaks rules carry more fields.
type Rule struct {
    ID     string
    Regexp *regexp.Regexp
}
type DetectResult struct {
    Rule       Rule
    Start, End int
    Secret     string
}
type Detector struct{ Rules []Rule }

func (d *Detector) Detect(src string) ([]DetectResult, error) {
    var results []DetectResult
    for _, r := range d.Rules {
        // Every non-overlapping match of the rule's pattern in the input.
        matches := r.Regexp.FindAllStringIndex(src, -1)
        for _, match := range matches {
            results = append(results, DetectResult{
                Rule:   r,
                Start:  match[0],
                End:    match[1],
                Secret: src[match[0]:match[1]],
            })
        }
    }
    return results, nil
}

Prowler (Python):

def run_check(self, check):
    check_metadata = check.metadata()
    if self.audit_info.audit_session_name not in check_metadata.get("excluded_session_names", []):
        finding = check.execute()
        if finding:
            self.findings.append(finding)
    return self.findings

While both tools focus on security, Gitleaks specializes in secret detection within git repositories, whereas Prowler offers a broader range of cloud security assessments, particularly for AWS environments. Gitleaks is more focused and customizable for secret scanning, while Prowler provides a comprehensive security auditing solution for cloud infrastructures.
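The Go loop above shows the core of rule-based secret detection but not the two refinements that keep such a scanner usable: an allowlist for known placeholder values and a Shannon-entropy threshold for generic patterns, both addressing the false-positive concern listed under the cons. The following is an added Python example, not Gitleaks' or Prowler's code; the rules are constructed in the spirit of Gitleaks' defaults rather than copied from them, the helper names are mine, and the sample source file is constructed (the second AKIA value is the placeholder key from AWS documentation).

```python
import math
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    id: str
    pattern: re.Pattern
    entropy: float = 0.0  # minimum Shannon entropy of the matched value; 0 disables the filter


@dataclass(frozen=True)
class DetectResult:
    rule_id: str
    start: int   # offsets of the whole match in the scanned text
    end: int
    secret: str  # the captured value (or the whole match when the rule has no group)


def shannon_entropy(s):
    """Bits per character; random-looking tokens score higher than dictionary words."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


# Constructed rules in the spirit of typical secret-scanner defaults.
RULES = [
    Rule("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    Rule("generic-api-key",
         re.compile(r"(?i)api[_-]?key\s*[:=]\s*['\"]([A-Za-z0-9_\-]{16,})['\"]"),
         entropy=3.5),
]

# Allowlist of obvious placeholder values; suppresses documentation examples.
ALLOWLIST = re.compile(r"(?i)example|changeme|placeholder")


def detect(src, rules=RULES, allowlist=ALLOWLIST):
    """Apply every rule to src, dropping allowlisted and low-entropy matches."""
    results = []
    for rule in rules:
        for m in rule.pattern.finditer(src):
            # Use the capture group (the value) when the rule has one, else the whole match.
            secret = m.group(1) if m.groups() else m.group(0)
            if allowlist.search(secret):
                continue
            if rule.entropy and shannon_entropy(secret) < rule.entropy:
                continue
            results.append(DetectResult(rule.id, m.start(), m.end(), secret))
    return results


# Constructed sample input; the values are made up for the example.
SAMPLE_SOURCE = """\
AWS_ACCESS_KEY_ID = "AKIAZZ0123456789ABCD"
DOCS_KEY = "AKIAIOSFODNN7EXAMPLE"          # AWS documentation placeholder key
api_key = "changeme_changeme_changeme"   # placeholder, allowlisted
api_key = "aaaaaaaaaaaaaaaaaaaa"          # low entropy, filtered
api_key = "q7Gd9xPz2LmN4vKs8WtY3Rb"       # random-looking: reported
"""


if __name__ == "__main__":
    for hit in detect(SAMPLE_SOURCE):
        print(f"{hit.rule_id} at {hit.start}-{hit.end}: {hit.secret}")
```

On the sample input only two findings remain: the constructed AKIA key and the high-entropy api_key value. The documentation key is allowlisted, the placeholder is allowlisted, and the all-"a" value falls below the 3.5-bit threshold, which is the trade-off a scanner makes between recall and reviewer fatigue.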

Grype

A vulnerability scanner for container images and filesystems

Pros of Grype

  • Focused specifically on vulnerability scanning for container images and filesystems
  • Faster scanning speed, especially for large container images
  • Supports a wide range of package ecosystems and vulnerability databases

Cons of Grype

  • Limited to vulnerability scanning, lacks broader security assessment capabilities
  • Does not provide cloud infrastructure security checks
  • Less comprehensive reporting and remediation guidance compared to Prowler

Code Comparison

Grype (scanning a container image):

grype alpine:latest

Prowler (running a security assessment):

./prowler aws

Summary

Grype is a specialized tool for vulnerability scanning in containers and filesystems, offering fast and focused scans across various package ecosystems. It excels in speed and specific vulnerability detection but lacks the broader security assessment capabilities of Prowler.

Prowler, on the other hand, provides a comprehensive security assessment for cloud environments, particularly AWS. It offers a wider range of checks, including compliance and best practices, but may not be as specialized or fast in container vulnerability scanning as Grype.

The choice between these tools depends on the specific security needs of your project: Grype for focused container vulnerability scanning, or Prowler for broader cloud security assessments.

Conftest

Write tests against structured configuration data using the Open Policy Agent Rego query language

Pros of Conftest

  • More flexible and general-purpose, can be used for various configuration files and policy types
  • Integrates well with other Open Policy Agent tools and ecosystem
  • Supports multiple input formats (YAML, JSON, INI, etc.)

Cons of Conftest

  • Requires learning Rego language for writing policies
  • Less out-of-the-box functionality for cloud security auditing
  • May require more setup and configuration for specific use cases

Code Comparison

Prowler (shell script):

./prowler -p custom-profile -r us-east-1

Conftest (policy testing):

conftest test deployment.yaml

Key Differences

  • Prowler is specifically designed for AWS security auditing, while Conftest is a general-purpose policy testing tool
  • Prowler provides pre-defined checks and reports, whereas Conftest requires custom policy definitions
  • Conftest offers more flexibility in terms of input formats and policy types, but may require more initial setup
  • Prowler is more user-friendly for AWS-specific security assessments, while Conftest has a steeper learning curve but broader applicability

Both tools serve different purposes and can be complementary in a comprehensive security and compliance strategy.

Terrascan

Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.

Pros of Terrascan

  • Broader scope: Supports multiple IaC tools (Terraform, Kubernetes, Helm, Kustomize, Dockerfiles)
  • Policy-as-code approach with Rego language for custom rules
  • Integrates well with CI/CD pipelines and supports various output formats

Cons of Terrascan

  • Less focus on cloud-specific security checks compared to Prowler
  • Steeper learning curve for creating custom policies
  • May require more setup and configuration for comprehensive cloud security audits

Code Comparison

Terrascan (scanning a Terraform file):

terrascan scan -i terraform -f main.tf

Prowler (scanning AWS environment):

./prowler aws

Summary

Terrascan is a versatile IaC security scanner supporting multiple tools, while Prowler specializes in cloud security audits, particularly for AWS. Terrascan offers more flexibility in policy creation but may require more setup for cloud-specific checks. Prowler provides out-of-the-box cloud security audits but is more limited in scope to specific cloud providers.


README

Prowler is the Open Cloud Security platform trusted by thousands to automate security and compliance in any cloud environment. With hundreds of ready-to-use checks and compliance frameworks, Prowler delivers real-time, customizable monitoring and seamless integrations, making cloud security simple, scalable, and cost-effective for organizations of any size.

Learn more at prowler.com

Description

Prowler is an open-source security tool designed to assess and enforce security best practices across AWS, Azure, Google Cloud, and Kubernetes. It supports tasks such as security audits, incident response, continuous monitoring, system hardening, forensic readiness, and remediation processes.

Prowler includes hundreds of built-in controls to ensure compliance with standards and frameworks, including:

  • Industry Standards: CIS, NIST 800, NIST CSF, and CISA
  • Regulatory Compliance and Governance: RBI, FedRAMP, and PCI-DSS
  • Frameworks for Sensitive Data and Privacy: GDPR, HIPAA, and FFIEC
  • Frameworks for Organizational Governance and Quality Control: SOC2 and GXP
  • AWS-Specific Frameworks: AWS Foundational Technical Review (FTR) and AWS Well-Architected Framework (Security Pillar)
  • National Security Standards: ENS (Spanish National Security Scheme)
  • Custom Security Frameworks: Tailored to your needs

Prowler CLI and Prowler Cloud

Prowler offers a Command Line Interface (CLI), known as Prowler Open Source, and an additional service built on top of it, called Prowler Cloud.

Prowler App

Prowler App is a web-based application that simplifies running Prowler across your cloud provider accounts. It provides a user-friendly interface to visualize the results and streamline your security assessments.


For more details, refer to the Prowler App Documentation

Prowler CLI

prowler <provider>


Prowler Dashboard

prowler dashboard


Prowler at a Glance

Provider            Checks   Services   Compliance Frameworks   Categories
AWS                    571         82                      36           10
GCP                     79         13                      10            3
Azure                  162         19                      11            4
Kubernetes              83          7                       5            7
GitHub                  17          2                       1            0
M365                    70          7                       3            2
NHN (Unofficial)         6          2                       1            0

[!Note] The numbers in the table are updated periodically.

[!Tip] For the most accurate and up-to-date information about checks, services, frameworks, and categories, visit Prowler Hub.

[!Note] Use the following commands to list Prowler's available checks, services, compliance frameworks, and categories: prowler <provider> --list-checks, prowler <provider> --list-services, prowler <provider> --list-compliance and prowler <provider> --list-categories.

💻 Installation

Prowler App

Prowler App offers flexible installation methods tailored to various environments:

For detailed instructions on using Prowler App, refer to the Prowler App Usage Guide.

Docker Compose

Requirements

Commands

curl -LO https://raw.githubusercontent.com/prowler-cloud/prowler/refs/heads/master/docker-compose.yml
curl -LO https://raw.githubusercontent.com/prowler-cloud/prowler/refs/heads/master/.env
docker compose up -d

Containers are built for linux/amd64.

Configuring Your Workstation for Prowler App

If your workstation's architecture is incompatible, you can resolve this by:

  • Setting the environment variable: DOCKER_DEFAULT_PLATFORM=linux/amd64
  • Using the following flag in your Docker command: --platform linux/amd64

Once configured, access the Prowler App at http://localhost:3000. Sign up using your email and password to get started.

Common Issues with Docker Pull Installation

[!Note] If you want to use AWS role assumption (e.g., with the "Connect assuming IAM Role" option), you may need to mount your local .aws directory into the container as a volume (e.g., - "${HOME}/.aws:/home/prowler/.aws:ro"). There are several ways to configure credentials for Docker containers. See the Troubleshooting section for more details and examples.

You can find more information in the Troubleshooting section.

From GitHub

Requirements

Commands to run the API

git clone https://github.com/prowler-cloud/prowler
cd prowler/api
poetry install
eval $(poetry env activate)
set -a
source .env
docker compose up postgres valkey -d
cd src/backend
python manage.py migrate --database admin
gunicorn -c config/guniconf.py config.wsgi:application

[!IMPORTANT] As of Poetry v2.0.0, the poetry shell command has been deprecated. Use poetry env activate instead for environment activation.

If your Poetry version is below v2.0.0, continue using poetry shell to activate your environment. For further guidance, refer to the Poetry Environment Activation Guide https://python-poetry.org/docs/managing-environments/#activating-the-environment.

After completing the setup, access the API documentation at http://localhost:8080/api/v1/docs.

Commands to run the API Worker

git clone https://github.com/prowler-cloud/prowler
cd prowler/api
poetry install
eval $(poetry env activate)
set -a
source .env
cd src/backend
python -m celery -A config.celery worker -l info -E

Commands to run the API Scheduler

git clone https://github.com/prowler-cloud/prowler
cd prowler/api
poetry install
eval $(poetry env activate)
set -a
source .env
cd src/backend
python -m celery -A config.celery beat -l info --scheduler django_celery_beat.schedulers:DatabaseScheduler

Commands to run the UI

git clone https://github.com/prowler-cloud/prowler
cd prowler/ui
npm install
npm run build
npm start

Once configured, access the Prowler App at http://localhost:3000. Sign up using your email and password to get started.

Prowler CLI

Pip package

Prowler CLI is available as a project in PyPI. Consequently, it can be installed using pip with Python >3.9.1, <3.13:

pip install prowler
prowler -v

For further guidance, refer to https://docs.prowler.com

Containers

Available Versions of Prowler CLI

The following versions of Prowler CLI are available, depending on your requirements:

  • latest: Synchronizes with the master branch. Note that this version is not stable.
  • v4-latest: Synchronizes with the v4 branch. Note that this version is not stable.
  • v3-latest: Synchronizes with the v3 branch. Note that this version is not stable.
  • <x.y.z> (release): Stable releases corresponding to specific versions. You can find the complete list of releases here.
  • stable: Always points to the latest release.
  • v4-stable: Always points to the latest release for v4.
  • v3-stable: Always points to the latest release for v3.

The container images are available here:

From GitHub

Python >3.9.1, <3.13 is required with pip and Poetry:

git clone https://github.com/prowler-cloud/prowler
cd prowler
eval $(poetry env activate)
poetry install
python prowler-cli.py -v

[!IMPORTANT] To clone Prowler on Windows, configure Git to support long file paths by running the following command: git config core.longpaths true.

[!IMPORTANT] As of Poetry v2.0.0, the poetry shell command has been deprecated. Use poetry env activate instead for environment activation.

If your Poetry version is below v2.0.0, continue using poetry shell to activate your environment. For further guidance, refer to the Poetry Environment Activation Guide https://python-poetry.org/docs/managing-environments/#activating-the-environment.

✏️ High level architecture

Prowler App

Prowler App is composed of three key components:

  • Prowler UI: A web-based interface, built with Next.js, providing a user-friendly experience for executing Prowler scans and visualizing results.
  • Prowler API: A backend service, developed with Django REST Framework, responsible for running Prowler scans and storing the generated results.
  • Prowler SDK: A Python SDK designed to extend the functionality of the Prowler CLI for advanced capabilities.


Prowler CLI

Running Prowler

Prowler can be executed across various environments, offering flexibility to meet your needs. It can be run from:

  • Your own workstation
  • A Kubernetes Job
  • Google Compute Engine
  • Azure Virtual Machines (VMs)
  • Amazon EC2 instances
  • AWS Fargate or other container platforms
  • CloudShell

And many more environments.

Architecture

Deprecations from v3

General

  • Allowlist now is called Mutelist.
  • The --quiet option has been deprecated. Use the --status flag to filter findings based on their status: PASS, FAIL, or MANUAL.
  • All findings with an INFO status have been reclassified as MANUAL.
  • The CSV output format is standardized across all providers.

Deprecated Output Formats

The following formats are now deprecated:

  • Native JSON has been replaced with JSON in OCSF v1.1.0 format (https://schema.ocsf.io/), which is standardized across all providers.

AWS

AWS Flag Deprecation

The flag --sts-endpoint-region has been deprecated due to the adoption of AWS STS regional tokens.

Sending FAIL Results to AWS Security Hub

  • To send only FAILS to AWS Security Hub, use one of the following options: --send-sh-only-fails or --security-hub --status FAIL.
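The three v4 changes above (Mutelist, --status filtering and OCSF JSON output) come together when findings are post-processed outside Prowler. As an added Python example, not part of Prowler itself, the block below reads findings in the shape of Prowler's json-ocsf output, keeps only the statuses requested (the equivalent of --status FAIL), applies a simplified mutelist and tallies what is left by severity. The three sample findings are constructed; the field names (status_code, severity, metadata.event_code, finding_info, resources, cloud) are the OCSF Detection Finding fields as I understand Prowler populates them, and the in-memory mutelist of (check id, resource regex) pairs is a stand-in for Prowler's YAML Mutelist, not its implementation.

```python
import json
import re
from collections import Counter

# Constructed sample: three findings shaped like Prowler's json-ocsf output
# (OCSF Detection Finding); only the fields this example reads are included.
SAMPLE_OCSF_JSON = json.dumps([
    {
        "metadata": {"event_code": "s3_bucket_versioning"},
        "severity": "Medium", "status_code": "FAIL",
        "status_detail": "S3 Bucket app-logs does not have versioning enabled.",
        "finding_info": {"title": "Check if S3 buckets have versioning enabled"},
        "resources": [{"uid": "arn:aws:s3:::app-logs", "region": "us-east-1"}],
        "cloud": {"provider": "aws", "account": {"uid": "123456789012"}},
    },
    {
        "metadata": {"event_code": "s3_bucket_versioning"},
        "severity": "Medium", "status_code": "FAIL",
        "status_detail": "S3 Bucket scratch-space does not have versioning enabled.",
        "finding_info": {"title": "Check if S3 buckets have versioning enabled"},
        "resources": [{"uid": "arn:aws:s3:::scratch-space", "region": "us-east-1"}],
        "cloud": {"provider": "aws", "account": {"uid": "123456789012"}},
    },
    {
        "metadata": {"event_code": "iam_root_mfa_enabled"},
        "severity": "Critical", "status_code": "PASS",
        "status_detail": "MFA is enabled for root account.",
        "finding_info": {"title": "Ensure MFA is enabled for the root account"},
        "resources": [{"uid": "arn:aws:iam::123456789012:root", "region": "us-east-1"}],
        "cloud": {"provider": "aws", "account": {"uid": "123456789012"}},
    },
])

# Simplified mutelist: (check id, regex over the resource uid). Prowler's real
# Mutelist is a YAML file keyed by account, check, region and resource; this
# stand-in is constructed for the example.
MUTELIST = [("s3_bucket_versioning", r"^arn:aws:s3:::scratch-.*")]


def is_muted(finding, mutelist=MUTELIST):
    """True when a mutelist entry covers this finding's check and resource."""
    check_id = finding["metadata"]["event_code"]
    resource_uid = finding["resources"][0]["uid"]
    return any(check_id == c and re.search(pattern, resource_uid)
               for c, pattern in mutelist)


def filter_findings(ocsf_json, statuses=("FAIL",), mutelist=MUTELIST):
    """Equivalent of `--status FAIL` plus the mutelist, applied to a json-ocsf file."""
    findings = json.loads(ocsf_json)
    return [f for f in findings
            if f["status_code"] in statuses and not is_muted(f, mutelist)]


def severity_counts(findings):
    return Counter(f["severity"] for f in findings)


def summarize(ocsf_json, statuses=("FAIL",), mutelist=MUTELIST):
    """Return (kept findings, severity counts, number muted) for a triage report."""
    all_findings = json.loads(ocsf_json)
    kept = filter_findings(ocsf_json, statuses, mutelist)
    muted = sum(1 for f in all_findings
                if f["status_code"] in statuses and is_muted(f, mutelist))
    return kept, severity_counts(kept), muted


if __name__ == "__main__":
    kept, counts, muted = summarize(SAMPLE_OCSF_JSON)
    print(f"{len(kept)} FAIL finding(s) to act on, {muted} muted; by severity: {dict(counts)}")
    for f in kept:
        print(f"[{f['severity']}] {f['metadata']['event_code']} "
              f"{f['resources'][0]['uid']}: {f['status_detail']}")
```

To use it on a real scan, pass the contents of the .ocsf.json file Prowler writes to summarize in place of SAMPLE_OCSF_JSON. Note that muting removes a FAIL from the report but not from the environment, so a mutelist entry is a documented risk acceptance and deserves the same review as an exception in any other control.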

📖 Documentation

Documentation Resources

For installation instructions, usage details, tutorials, and the Developer Guide, visit https://docs.prowler.com/

📃 License

Prowler License Information

Prowler is licensed under the Apache License 2.0, as indicated in each file within the repository.

Obtaining a Copy of the License

A copy of the License is available at http://www.apache.org/licenses/LICENSE-2.0