Prowler
Prowler is an Open Source Cloud Security Platform that automates security and compliance across AWS, GCP, Azure, Kubernetes, Microsoft 365, GitHub, Infrastructure as Code, and MongoDB Atlas environments. It provides hundreds of ready-to-use security checks aligned with various compliance frameworks like CIS, NIST, PCI-DSS, SOC2, and AWS Well-Architected. Currently at version 5.24.0, Prowler has a regular release cadence, with minor versions released frequently, often weekly or bi-weekly, to introduce new features, checks, and bug fixes.
Common errors
- prowler: command not found
  cause: Prowler is not installed, or its installation directory is not in your system's PATH.
  fix: Install Prowler using `pip install prowler`. If already installed, ensure your PATH environment variable includes the directory where pip installs executables (e.g., `~/.local/bin` on Linux/macOS, or the Python `Scripts` directory on Windows).
- No credentials found for AWS. Configure your credentials to run Prowler. See https://docs.prowler.com/en/latest/references/authentication/ for more info.
  cause: Prowler could not find valid AWS credentials in the expected locations (environment variables, `~/.aws/credentials`, IAM roles).
  fix: Configure your AWS credentials using the AWS CLI (`aws configure`) or by setting environment variables (e.g., `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_SESSION_TOKEN`). Ensure the principal running Prowler has sufficient permissions.
- ModuleNotFoundError: No module named 'prowler'
  cause: Attempting to import `prowler` as a Python module directly, but it's designed primarily as a CLI tool and its core scanning logic is not exposed for general library imports in this manner.
  fix: Prowler is meant to be run as a command-line tool. To execute it from Python, use `subprocess.run(['prowler', ...])` to invoke the CLI. If you are developing custom checks or extending Prowler, refer to the Prowler documentation for its SDK and internal module structure.
Warnings
- gotcha: Distinction between Prowler CLI (Open Source) and Prowler Cloud/App. Many new features and multi-account management capabilities highlighted in recent releases (e.g., AWS Organizations improvements, Google Workspace integration) are exclusive to the commercial Prowler Cloud/App offering, which provides a web UI and additional features. The CLI remains a powerful open-source tool, but it's important to understand this distinction when reviewing release notes.
- breaking: Prowler v3 deprecated the direct HTML output page. Users accustomed to a quick HTML overview from older versions will find this functionality removed, requiring different methods (e.g., the local dashboard or parsing JSON/CSV outputs) to visualize results.
- gotcha: Limited disk space in AWS CloudShell (1GB) can hinder Prowler operations. Running extensive scans or generating large output files in CloudShell may lead to disk space exhaustion, preventing Prowler from completing or saving results.
- deprecated: Poetry's `poetry shell` command is deprecated in versions 2.0.0 and above. Users activating Prowler within a Poetry environment should use the updated command.
Install
- pip install prowler
Imports
- Prowler CLI
  import subprocess
  subprocess.run(["prowler", "aws"])
Quickstart
import subprocess

# Ensure AWS credentials are configured (e.g., via AWS CLI or environment variables)
# Example: export AWS_ACCESS_KEY_ID='AKIA...'
#          export AWS_SECRET_ACCESS_KEY='...'
#          export AWS_SESSION_TOKEN='...'
print("Running a basic Prowler scan for AWS. This may take a while...")
try:
    # Run a basic AWS scan and output to the terminal
    # For a full scan, remove --checks CHECK_AWS_EC2_01. For specific frameworks, use --compliance.
    # Check IDs and output options differ between Prowler versions; confirm them with `prowler aws --help`.
    # check=True raises CalledProcessError on any non-zero exit code.
    result = subprocess.run(
        ["prowler", "aws", "--checks", "CHECK_AWS_EC2_01", "--output-modes", "json", "text"],
        capture_output=True, text=True, check=True
    )
    print("Scan completed successfully.")
    print("--- Standard Output ---")
    print(result.stdout)
    if result.stderr:
        print("--- Standard Error ---")
        print(result.stderr)
except subprocess.CalledProcessError as e:
    print(f"An error occurred during the Prowler scan: {e}")
    print(f"Command: {e.cmd}")
    print(f"Return Code: {e.returncode}")
    print(f"Output: {e.stdout}")
    print(f"Error Output: {e.stderr}")
except FileNotFoundError:
    # Raised when the prowler executable cannot be located on PATH
    print("Error: 'prowler' command not found. Please ensure Prowler is installed and in your PATH.")
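A preflight check for the failure modes listed under Common errors and Warnings (CLI not on PATH, missing AWS credentials, low disk space), to run before invoking the CLI. This is an added example, not part of the original page or of Prowler itself; the function name `preflight`, the 200 MiB threshold and the injectable `which`/`disk_usage` parameters are assumptions made for illustration.

```python
import os
import shutil
from pathlib import Path

MIN_FREE_BYTES = 200 * 1024 * 1024  # assumed threshold, not a Prowler requirement


def preflight(env=None, home=None, out_dir=".",
              which=shutil.which, disk_usage=shutil.disk_usage):
    """Return (errors, warnings) for a planned `prowler aws` run.

    Only names of variables and files are reported, never secret values.
    """
    env = os.environ if env is None else env
    home = Path.home() if home is None else Path(home)
    errors, warnings = [], []

    # 1. "prowler: command not found"
    if which("prowler") is None:
        errors.append("prowler is not on PATH")

    # 2. "No credentials found for AWS"
    key_id = env.get("AWS_ACCESS_KEY_ID", "")
    secret = env.get("AWS_SECRET_ACCESS_KEY", "")
    if bool(key_id) != bool(secret):
        errors.append("AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY must be set together")
    elif key_id.startswith("ASIA") and not env.get("AWS_SESSION_TOKEN"):
        # ASIA-prefixed key IDs are temporary STS credentials and need a token.
        errors.append("temporary access key set without AWS_SESSION_TOKEN")
    cred_file = Path(env.get("AWS_SHARED_CREDENTIALS_FILE")
                     or home / ".aws" / "credentials")
    has_file = cred_file.is_file() and cred_file.stat().st_size > 0
    if not key_id and not secret and not has_file:
        # Not fatal: an attached IAM role cannot be detected offline.
        warnings.append("no static AWS credentials found; an IAM role must supply them")

    # 3. Small volumes such as the 1 GB available in AWS CloudShell
    if disk_usage(out_dir).free < MIN_FREE_BYTES:
        warnings.append(f"less than {MIN_FREE_BYTES // 2**20} MiB free in {out_dir}")

    return errors, warnings


if __name__ == "__main__":
    errs, warns = preflight()
    for msg in errs:
        print("ERROR:", msg)
    for msg in warns:
        print("WARN:", msg)
    raise SystemExit(1 if errs else 0)
```

Errors mean the scan cannot start as configured; warnings mean it may still work, for example when an IAM role supplies the credentials.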