Using Powerpipe - SethBodine/audit-tools GitHub Wiki

Using Powerpipe

Powerpipe is a benchmarking and compliance tool built on top of Steampipe. It runs CIS, SOC2, NIST, and other compliance benchmarks against live cloud environments using SQL queries, and produces reports in multiple formats. It replaces the older Steampipe dashboard interface.

  • Runs CIS, SOC2, NIST, PCI-DSS, and other compliance benchmarks
  • Supports AWS, Azure, GCP, and Kubernetes via Steampipe plugins
  • Outputs to HTML, PPS snapshot, and plain text
  • Requires Steampipe to be running as a backend service

Prepare the Environment

Powerpipe and its modules are updated at container image start-up. No manual setup is required.

Powerpipe does not handle cloud authentication. Authenticate to your provider before running. See Cloud Authentication via CLI.

cd /opt/Powerpipe/
steampipe service start    # must be running before executing benchmarks

Modules are located in /opt/Powerpipe/. Review each module's documentation for provider-specific configuration.

Gather Data

List Available Benchmarks

powerpipe benchmark list

Filter for Specific Benchmarks

powerpipe benchmark list | grep cis
powerpipe benchmark list | grep aws

Run a Benchmark

# Save as PPS snapshot (viewable in Powerpipe dashboard)
powerpipe benchmark run aws_compliance.benchmark.cis_v600 --output pps >report.pps

# Save as HTML
powerpipe benchmark run aws_compliance.benchmark.cis_v600 --output html >report.html

# Save as text (with colour, requires unbuffer)
unbuffer powerpipe benchmark run aws_compliance.benchmark.cis_v600 --output txt >report.txt

Report Files

Report files are generated in the current folder. Move them to /output/ and then out of the container.
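The run-and-move steps above can be combined so reports are written straight into /output/. This is an added example, not part of the audit-tools wiki or the Powerpipe project: a POSIX shell function that runs one benchmark in the three formats shown, creates each report with owner-only permissions, and discards empty output from a failed run. The function name, the OUT_DIR variable and the timestamped file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the wiki. Hypothetical names: run_benchmark_reports,
# OUT_DIR, and the <benchmark>_<UTC timestamp>.<format> file naming.
OUT_DIR="${OUT_DIR:-/output}"

run_benchmark_reports() {
    benchmark="$1"                          # e.g. aws_compliance.benchmark.cis_v600
    base="${benchmark##*.}_$(date -u +%Y%m%dT%H%M%SZ)"
    # Reports list weaknesses in the audited environment: create them owner-only.
    old_umask="$(umask)"
    umask 077
    mkdir -p "$OUT_DIR" || { umask "$old_umask"; return 1; }
    written=0
    for fmt in pps html txt; do             # txt is uncoloured without unbuffer
        tmp="${OUT_DIR}/.${base}.${fmt}.partial"
        # Powerpipe can exit non-zero when controls are in alarm, so a report
        # is accepted if the file is non-empty, whatever the exit status.
        powerpipe benchmark run "$benchmark" --output "$fmt" >"$tmp" || true
        if [ -s "$tmp" ]; then
            mv "$tmp" "${OUT_DIR}/${base}.${fmt}"
            written=$((written + 1))
        else
            rm -f "$tmp"                    # do not leave an empty report behind
            echo "no ${fmt} report produced for ${benchmark}" >&2
        fi
    done
    umask "$old_umask"
    [ "$written" -eq 3 ]                    # success only if all formats exist
}

# Run directly: sh script.sh aws_compliance.benchmark.cis_v600
if [ "$#" -gt 0 ]; then
    run_benchmark_reports "$@"
fi
```

Steampipe must already be running and cloud authentication completed, as described under Prepare the Environment.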

Review a PPS Snapshot

  1. Run powerpipe server --listen network inside the container
  2. Navigate to http://localhost:9033
  3. Select Open Snapshot and load the .pps file

Known Issues

TBC

Additional Information