Skip to main content

Documentation Index

Fetch the complete documentation index at: https://prowler-prowler-1359-docs-improve-developer-documentation-f.mintlify.app/llms.txt

Use this file to discover all available pages before exploring further.

Prowler generates security assessment reports in multiple formats, ensuring compatibility with various analysis tools and AWS integrations.

Default Report Generation

By default, Prowler outputs reports in CSV and JSON-OCSF formats: 
prowler <provider> -M csv json-ocsf json-asff html
If you require reports in JSON-ASFF (used by AWS Security Hub), set it using the -M/--output-modes/--output-formats flag, as in the following example: 
prowler <provider> --output-formats json-asff

Compliance Reports

All compliance-related reports are automatically generated when Prowler is executed. These outputs are stored in the /output/compliance directory.

Custom Output Flags

By default, Prowler creates a file inside the output directory named: prowler-output-ACCOUNT_NUM-OUTPUT_DATE.format. However, both the output file name and directory can be personalised:
  • Custom output report name:
You can use the flag -F/--output-filename 
prowler <provider> -M csv json-ocsf json-asff -F <custom_report_name>
  • Custom output directory:
You can use the flag -o/--output-directory 
prowler <provider> -M csv json-ocsf json-asff -o <custom_report_directory>
Both flags can be used simultaneously to provide a custom directory and filename. console prowler <provider> -M csv json-ocsf json-asff \ -F <custom_report_name> -o <custom_report_directory>

Output timestamp format

By default, the timestamp format of the output files is ISO 8601. This can be changed with the flag --unix-timestamp generating the timestamp fields in pure unix timestamp format.

Supported Output Formats

Prowler natively supports the following reporting output formats:
  • CSV
  • JSON-OCSF
  • JSON-ASFF (AWS only)
  • HTML
  • SARIF (IaC only)
Hereunder is the structure for each of the supported report formats by Prowler:

CSV

The CSV format follows a standardized structure across all providers. The following are the available columns:
  • AUTH_METHOD
  • TIMESTAMP
  • ACCOUNT_UID
  • ACCOUNT_NAME
  • ACCOUNT_EMAIL
  • ACCOUNT_ORGANIZATION_UID
  • ACCOUNT_ORGANIZATION_NAME
  • ACCOUNT_TAGS
  • FINDING_UID
  • PROVIDER
  • CHECK_ID
  • CHECK_TITLE
  • CHECK_TYPE
  • STATUS
  • STATUS_EXTENDED
  • MUTED
  • SERVICE_NAME
  • SUBSERVICE_NAME
  • SEVERITY
  • RESOURCE_TYPE
  • RESOURCE_UID
  • RESOURCE_NAME
  • RESOURCE_DETAILS
  • RESOURCE_TAGS
  • PARTITION
  • REGION
  • DESCRIPTION
  • RISK
  • RELATED_URL
  • REMEDIATION_RECOMMENDATION_TEXT
  • REMEDIATION_RECOMMENDATION_URL
  • REMEDIATION_CODE_NATIVEIAC
  • REMEDIATION_CODE_TERRAFORM
  • REMEDIATION_CODE_CLI
  • REMEDIATION_CODE_OTHER
  • COMPLIANCE
  • CATEGORIES
  • DEPENDS_ON
  • RELATED_TO
  • NOTES
  • PROWLER_VERSION
  • ADDITIONAL_URLS

CSV Headers Mapping

The following table shows the mapping between the CSV headers and the the providers fields:
Open Source ConsolidatedAWSGCPAZUREKUBERNETES
auth_methodprofileprincipalidentity_type : identity_idin-cluster/kube-config
providerproviderproviderproviderprovider
account_uidaccount_id / account_arnproject_idsubscription_idcluster
account_nameaccount_nameproject_namesubscription_namecontext:context
account_emailaccount_emailN/AN/AN/A
account_organization_uidaccount_organizations_arnproject_organization_idtenant_idN/A
account_organization_nameaccount_orgproject_organization_display_nametenant_domainN/A
account_tagsaccount_tagsproject_labelssubscription_tagsN/A
partitionpartitionN/Aregion_config.nameN/A
regionregionlocationlocationnamespace:namespace
resource_nameresource_idresource_nameresource_nameresource_name
resource_uidresource_arnresource_idresource_idresource_id
finding_uidfinding_unique_idfinding_unique_idfinding_unique_idfinding_unique_id

JSON-OCSF

The JSON-OCSF output format implements the Detection Finding from the OCSF 
[{
     "message": "Potential secrets found in ECS task definition manufacturer-api with revision 7: Secrets in container manufacturer-api -> Secret Keyword on the environment variable DB_PASSWORD.",
     "metadata": {
         "event_code": "ecs_task_definitions_no_environment_secrets",
         "product": {
             "name": "Prowler",
             "uid": "prowler",
             "vendor_name": "Prowler",
             "version": "5.3.0"
         },
         "profiles": [
             "cloud",
             "datetime"
         ],
         "tenant_uid": "",
         "version": "1.3.0"
     },
     "severity_id": 5,
     "severity": "Critical",
     "status": "New",
     "status_code": "FAIL",
     "status_detail": "Potential secrets found in ECS task definition manufacturer-api with revision 7: Secrets in container manufacturer-api -> Secret Keyword on the environment variable DB_PASSWORD.",
     "status_id": 1,
     "unmapped": {
         "related_url": "",
         "categories": [
             "secrets"
         ],
         "depends_on": [],
         "related_to": [],
         "notes": "",
         "additional_urls": [],
         "compliance": {
             "MITRE-ATTACK": [
                 "T1552"
             ],
             "AWS-Foundational-Security-Best-Practices": [
                 "ecs"
             ],
             "KISA-ISMS-P-2023": [
                 "2.7.1",
                 "2.11.2"
             ],
             "KISA-ISMS-P-2023-korean": [
                 "2.7.1",
                 "2.11.2"
             ],
             "AWS-Well-Architected-Framework-Security-Pillar": [
                 "SEC02-BP03"
             ]
         }
     },
     "activity_name": "Create",
     "activity_id": 1,
     "finding_info": {
         "created_time": 1737995806,
         "created_time_dt": "2025-01-27T17:36:46.855898",
         "desc": "Check if secrets exists in ECS task definitions environment variables.",
         "product_uid": "prowler",
         "title": "Check if secrets exists in ECS task definitions environment variables",
         "types": [
             "Protect",
             "Secure development",
             "Credentials not hard-coded"
         ],
         "uid": "prowler-aws-ecs_task_definitions_no_environment_secrets-123456789012-eu-central-1-manufacturer-api:7"
     },
     "resources": [
         {
             "cloud_partition": "aws",
             "region": "eu-central-1",
             "data": {
                 "details": "",
                 "metadata": {
                     "name": "manufacturer-api",
                     "arn": "arn:aws:ecs:eu-central-1:123456789012:task-definition/manufacturer-api:7",
                     "revision": "7",
                     "region": "eu-central-1",
                     "container_definitions": [
                         {
                             "name": "manufacturer-api",
                             "privileged": false,
                             "readonly_rootfilesystem": false,
                             "user": "",
                             "environment": [
                                 {
                                     "name": "DB_HOST",
                                     "value": "some.cluster.eu-central-1.rds.amazonaws.com"
                                 },
                                 {
                                     "name": "DB_PASSWORD",
                                     "value": "somePassword"
                                 }
                             ],
                             "log_driver": "",
                             "log_option": ""
                         }
                     ],
                     "pid_mode": "",
                     "tags": [],
                     "network_mode": "awsvpc"
                 }
             },
             "group": {
                 "name": "ecs"
             },
             "labels": [],
             "name": "manufacturer-api:7",
             "type": "AwsEcsTaskDefinition",
             "uid": "arn:aws:ecs:eu-central-1:123456789012:task-definition/manufacturer-api:7"
         }
     ],
     "category_name": "Findings",
     "category_uid": 2,
     "class_name": "Detection Finding",
     "class_uid": 2004,
     "cloud": {
         "account": {
             "name": "",
             "type": "AWS Account",
             "type_id": 10,
             "uid": "123456789012",
             "labels": []
         },
         "org": {
             "name": "",
             "uid": ""
         },
         "provider": "aws",
         "region": "eu-central-1"
     },
     "remediation": {
         "desc": "Use Secrets Manager or Parameter Store to securely provide credentials to containers without hardcoding the secrets in code or passing them through environment variables. It is currently not possible to delete task definition revisions which contain plaintext secrets. AWS is looking into implementing this feature in 2023, and it is therefore recommended that all plaintext secrets are rotated at the same time as moving the secrets to Secrets Manager or Parameter Store.",
         "references": [
             "https://docs.aws.amazon.com/AmazonECS/latest/developerguide/specifying-sensitive-data.html"
         ]
     },
     "risk_details": "The use of a hard-coded password increases the possibility of password guessing. If hard-coded passwords are used, it is possible that malicious users gain access through the account in question.",
     "time": 1737995806,
     "time_dt": "2025-01-27T17:36:46.855898",
     "type_uid": 200401,
     "type_name": "Detection Finding: Create"
 }]
Each finding is a json object within a list.

JSON-ASFF (AWS Only)

Only available when using --security-hub or --output-formats json-asff with the AWS provider.
The following code is an example output of the JSON-ASFF format: 
[{
    "SchemaVersion": "2018-10-08",
    "Id": "prowler-rds_instance_minor_version_upgrade_enabled-ACCOUNT_ID-eu-west-1-b1ade474a",
    "ProductArn": "arn:aws:securityhub:eu-west-1::product/prowler/prowler",
    "RecordState": "ACTIVE",
    "ProductFields": {
        "ProviderName": "Prowler",
        "ProviderVersion": "3.0-beta-21Nov2022",
        "ProwlerResourceName": "rds-instance-id"
    },
    "GeneratorId": "prowler-rds_instance_minor_version_upgrade_enabled",
    "AwsAccountId": "ACCOUNT_ID",
    "Types": [],
    "FirstObservedAt": "2022-12-01T13:16:57Z",
    "UpdatedAt": "2022-12-01T13:16:57Z",
    "CreatedAt": "2022-12-01T13:16:57Z",
    "Severity": {
        "Label": "LOW"
    },
    "Title": "Ensure RDS instances have minor version upgrade enabled.",
    "Description": "Ensure RDS instances have minor version upgrade enabled.",
    "Resources": [
        {
            "Type": "AwsRdsDbInstance",
            "Id": "rds-instance-id",
            "Partition": "aws",
            "Region": "eu-west-1"
        }
    ],
    "Compliance": {
        "Status": "PASSED",
        "RelatedRequirements": [
            "CISA your-systems-2 booting-up-thing-to-do-first-3",
            "CIS-1.5 2.3.2",
            "AWS-Foundational-Security-Best-Practices rds",
            "RBI-Cyber-Security-Framework annex_i_6",
            "FFIEC d3-cc-pm-b-1 d3-cc-pm-b-3"
        ],
        "AssociatedStandards": [
            {
                "StandardsId": "CISA"
            },
            {
                "StandardsId": "CIS-1.5"
            },
            {
                "StandardsId": "AWS-Foundational-Security-Best-Practices"
            },
            {
                "StandardsId": "RBI-Cyber-Security-Framework"
            },
            {
                "StandardsId": "FFIEC"
            }
        ]
    },
    "Remediation": {
        "Recommendation": {
            "Text": "Enable auto minor version upgrade for all databases and environments.",
            "Url": "https://aws.amazon.com/blogs/database/best-practices-for-upgrading-amazon-rds-to-major-and-minor-versions-of-postgresql/"
        }
    }
}]
Each finding is a json object within a list.

HTML

The following image is an example of the HTML output:

SARIF (IaC Only)

The SARIF (Static Analysis Results Interchange Format) output generates a SARIF 2.1.0 document compatible with GitHub Code Scanning and other SARIF-compatible tools. This format is exclusively available for the IaC provider, as it is designed for static analysis results that reference specific files and line numbers. 
prowler iac --scan-repository-url https://github.com/user/repo -M sarif
The SARIF output format is only available when using the iac provider. Attempting to use it with other providers results in an error.
The SARIF output includes:
  • Rules: Each unique check ID produces a rule entry with severity, description, remediation, and a markdown help panel.
  • Results: Only failed (non-muted) findings are included, with file paths and line numbers for precise annotation.
  • Severity mapping: Prowler severities map to SARIF levels (critical/higherror, mediumwarning, low/informationalnote).

V4 Deprecations

Some deprecations have been made to unify formats and improve outputs.

JSON

Native JSON format has been deprecated in favor of JSON OCSF v1.1.0. The following is the mapping between the native JSON and the Detection Finding from the JSON-OCSF:
Native JSON Prowler v3JSON-OCSF v.1.1.0
AssessmentStartTimetime_dt
FindingUniqueIdfinding_info.uid
Providercloud.provider
CheckIDmetadata.event_code
CheckTitlefinding_info.title
CheckTypefinding_info.types
ServiceNameresources.group.name
SubServiceNameNot mapped yet
Statusstatus_code
StatusExtendedstatus_detail
Severityseverity
ResourceTyperesources.type
ResourceDetailsresources.data.details
Descriptionfinding_info.desc
Riskrisk_details
RelatedUrlunmapped.related_url
Remediation.Recommendation.Textremediation.desc
Remediation.Recommendation.Urlremediation.references
Remediation.Code.NativeIaCremediation.references
Remediation.Code.Terraformremediation.references
Remediation.Code.CLIremediation.references
Remediation.Code.Otherremediation.references
Complianceunmapped.compliance
Categoriesunmapped.categories
DependsOnunmapped.depends_on
RelatedTounmapped.related_to
AdditionalURLsunmapped.additional_urls
Notesunmapped.notes
ProfileNot mapped yet
AccountIdcloud.account.uid
OrganizationsInfo.account_namecloud.account.name
OrganizationsInfo.account_emailNot mapped yet
OrganizationsInfo.account_arnNot mapped yet
OrganizationsInfo.account_orgcloud.org.name
OrganizationsInfo.account_tagscloud.account.labels
Regionresources.region
ResourceIdresources.name
ResourceArnresources.uid
ResourceTagsresources.labels

CSV Columns

In Prowler v3 each provider had some specific columns, different from the rest. These are the cases that have changed in Prowler v4:
Providerv3v4
AWSPROFILEAUTH_METHOD
AWSACCOUNT_IDACCOUNT_UID
AWSACCOUNT_ORGANIZATION_ARNACCOUNT_ORGANIZATION_UID
AWSACCOUNT_ORGACCOUNT_ORGANIZATION_NAME
AWSFINDING_UNIQUE_IDFINDING_UID
AWSASSESSMENT_START_TIMETIMESTAMP
AZURETENANT_DOMAINACCOUNT_ORGANIZATION_NAME
AZURESUBSCRIPTIONACCOUNT_UID
GCPPROJECT_IDACCOUNT_UID
GCPLOCATIONREGION
AWS / AZURE / GCPRESOURCE_IDRESOURCE_NAME
AWS / AZURE / GCPRESOURCE_ARNRESOURCE_UID