
github.com/prowler-cloud/prowler @5.32.0 sqlite

32,894 symbols 185,457 edges 8,064 files 8,301 documented · 25%
README


Prowler is the Open Cloud Security Platform trusted by thousands to automate security and compliance in any cloud environment. With hundreds of ready-to-use checks and compliance frameworks, Prowler delivers real-time, customizable monitoring and seamless integrations, making cloud security simple, scalable, and cost-effective for organizations of any size.

Secure ANY cloud at AI Speed at prowler.com


Join our Prowler community!



Description

Prowler is the world’s most widely used Open-Source Cloud Security Platform that automates security and compliance across any cloud environment. With hundreds of ready-to-use security checks, remediation guidance, and compliance frameworks, Prowler is built to “Secure ANY Cloud at AI Speed”. Prowler delivers AI-driven, customizable, and easy-to-use assessments, dashboards, reports, and integrations, making cloud security simple, scalable, and cost-effective for organizations of any size.

Prowler includes hundreds of built-in controls to ensure compliance with standards and frameworks, including:

  • Prowler ThreatScore: Weighted risk prioritization scoring that helps you focus on the most critical security findings first
  • Industry Standards: CIS, NIST 800, NIST CSF, CISA, and MITRE ATT&CK
  • Regulatory Compliance and Governance: RBI, FedRAMP, PCI-DSS, and NIS2
  • Frameworks for Sensitive Data and Privacy: GDPR, HIPAA, and FFIEC
  • Frameworks for Organizational Governance and Quality Control: SOC2, GXP, and ISO 27001
  • Cloud-Specific Frameworks: AWS Foundational Technical Review (FTR), AWS Well-Architected Framework, and BSI C5
  • National Security Standards: ENS (Spanish National Security Scheme) and KISA ISMS-P (Korean)
  • Custom Security Frameworks: Tailored to your needs

Prowler App / Prowler Cloud

Prowler App / Prowler Cloud is a web-based application that simplifies running Prowler across your cloud provider accounts. It provides a user-friendly interface to visualize the results and streamline your security assessments.


For more details, refer to the Prowler App Documentation

Prowler CLI

prowler <provider>


Prowler Dashboard

prowler dashboard


Attack Paths

Attack Paths automatically extends every completed AWS scan with a graph that combines Cartography's cloud inventory with Prowler findings. The feature runs in the API worker after each scan.

Two graph backends are supported as the long-lived sink:

  • Neo4j (default; the Docker Compose files already ship a neo4j service).
  • Amazon Neptune (cloud-managed; opt-in).

Select the sink with ATTACK_PATHS_SINK_DATABASE (neo4j or neptune; default neo4j).

Note: Cartography ingestion always uses a temporary Neo4j database, regardless of the configured sink. The NEO4J_* variables below must remain set even when ATTACK_PATHS_SINK_DATABASE=neptune.

Neo4j sink

| Variable | Description | Default |
|---|---|---|
| NEO4J_HOST | Hostname used by the API containers. | neo4j |
| NEO4J_PORT | Bolt port exposed by Neo4j. | 7687 |
| NEO4J_USER / NEO4J_PASSWORD | Credentials with rights to create per-tenant databases. | neo4j / neo4j_password |

Neptune sink

| Variable | Description | Default |
|---|---|---|
| NEPTUNE_WRITER_ENDPOINT | Bolt host for the Neptune writer instance. Required when sink is neptune. | empty |
| NEPTUNE_READER_ENDPOINT | Optional reader endpoint for read-only queries. Falls back to the writer when unset. | empty |
| NEPTUNE_PORT | Bolt port exposed by Neptune. | 8182 |
| AWS_REGION | Region the Neptune cluster lives in. Required when sink is neptune. | empty |

Neptune authenticates with SigV4 using the standard boto3 credential chain. The worker's IAM role (or AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY) supplies the credentials. There is no Neptune password variable.

Every AWS provider scan will enqueue an Attack Paths ingestion job automatically. Other cloud providers will be added in future iterations.
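
The sink rules above can be checked before starting the stack. The following is an added example, not code from the Prowler project: a preflight check over a `.env` file that applies the requirements stated in the two tables and the note. The function names, severity labels, and the sample file are assumptions made for illustration.

```python
# Added example: preflight check for the Attack Paths variables in the README tables.
# SAMPLE_ENV is constructed for illustration; it is not the project's shipped .env.
SAMPLE_ENV = """\
ATTACK_PATHS_SINK_DATABASE=neptune
NEO4J_HOST=neo4j
NEO4J_PORT=7687
NEO4J_USER=neo4j
NEO4J_PASSWORD=neo4j_password
NEPTUNE_WRITER_ENDPOINT=
NEPTUNE_PORT=8182
"""
NEO4J_VARS = ("NEO4J_HOST", "NEO4J_PORT", "NEO4J_USER", "NEO4J_PASSWORD")
DEFAULT_CREDS = ("neo4j", "neo4j_password")  # defaults listed in the Neo4j sink table


def parse_env(text):
    """Parse KEY=VALUE lines, skipping blanks and # comments."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip().strip("'\"")
    return env


def check_attack_paths(env):
    """Return (severity, message) findings for the rules the README states."""
    findings = []
    sink = env.get("ATTACK_PATHS_SINK_DATABASE") or "neo4j"  # documented default
    if sink not in ("neo4j", "neptune"):
        findings.append(("error", f"unknown sink {sink!r}: expected neo4j or neptune"))
    # Cartography always ingests into a temporary Neo4j database, whatever the sink.
    for var in NEO4J_VARS:
        if not env.get(var):
            findings.append(("error", f"{var} must stay set (sink={sink})"))
    if (env.get("NEO4J_USER"), env.get("NEO4J_PASSWORD")) == DEFAULT_CREDS:
        findings.append(("warn", "Neo4j credentials are still the documented defaults"))
    if sink == "neptune":
        for var in ("NEPTUNE_WRITER_ENDPOINT", "AWS_REGION"):
            if not env.get(var):
                findings.append(("error", f"{var} is required when the sink is neptune"))
        if not env.get("NEPTUNE_READER_ENDPOINT"):
            findings.append(("info", "no reader endpoint: read-only queries use the writer"))
    return findings


if __name__ == "__main__":
    for severity, message in check_attack_paths(parse_env(SAMPLE_ENV)):
        print(f"{severity.upper():5} {message}")
```
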

Prowler at a Glance

[!Tip] For the most accurate and up-to-date information about checks, services, frameworks, and categories, visit Prowler Hub.

| Provider | Checks | Services | Compliance Frameworks | Categories | Support | Interface |
|---|---|---|---|---|---|---|
| AWS | 615 | 86 | 47 | 19 | Official | UI, API, CLI |
| Azure | 190 | 22 | 21 | 16 | Official | UI, API, CLI |
| GCP | 109 | 20 | 19 | 12 | Official | UI, API, CLI |
| Kubernetes | 90 | 7 | 8 | 11 | Official | UI, API, CLI |
| GitHub | 24 | 3 | 2 | 5 | Official | UI, API, CLI |
| M365 | 109 | 10 | 6 | 10 | Official | UI, API, CLI |
| OCI | 52 | 14 | 5 | 10 | Official | UI, API, CLI |
| Alibaba Cloud | 63 | 9 | 6 | 9 | Official | UI, API, CLI |
| Cloudflare | 29 | 3 | 2 | 5 | Official | UI, API, CLI |
| IaC | See trivy docs. | N/A | N/A | N/A | Official | UI, API, CLI |
| MongoDB Atlas | 10 | 3 | 1 | 8 | Official | UI, API, CLI |
| LLM | See promptfoo docs. | N/A | N/A | N/A | Official | CLI |
| Image | N/A | N/A | N/A | N/A | Official | CLI, API |
| Google Workspace | 65 | 11 | 3 | 6 | Official | UI, API, CLI |
| OpenStack | 34 | 5 | 1 | 9 | Official | UI, API, CLI |
| Vercel | 26 | 6 | 1 | 8 | Official | UI, API, CLI |
| Okta | 29 | 8 | 2 | 2 | Official | UI, API, CLI |
| Linode Contact us | 10 | 3 | 1 | 4 | Unofficial | CLI |
| Scaleway Contact us | 1 | 1 | 1 | 1 | Unofficial | CLI |
| StackIT Contact us | 7 | 2 | 1 | 3 | Unofficial | CLI |
| NHN | 6 | 2 | 2 | 0 | Unofficial | CLI |

[!Note] The numbers in the table are updated periodically.

[!Note] Use the following commands to list Prowler's available checks, services, compliance frameworks, and categories:

  • prowler <provider> --list-checks
  • prowler <provider> --list-services
  • prowler <provider> --list-compliance
  • prowler <provider> --list-categories

💻 Installation

Prowler App

Prowler App offers flexible installation methods tailored to various environments:

For detailed instructions on using Prowler App, refer to the Prowler App Usage Guide.

Docker Compose

Requirements

  • Docker Compose installed: https://docs.docker.com/compose/install/.

Commands

macOS/Linux:

VERSION=$(curl -s https://api.github.com/repos/prowler-cloud/prowler/releases/latest | jq -r .tag_name)
curl -sLO "https://raw.githubusercontent.com/prowler-cloud/prowler/refs/tags/${VERSION}/docker-compose.yml"
# Environment variables can be customized in the .env file. Using default values in production environments is not recommended.
curl -sLO "https://raw.githubusercontent.com/prowler-cloud/prowler/refs/tags/${VERSION}/.env"
docker compose up -d

Windows PowerShell:

$VERSION = (Invoke-RestMethod -Uri "https://api.github.com/repos/prowler-cloud/prowler/releases/latest").tag_name
Invoke-WebRequest -Uri "https://raw.githubusercontent.com/prowler-cloud/prowler/refs/tags/$VERSION/docker-compose.yml" -OutFile "docker-compose.yml"
# Environment variables can be customized in the .env file. Using default values in production environments is not recommended.
Invoke-WebRequest -Uri "https://raw.githubusercontent.com/prowler-cloud/prowler/refs/tags/$VERSION/.env" -OutFile ".env"
docker compose up -d

[!WARNING] 🔒 For a secure setup, the API auto-generates a unique key pair, DJANGO_TOKEN_SIGNING_KEY and DJANGO_TOKEN_VERIFYING_KEY, and stores it in ~/.config/prowler-api (non-container) or the bound Docker volume in _data/api (container). Never commit or reuse static/default keys. To rotate keys, delete the stored key files and restart the API.

Once configured, access the Prowler App at http://localhost:3000. Sign up using your email and password to get started.

Common Issues with Docker Pull Installation

[!Note] If you want to use AWS role assumption (e.g., with the "Connect assuming IAM Role" option), you may need to mount your local .aws directory into the container as a volume (e.g., - "${HOME}/.aws:/home/prowler/.aws:ro"). There are several ways to configure credentials for Docker containers. See the Troubleshooting section for more details and examples.

You can find more information in the Troubleshooting section.

From GitHub

Requirements

Commands to run the API

git clone https://github.com/prowler-cloud/prowler
cd prowler/api
uv sync
source .venv/bin/activate
set -a
source .env
docker compose up postgres valkey -d
cd src/backend
python manage.py migrate --database admin
gunicorn -c config/guniconf.py config.wsgi:application

After completing the setup, access the API documentation at http://localhost:8080/api/v1/docs.

Commands to run the API Worker

git clone https://github.com/prowler-cloud/prowler
cd prowler/api
uv sync
source .venv/bin/activate
set -a
source .env
cd src/backend
python -m celery -A config.celery worker -l info -E

Commands to run the API Scheduler

git clone https://github.com/prowler-cloud/prowler
cd prowler/api
uv sync
source .venv/bin/activate
set -a
source .env
cd src/backend
python -m celery -A config.celery beat -l info --scheduler django_celery_beat.schedulers:DatabaseScheduler

Commands to run the UI

git clone https://github.com/prowler-cloud/prowler
cd prowler/ui
pnpm install
pnpm run build
pnpm start

Once configured, access the Prowler App at http://localh

Extension points exported contracts — how you extend this code

FindingGroupAttributes (Interface)
API response shape for a finding group (JSON:API). Each group represents a unique check_id with aggregated counts.
ui/actions/finding-groups/finding-groups.adapter.ts
CustomCheckboxMutedFindingsBatchProps (Interface)
Batch mode: caller controls both the checked state and the notification callback (all-or-nothing).
ui/components/filters/custom-checkbox-muted-findings.tsx
DescribeToolInput (Interface)
Input type for describe_tool
ui/lib/lighthouse/tools/meta-tool.ts
ProviderTypeSelectorBaseProps (Interface)
Common props shared by both batch and instant modes.
ui/app/(prowler)/_overview/_components/provider-type-selector.tsx
CustomJwtPayload (Interface)
(no doc)
ui/auth.config.ts
User (Interface)
(no doc)
ui/nextauth.d.ts
ProcessorAttributes (Interface)
(no doc)
ui/types/processors.ts
PageReadyState (Interface)
(no doc)
ui/store/page-ready.ts

Core symbols most depended-on inside this repo

patch
called by 13309
mcp_server/prowler_mcp_server/prowler_app/utils/api_client.py
get
called by 6163
ui/lib/tours/store/tour-completion-store.ts
set_mocked_aws_provider
called by 3322
tests/providers/aws/utils.py
metadata
called by 1754
prowler/lib/check/models.py
set_mocked_azure_provider
called by 1103
tests/providers/azure/azure_fixtures.py
set
called by 710
ui/lib/tours/store/local-storage-adapter.ts
set_mocked_m365_provider
called by 694
tests/providers/m365/m365_fixtures.py
create
called by 662
api/src/backend/api/v1/views.py

Shape

Method 19,184
Class 6,456
Function 5,217
Route 1,023
Interface 1,012
Enum 2

Languages

Python 87%
TypeScript 13%

Modules by API surface

api/src/backend/api/tests/test_views.py · 808 symbols
api/src/backend/api/v1/serializers.py · 403 symbols
api/src/backend/api/v1/views.py · 327 symbols
tests/providers/aws/services/iam/lib/policy_test.py · 272 symbols
tests/providers/external/test_dynamic_provider_loading.py · 263 symbols
api/src/backend/api/models.py · 196 symbols
api/src/backend/tasks/tests/test_reports_base.py · 179 symbols
api/src/backend/tasks/tests/test_scan.py · 178 symbols
tests/providers/image/image_provider_test.py · 172 symbols
tests/lib/cli/parser_test.py · 165 symbols
api/src/backend/api/filters.py · 151 symbols
tests/providers/aws/aws_provider_test.py · 141 symbols

Dependencies from manifests, versioned

@ai-sdk/react 3.0.205 · 1×
@aws-sdk/client-bedrock-runtime 3.1045.0 · 1×
@codemirror/state 6.6.0 · 1×
@codemirror/view 6.40.0 · 1×
@dagrejs/dagre 3.0.0 · 1×
@extractus/feed-extractor 7.1.7 · 1×
@heroui/react 2.8.4 · 1×
@hookform/resolvers 5.2.2 · 1×
@iconify/react 5.2.1 · 1×
@langchain/aws 1.3.7 · 1×
@langchain/core 1.1.45 · 1×

Datastores touched

(mongodb) · Database · 1 repos
db-tenant-test-tenant-id · Database · 1 repos
(mysql) · Database · 1 repos
appdb · Database · 1 repos

For agents

$ claude mcp add prowler \
  -- python -m otcore.mcp_server <graph>
