
Prowler is the Open Cloud Security Platform trusted by thousands to automate security and compliance in any cloud environment. With hundreds of ready-to-use checks and compliance frameworks, Prowler delivers real-time, customizable monitoring and seamless integrations, making cloud security simple, scalable, and cost-effective for organizations of any size.
Secure ANY cloud at AI Speed at prowler.com

Prowler is the world’s most widely used Open-Source Cloud Security Platform that automates security and compliance across any cloud environment. With hundreds of ready-to-use security checks, remediation guidance, and compliance frameworks, Prowler is built to “Secure ANY Cloud at AI Speed”. Prowler delivers AI-driven, customizable, and easy-to-use assessments, dashboards, reports, and integrations, making cloud security simple, scalable, and cost-effective for organizations of any size.
Prowler includes hundreds of built-in controls to ensure compliance with standards and frameworks, including:
Prowler App / Prowler Cloud is a web-based application that simplifies running Prowler across your cloud provider accounts. It provides a user-friendly interface to visualize the results and streamline your security assessments.

For more details, refer to the Prowler App Documentation.

```console
prowler <provider>
```

```console
prowler dashboard
```

Attack Paths automatically extends every completed AWS scan with a graph that combines Cartography's cloud inventory with Prowler findings. The feature runs in the API worker after each scan.
Two graph backends are supported as the long-lived sink:
neo4j service).

Select the sink with `ATTACK_PATHS_SINK_DATABASE` (`neo4j` or `neptune`; default `neo4j`).

Note: Cartography ingestion always uses a temporary Neo4j database, regardless of the configured sink. The `NEO4J_*` variables below must remain set even when `ATTACK_PATHS_SINK_DATABASE=neptune`.

| Variable | Description | Default |
|---|---|---|
| `NEO4J_HOST` | Hostname used by the API containers. | `neo4j` |
| `NEO4J_PORT` | Bolt port exposed by Neo4j. | `7687` |
| `NEO4J_USER` / `NEO4J_PASSWORD` | Credentials with rights to create per-tenant databases. | `neo4j` / `neo4j_password` |


| Variable | Description | Default |
|---|---|---|
| `NEPTUNE_WRITER_ENDPOINT` | Bolt host for the Neptune writer instance. Required when sink is `neptune`. | empty |
| `NEPTUNE_READER_ENDPOINT` | Optional reader endpoint for read-only queries. Falls back to the writer when unset. | empty |
| `NEPTUNE_PORT` | Bolt port exposed by Neptune. | `8182` |
| `AWS_REGION` | Region the Neptune cluster lives in. Required when sink is `neptune`. | empty |

Neptune authenticates with SigV4 using the standard boto3 credential chain. The worker's IAM role (or AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY) supplies the credentials. There is no Neptune password variable.
Every AWS provider scan will enqueue an Attack Paths ingestion job automatically. Other cloud providers will be added in future iterations.
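
The sink rules above can be checked before the worker starts. The following is an added example, not part of Prowler's code base: `parse_env`, `check_attack_paths` and the sample `.env` content are constructed for illustration, and the rules are the ones stated in the tables and notes above.

```python
# Added example: rules taken from the Attack Paths tables and notes above.
# Function names and the sample values are constructed for illustration.
NEO4J_VARS = ("NEO4J_HOST", "NEO4J_PORT", "NEO4J_USER", "NEO4J_PASSWORD")
DEFAULT_NEO4J_PASSWORD = "neo4j_password"  # default listed in the table

SAMPLE_ENV = """\
# constructed sample, not a real deployment
ATTACK_PATHS_SINK_DATABASE=neptune
NEO4J_HOST=neo4j
NEO4J_PORT=7687
NEO4J_USER=neo4j
NEO4J_PASSWORD=neo4j_password
NEPTUNE_WRITER_ENDPOINT=writer.example.internal
"""


def parse_env(text):
    """Parse KEY=VALUE lines, skipping blanks and comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip().strip("'\"")
    return env


def check_attack_paths(env):
    """Return (errors, warnings, effective Neptune reader endpoint)."""
    errors, warnings, reader = [], [], None
    sink = env.get("ATTACK_PATHS_SINK_DATABASE") or "neo4j"  # default sink
    if sink not in ("neo4j", "neptune"):
        errors.append(f"unknown sink {sink!r}")
    if sink == "neptune":
        # Cartography still ingests through a temporary Neo4j database.
        required = NEO4J_VARS + ("NEPTUNE_WRITER_ENDPOINT", "AWS_REGION")
        errors += [f"{n} must be set for the neptune sink"
                   for n in required if not env.get(n)]
        # The reader endpoint falls back to the writer when unset.
        reader = env.get("NEPTUNE_READER_ENDPOINT") or env.get("NEPTUNE_WRITER_ENDPOINT")
    if (env.get("NEO4J_PASSWORD") or DEFAULT_NEO4J_PASSWORD) == DEFAULT_NEO4J_PASSWORD:
        warnings.append("NEO4J_PASSWORD is the documented default")
    return errors, warnings, reader


if __name__ == "__main__":
    print(check_attack_paths(parse_env(SAMPLE_ENV)))
```
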
[!Tip] For the most accurate and up-to-date information about checks, services, frameworks, and categories, visit Prowler Hub.
| Provider | Checks | Services | Compliance Frameworks | Categories | Support | Interface |
|---|---|---|---|---|---|---|
| AWS | 615 | 86 | 47 | 19 | Official | UI, API, CLI |
| Azure | 190 | 22 | 21 | 16 | Official | UI, API, CLI |
| GCP | 109 | 20 | 19 | 12 | Official | UI, API, CLI |
| Kubernetes | 90 | 7 | 8 | 11 | Official | UI, API, CLI |
| GitHub | 24 | 3 | 2 | 5 | Official | UI, API, CLI |
| M365 | 109 | 10 | 6 | 10 | Official | UI, API, CLI |
| OCI | 52 | 14 | 5 | 10 | Official | UI, API, CLI |
| Alibaba Cloud | 63 | 9 | 6 | 9 | Official | UI, API, CLI |
| Cloudflare | 29 | 3 | 2 | 5 | Official | UI, API, CLI |
| IaC | See trivy docs. | N/A | N/A | N/A | Official | UI, API, CLI |
| MongoDB Atlas | 10 | 3 | 1 | 8 | Official | UI, API, CLI |
| LLM | See promptfoo docs. | N/A | N/A | N/A | Official | CLI |
| Image | N/A | N/A | N/A | N/A | Official | CLI, API |
| Google Workspace | 65 | 11 | 3 | 6 | Official | UI, API, CLI |
| OpenStack | 34 | 5 | 1 | 9 | Official | UI, API, CLI |
| Vercel | 26 | 6 | 1 | 8 | Official | UI, API, CLI |
| Okta | 29 | 8 | 2 | 2 | Official | UI, API, CLI |
| Linode Contact us | 10 | 3 | 1 | 4 | Unofficial | CLI |
| Scaleway Contact us | 1 | 1 | 1 | 1 | Unofficial | CLI |
| StackIT Contact us | 7 | 2 | 1 | 3 | Unofficial | CLI |
| NHN | 6 | 2 | 2 | 0 | Unofficial | CLI |
[!Note] The numbers in the table are updated periodically.
[!Note] Use the following commands to list Prowler's available checks, services, compliance frameworks, and categories:
- `prowler <provider> --list-checks`
- `prowler <provider> --list-services`
- `prowler <provider> --list-compliance`
- `prowler <provider> --list-categories`

Prowler App offers flexible installation methods tailored to various environments:
For detailed instructions on using Prowler App, refer to the Prowler App Usage Guide.
Docker Compose installed: https://docs.docker.com/compose/install/.

macOS/Linux:

```bash
VERSION=$(curl -s https://api.github.com/repos/prowler-cloud/prowler/releases/latest | jq -r .tag_name)
curl -sLO "https://raw.githubusercontent.com/prowler-cloud/prowler/refs/tags/${VERSION}/docker-compose.yml"
# Environment variables can be customized in the .env file. Using default values in production environments is not recommended.
curl -sLO "https://raw.githubusercontent.com/prowler-cloud/prowler/refs/tags/${VERSION}/.env"
docker compose up -d
```

Windows PowerShell:

```powershell
$VERSION = (Invoke-RestMethod -Uri "https://api.github.com/repos/prowler-cloud/prowler/releases/latest").tag_name
Invoke-WebRequest -Uri "https://raw.githubusercontent.com/prowler-cloud/prowler/refs/tags/$VERSION/docker-compose.yml" -OutFile "docker-compose.yml"
# Environment variables can be customized in the .env file. Using default values in production environments is not recommended.
Invoke-WebRequest -Uri "https://raw.githubusercontent.com/prowler-cloud/prowler/refs/tags/$VERSION/.env" -OutFile ".env"
docker compose up -d
```

[!WARNING] 🔒 For a secure setup, the API auto-generates a unique key pair, `DJANGO_TOKEN_SIGNING_KEY` and `DJANGO_TOKEN_VERIFYING_KEY`, and stores it in `~/.config/prowler-api` (non-container) or the bound Docker volume in `_data/api` (container). Never commit or reuse static/default keys. To rotate keys, delete the stored key files and restart the API.

Once configured, access the Prowler App at http://localhost:3000. Sign up using your email and password to get started.
[!Note] If you want to use AWS role assumption (e.g., with the "Connect assuming IAM Role" option), you may need to mount your local `.aws` directory into the container as a volume (e.g., `- "${HOME}/.aws:/home/prowler/.aws:ro"`). There are several ways to configure credentials for Docker containers. See the Troubleshooting section for more details and examples.

You can find more information in the Troubleshooting section.
- git installed.
- uv installed: uv installation.
- pnpm installed: pnpm installation.
- Docker Compose installed: https://docs.docker.com/compose/install/.

```bash
git clone https://github.com/prowler-cloud/prowler
cd prowler/api
uv sync
source .venv/bin/activate
# Export every variable defined in .env to the commands that follow
set -a
source .env
# Start the PostgreSQL and Valkey containers in the background
docker compose up postgres valkey -d
cd src/backend
python manage.py migrate --database admin
gunicorn -c config/guniconf.py config.wsgi:application
```

After completing the setup, access the API documentation at http://localhost:8080/api/v1/docs.

```bash
git clone https://github.com/prowler-cloud/prowler
cd prowler/api
uv sync
source .venv/bin/activate
set -a
source .env
cd src/backend
# Run the Celery worker
python -m celery -A config.celery worker -l info -E
```

```bash
git clone https://github.com/prowler-cloud/prowler
cd prowler/api
uv sync
source .venv/bin/activate
set -a
source .env
cd src/backend
# Run the Celery beat scheduler backed by the database
python -m celery -A config.celery beat -l info --scheduler django_celery_beat.schedulers:DatabaseScheduler
```

```bash
git clone https://github.com/prowler-cloud/prowler
cd prowler/ui
pnpm install
pnpm run build
pnpm start
```

Once configured, access the Prowler App at http://localh