Menü
Creates Prowler security checks following SDK architecture patterns. Trigger: When creating or updating a Prowler SDK security check (implementation + metadata) for any provider (AWS, Azure, GCP, K8s, GitHub, etc.).
Basierend auf der SOC-Berufsklassifikation
Keeps product-tour definitions aligned with the UI features they describe. Trigger: When modifying UI components that have associated tours, editing tour definition files, or renaming data-tour-id attributes.
Django REST Framework patterns. Trigger: When implementing generic DRF APIs (ViewSets, serializers, routers, permissions, filtersets). For Prowler API specifics (RLS/RBAC/Providers), also use prowler-api.
Reviews Django migration files for PostgreSQL best practices specific to Prowler. Trigger: When creating migrations, running makemigrations/pgmakemigrations, reviewing migration PRs, adding indexes or constraints to database tables, modifying existing migration files, or writing data backfill migrations. Always use this skill when you see AddIndex, CreateModel, AddConstraint, RunPython, bulk_create, bulk_update, or backfill operations in migration files.
Create and maintain GitHub Agentic Workflows (gh-aw) for Prowler. Trigger: When creating agentic workflows, modifying gh-aw frontmatter, configuring safe-outputs, setting up MCP servers in workflows, importing Copilot Custom Agents, or debugging gh-aw compilation.
Strict JSON:API v1.1 specification compliance. Trigger: When creating or modifying API endpoints, reviewing API responses, or validating JSON:API compliance.
Next.js 16 App Router patterns. Trigger: When working in Next.js App Router (app/), Server Components vs Client Components, Server Actions, Route Handlers, proxy.ts, caching/revalidation, Cache Components, and streaming/Suspense.
| name | prowler-sdk-check |
| description | Creates Prowler security checks following SDK architecture patterns. Trigger: When creating or updating a Prowler SDK security check (implementation + metadata) for any provider (AWS, Azure, GCP, K8s, GitHub, etc.). |
| license | Apache-2.0 |
| metadata | {"author":"prowler-cloud","version":"1.0","scope":["root","sdk"],"auto_invoke":["Creating new checks","Updating existing checks and metadata"]} |
| allowed-tools | Read, Edit, Write, Glob, Grep, Bash, WebFetch, WebSearch, Task |
prowler/providers/{provider}/services/{service}/{check_name}/
├── __init__.py
├── {check_name}.py
└── {check_name}.metadata.json
prowler/providers/{provider}/services/{service}/mkdir -p prowler/providers/{provider}/services/{service}/{check_name}
touch prowler/providers/{provider}/services/{service}/{check_name}/__init__.py
touch prowler/providers/{provider}/services/{service}/{check_name}/{check_name}.py
touch prowler/providers/{provider}/services/{service}/{check_name}/{check_name}.metadata.json
from prowler.lib.check.models import Check, Check_Report_{Provider}
from prowler.providers.{provider}.services.{service}.{service}_client import {service}_client
class {check_name}(Check):
"""Ensure that {resource} meets {security_requirement}."""
def execute(self) -> list[Check_Report_{Provider}]:
"""Execute the check logic.
Returns:
A list of reports containing the result of the check.
"""
findings = []
for resource in {service}_client.{resources}:
report = Check_Report_{Provider}(metadata=self.metadata(), resource=resource)
report.status = "PASS" if resource.is_compliant else "FAIL"
report.status_extended = f"Resource {resource.name} compliance status."
findings.append(report)
return findings
See complete schema below and assets/ folder for complete templates.
For detailed field documentation, see references/metadata-docs.md.
uv run python prowler-cli.py {provider} --list-checks | grep {check_name}
uv run python prowler-cli.py {provider} --log-level ERROR --verbose --check {check_name}
See prowler-test-sdk skill for test patterns (PASS, FAIL, no resources, error handling).
{service}_{resource}_{security_control}
Examples:
ec2_instance_public_ip_disableds3_bucket_encryption_enablediam_user_mfa_enabled{
"Provider": "aws",
"CheckID": "{check_name}",
"CheckTitle": "Human-readable title",
"CheckType": [
"Software and Configuration Checks/AWS Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
],
"ServiceName": "{service}",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "low|medium|high|critical",
"ResourceType": "AwsEc2Instance|Other",
"ResourceGroup": "security|compute|storage|network",
"Description": "**Bold resource name**. Detailed explanation of what this check evaluates and why it matters.",
"Risk": "What happens if non-compliant. Explain attack vectors, data exposure risks, compliance impact.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/..."
],
"Remediation": {
"Code": {
"CLI": "aws {service} {command} --option value",
"NativeIaC": "```yaml\nResources:\n Resource:\n Type: AWS::{Service}::{Resource}\n Properties:\n Key: value # This line fixes the issue\n```",
"Other": "1. Console steps\n2. Step by step",
"Terraform": "```hcl\nresource \"aws_{service}_{resource}\" \"example\" {\n key = \"value\" # This line fixes the issue\n}\n```"
},
"Recommendation": {
"Text": "Detailed recommendation for remediation.",
"Url": "https://hub.prowler.com/check/{check_name}"
}
},
"Categories": [
"identity-access",
"encryption",
"logging",
"forensics-ready",
"internet-exposed",
"trust-boundaries"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
}
| Field | Description |
|---|---|
Provider | Provider name: aws, azure, gcp, kubernetes, github, m365 |
CheckID | Must match class name and folder name |
CheckTitle | Human-readable title |
Severity | low, medium, high, critical |
ServiceName | Service being checked |
Description | What the check evaluates |
Risk | Security impact of non-compliance |
Remediation.Code.CLI | CLI fix command |
Remediation.Recommendation.Text | How to fix |
| Severity | When to Use |
|---|---|
critical | Direct data exposure, RCE, privilege escalation |
high | Significant security risk, compliance violation |
medium | Defense-in-depth, best practice |
low | Informational, minor hardening |
| Status | When to Use |
|---|---|
PASS | Resource is compliant |
FAIL | Resource is non-compliant |
MANUAL | Requires human verification |
from prowler.lib.check.models import Check, Check_Report_AWS
from prowler.providers.aws.services.s3.s3_client import s3_client
class s3_bucket_encryption_enabled(Check):
def execute(self) -> list[Check_Report_AWS]:
findings = []
for bucket in s3_client.buckets.values():
report = Check_Report_AWS(metadata=self.metadata(), resource=bucket)
if bucket.encryption:
report.status = "PASS"
report.status_extended = f"S3 bucket {bucket.name} has encryption enabled."
else:
report.status = "FAIL"
report.status_extended = f"S3 bucket {bucket.name} does not have encryption enabled."
findings.append(report)
return findings
from prowler.lib.check.models import Check, Check_Report_AWS
from prowler.providers.aws.services.ec2.ec2_client import ec2_client
class ec2_instance_hardened(Check):
def execute(self) -> list[Check_Report_AWS]:
findings = []
for instance in ec2_client.instances:
report = Check_Report_AWS(metadata=self.metadata(), resource=instance)
issues = []
if instance.public_ip:
issues.append("has public IP")
if not instance.metadata_options.http_tokens == "required":
issues.append("IMDSv2 not enforced")
if issues:
report.status = "FAIL"
report.status_extended = f"Instance {instance.id} {', '.join(issues)}."
else:
report.status = "PASS"
report.status_extended = f"Instance {instance.id} is properly hardened."
findings.append(report)
return findings
# Verify detection
uv run python prowler-cli.py {provider} --list-checks | grep {check_name}
# Run check
uv run python prowler-cli.py {provider} --log-level ERROR --verbose --check {check_name}
# Run with specific profile/credentials
uv run python prowler-cli.py aws --profile myprofile --check {check_name}
# Run multiple checks
uv run python prowler-cli.py {provider} --check {check1} {check2} {check3}