docs: review and fix documentation coverage for provider CLI flags (#10040)

2026-03-22 03:08:23 +00:00 · 2026-03-03 09:57:05 +01:00
parent 150abce4a8
commit efcbbf63c2
10 changed files with 67 additions and 16 deletions
--- a/docs/user-guide/providers/alibabacloud/authentication.mdx
+++ b/docs/user-guide/providers/alibabacloud/authentication.mdx
@@ -16,23 +16,33 @@ Prowler requires Alibaba Cloud credentials to perform security checks. Authentic

 ### Credentials URI (Recommended for Centralized Services)

-If `--credentials-uri` is provided (or `ALIBABA_CLOUD_CREDENTIALS_URI` environment variable), Prowler will retrieve credentials from the specified external URI endpoint. The URI must return credentials in the standard JSON format.
+Prowler can retrieve credentials from an external URI endpoint. Provide the URI via the `--credentials-uri` flag or the `ALIBABA_CLOUD_CREDENTIALS_URI` environment variable. The URI must return credentials in the standard JSON format.

 ```bash
+# Using CLI flag
+prowler alibabacloud --credentials-uri http://localhost:8080/credentials
+
+# Or using environment variable
 export ALIBABA_CLOUD_CREDENTIALS_URI="http://localhost:8080/credentials"
 prowler alibabacloud
 ```

 ### OIDC Role Authentication (Recommended for ACK/Kubernetes)

-If OIDC environment variables are set, Prowler will use OIDC authentication to assume the specified role. This is the most secure method for containerized applications running in ACK (Alibaba Container Service for Kubernetes) with RRSA enabled.
+OIDC authentication assumes the specified role using an OIDC token. This is the most secure method for containerized applications running in ACK (Alibaba Container Service for Kubernetes) with RRSA enabled.
+
+The role ARN can be provided via the `--oidc-role-arn` flag or the `ALIBABA_CLOUD_ROLE_ARN` environment variable. The OIDC provider ARN and token file must be set via environment variables:

-Required environment variables:
- `ALIBABA_CLOUD_ROLE_ARN`
 - `ALIBABA_CLOUD_OIDC_PROVIDER_ARN`
 - `ALIBABA_CLOUD_OIDC_TOKEN_FILE`

 ```bash
+# Using CLI flag for role ARN
+export ALIBABA_CLOUD_OIDC_PROVIDER_ARN="acs:ram::123456789012:oidc-provider/ack-rrsa-provider"
+export ALIBABA_CLOUD_OIDC_TOKEN_FILE="/var/run/secrets/tokens/oidc-token"
+prowler alibabacloud --oidc-role-arn acs:ram::123456789012:role/YourRole
+
+# Or using all environment variables
 export ALIBABA_CLOUD_ROLE_ARN="acs:ram::123456789012:role/YourRole"
 export ALIBABA_CLOUD_OIDC_PROVIDER_ARN="acs:ram::123456789012:oidc-provider/ack-rrsa-provider"
 export ALIBABA_CLOUD_OIDC_TOKEN_FILE="/var/run/secrets/tokens/oidc-token"
@@ -54,9 +64,17 @@ prowler alibabacloud

 ### RAM Role Assumption (Recommended for Cross-Account)

-For cross-account access, use RAM role assumption. You must provide the initial credentials (access keys) and the target role ARN.
+For cross-account access, use RAM role assumption. Provide the initial credentials (access keys) via environment variables and the target role ARN via the `--role-arn` flag or the `ALIBABA_CLOUD_ROLE_ARN` environment variable.
+
+The `--role-session-name` flag customizes the session identifier (defaults to `ProwlerAssessmentSession`).

 ```bash
+# Using CLI flags
+export ALIBABA_CLOUD_ACCESS_KEY_ID="your-access-key-id"
+export ALIBABA_CLOUD_ACCESS_KEY_SECRET="your-access-key-secret"
+prowler alibabacloud --role-arn acs:ram::123456789012:role/ProwlerAuditRole --role-session-name MyAuditSession
+
+# Or using all environment variables
 export ALIBABA_CLOUD_ACCESS_KEY_ID="your-access-key-id"
 export ALIBABA_CLOUD_ACCESS_KEY_SECRET="your-access-key-secret"
 export ALIBABA_CLOUD_ROLE_ARN="acs:ram::123456789012:role/ProwlerAuditRole"
--- a/docs/user-guide/providers/alibabacloud/getting-started-alibabacloud.mdx
+++ b/docs/user-guide/providers/alibabacloud/getting-started-alibabacloud.mdx
@@ -117,6 +117,12 @@ prowler alibabacloud
 #### RAM Role Assumption

 ```bash
+# Using --role-arn CLI flag
+export ALIBABA_CLOUD_ACCESS_KEY_ID="your-access-key-id"
+export ALIBABA_CLOUD_ACCESS_KEY_SECRET="your-access-key-secret"
+prowler alibabacloud --role-arn acs:ram::123456789012:role/ProwlerAuditRole
+
+# Or using environment variables
 export ALIBABA_CLOUD_ACCESS_KEY_ID="your-access-key-id"
 export ALIBABA_CLOUD_ACCESS_KEY_SECRET="your-access-key-secret"
 export ALIBABA_CLOUD_ROLE_ARN="acs:ram::123456789012:role/ProwlerAuditRole"
--- a/docs/user-guide/providers/gcp/getting-started-gcp.mdx
+++ b/docs/user-guide/providers/gcp/getting-started-gcp.mdx
@@ -135,3 +135,16 @@ prowler gcp --impersonate-service-account <service-account-email>
 ```

 More details on authentication methods in the [Authentication](/user-guide/providers/gcp/authentication) page.
+
+### Skip API Check
+
+By default, Prowler verifies which Google Cloud APIs are enabled before running checks for each service. To skip this verification and assume all APIs are active, use the `--skip-api-check` flag:
+
+```console
+prowler gcp --skip-api-check
+```
+
+<Note>
+This is useful when the authenticated principal lacks the `serviceusage.services.list` permission but has access to individual service APIs.
+
+</Note>
--- a/docs/user-guide/providers/iac/getting-started-iac.mdx
+++ b/docs/user-guide/providers/iac/getting-started-iac.mdx
@@ -135,7 +135,7 @@ prowler iac --scan-path ./my-iac-directory --scanners vuln misconfig
 #### Exclude Paths

 ```sh
-prowler iac --scan-path ./my-iac-directory --exclude-path ./my-iac-directory/test,./my-iac-directory/examples
+prowler iac --scan-path ./my-iac-directory --exclude-path ./my-iac-directory/test ./my-iac-directory/examples
 ```

 ### Output
--- a/docs/user-guide/providers/microsoft365/getting-started-m365.mdx
+++ b/docs/user-guide/providers/microsoft365/getting-started-m365.mdx
@@ -127,4 +127,18 @@ Include PowerShell module initialization to run every check:
 prowler m365 --sp-env-auth --init-modules
 ```

+### Region Selection
+
+By default, Prowler connects to the global Microsoft 365 environment (`M365Global`). To target a different cloud environment, use the `--region` flag:
+
+```console
+prowler m365 --sp-env-auth --region M365USGovernment
+```
+
+Available regions:
+
+* **M365Global** (default): Standard commercial cloud
+* **M365China**: China-operated cloud (21Vianet)
+* **M365USGovernment**: US Government cloud (GCC High)
+
 ---
--- a/prowler/CHANGELOG.md
+++ b/prowler/CHANGELOG.md
@@ -71,6 +71,8 @@ All notable changes to the **Prowler SDK** are documented in this file.
 - VPC endpoint service collection filtering third-party services that caused AccessDenied errors on `DescribeVpcEndpointServicePermissions` [(#10152)](https://github.com/prowler-cloud/prowler/pull/10152)
 - Handle serialization errors in OCSF output for non-serializable resource metadata [(#10129)](https://github.com/prowler-cloud/prowler/pull/10129)
 - Respect `AWS_ENDPOINT_URL` environment variable for STS session creation [(#10228)](https://github.com/prowler-cloud/prowler/pull/10228)
+- Help text and typos in CLI flags [(#10040)](https://github.com/prowler-cloud/prowler/pull/10040)
+

 ### 🔐 Security

--- a/prowler/providers/aws/lib/arguments/arguments.py
+++ b/prowler/providers/aws/lib/arguments/arguments.py
@@ -80,7 +80,7 @@ def init_parser(self):
        "--security-hub",
        "-S",
        action="store_true",
-        help="Send check output to AWS Security Hub and save json-asff outuput.",
+        help="Send check output to AWS Security Hub and save json-asff output.",
    )
    aws_security_hub_subparser.add_argument(
        "--skip-sh-update",
--- a/prowler/providers/iac/lib/arguments/arguments.py
+++ b/prowler/providers/iac/lib/arguments/arguments.py
@@ -37,14 +37,14 @@ def init_parser(self):
        nargs="+",
        default=["misconfig", "secret"],
        choices=SCANNERS_CHOICES,
-        help="Comma-separated list of scanners to scan. Default: misconfig, secret",
+        help="Space-separated list of scanners to scan. Default: misconfig secret",
    )
    iac_scan_subparser.add_argument(
        "--exclude-path",
        dest="exclude_path",
        nargs="+",
        default=[],
-        help="Comma-separated list of paths to exclude from the scan. Default: none",
+        help="Space-separated list of paths to exclude from the scan. Default: none",
    )

    iac_scan_subparser.add_argument(
--- a/prowler/providers/m365/lib/arguments/arguments.py
+++ b/prowler/providers/m365/lib/arguments/arguments.py
@@ -62,7 +62,7 @@ def init_parser(self):
        default="M365Global",
        choices=[
            "M365Global",
-            "M365GlobalChina",
+            "M365China",
            "M365USGovernment",
        ],
        help="Microsoft 365 region to be used, default is M365Global",
--- a/tests/providers/m365/lib/arguments/m365_arguments_test.py
+++ b/tests/providers/m365/lib/arguments/m365_arguments_test.py
@@ -288,7 +288,7 @@ class TestM365Arguments:
        assert kwargs["default"] == "M365Global"
        assert kwargs["choices"] == [
            "M365Global",
-            "M365GlobalChina",
+            "M365China",
            "M365USGovernment",
        ]
        assert "Microsoft 365 region" in kwargs["help"]
@@ -423,11 +423,9 @@ class TestM365ArgumentsIntegration:
        args = parser.parse_args(["m365", "--az-cli-auth"])
        assert args.region == "M365Global"

-        # Test M365GlobalChina
-        args = parser.parse_args(
-            ["m365", "--az-cli-auth", "--region", "M365GlobalChina"]
-        )
-        assert args.region == "M365GlobalChina"
+        # Test M365China
+        args = parser.parse_args(["m365", "--az-cli-auth", "--region", "M365China"])
+        assert args.region == "M365China"

        # Test M365USGovernment
        args = parser.parse_args(