Prowler for Claude Code
End-to-end cloud security and compliance from inside Claude Code, powered by the Prowler MCP server. The plugin lets Claude walk a Prowler Cloud-connected account through a compliance assessment and remediate findings until the chosen security or industry framework is compliant.
Preview: this plugin is under active development. Report issues at https://github.com/prowler-cloud/prowler/issues or join the Slack community.
Requirements
- Claude Code installed and signed in.
- A Prowler Cloud account (the free tier is enough to start).
- A Prowler API key — create one at https://cloud.prowler.com/profile.
Installation
Inside a Claude Code session:
/plugin marketplace add prowler-cloud/prowler
/plugin install prowler@prowler-plugins
Or, if you already have the repo checked out locally:
/plugin marketplace add /absolute/path/to/prowler
/plugin install prowler@prowler-plugins
Configuration
On first install, Claude Code prompts for your Prowler API key. It is stored securely (macOS keychain or ~/.claude/.credentials.json) and used to authenticate against Prowler Cloud.
To rotate the key, uninstall and reinstall the plugin — Claude Code will prompt again.
Verify the install
In a Claude Code session:
/mcp → "prowler" appears as a connected server
/plugin → "prowler" enabled, skill listed as prowler:framework-compliance-triage
If /mcp reports the prowler server as failed, the most common cause is a rejected API key — re-issue one in Prowler Cloud and reinstall the plugin so it re-prompts.
Usage
Open a conversation that mentions the framework you want to comply with. Examples:
- "Make my AWS production account compliant with CIS 4.0."
- "Make my current Terraform project compliant with the Prowler ThreatScore Compliance Framework based on the latest scan results."
- "Help me get to 100% on PCI-DSS for this GCP project."
You pick a primary tool (Terraform, gh / az / aws CLI, web console, or mixed) and a mode:
- Claude-assisted (default). Claude shows each fix — target resource, exact commands, side effects, reversibility — and waits for your go-ahead before applying.
- Claude autonomous. Claude presents a single up-front plan grouped by shared fixes, waits for one confirmation, then proceeds. It pauses mid-loop if a fix has a wide blast radius or a finding is not applicable.
Claude tracks progress in a markdown report under .prowler/ at your project root — one file per framework × account. Open it any time to see exactly where the flow is. When all findings are addressed, Claude proposes a fresh Prowler scan to verify everything end-to-end.
Uninstalling
/plugin uninstall prowler@prowler-plugins
/plugin marketplace remove prowler-plugins
The stored API key is removed automatically.
Troubleshooting
| Symptom | Likely cause | Fix |
|---|---|---|
| /mcp shows prowler as failed | Rejected API key | Generate a new one in Prowler Cloud and reinstall the plugin to re-prompt. |
| Skill not invoked when expected | The skill description didn't match the prompt | Mention the framework name plus "compliance" or "compliant" in your prompt. |
| "Framework not supported" | Prowler Hub does not list the framework for that provider | Open an issue or PR at https://github.com/prowler-cloud/prowler. |
License
Apache 2.0 — see LICENSE.