Prowler for Claude Code

End-to-end cloud security and compliance from inside Claude Code, powered by the Prowler MCP server. The plugin lets Claude walk a Prowler Cloud-connected account through a compliance assessment and remediate findings until the chosen security or industry framework is compliant.

Preview: this plugin is under active development. Report issues at https://github.com/prowler-cloud/prowler/issues or join the Slack community.

Requirements

Installation

Inside a Claude Code session:

/plugin marketplace add prowler-cloud/prowler
/plugin install prowler@prowler-plugins

Or, if you already have the repo checked out locally:

/plugin marketplace add /absolute/path/to/prowler
/plugin install prowler@prowler-plugins

Configuration

On first install, Claude Code prompts for your Prowler API key. It is stored securely (macOS keychain or ~/.claude/.credentials.json) and used to authenticate against Prowler Cloud.

To rotate the key, uninstall and reinstall the plugin — Claude Code will prompt again.
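
A local check for the file-based storage location named above, as an added example that is not part of the Prowler plugin or Claude Code. The function name `check_cred_file`, the `CRED_FILE` override, the return codes and the owner-only expectation are assumptions of this example; the page does not state which file mode Claude Code sets.

```shell
#!/bin/sh
# Added example: audit the file-based fallback for the stored Prowler API key.
# The path comes from the README; the owner-only expectation is an assumption.

# check_cred_file PATH
# Prints a verdict and returns:
#   0  regular file with no group/other permission bits
#   1  file is missing (for example, the key lives in the macOS keychain)
#   2  path is a symlink (the target may sit in a less protected location)
#   3  group or other has some access to the file
#   4  the containing directory is writable by group or other
check_cred_file() {
    f=$1
    if [ -L "$f" ]; then
        echo "WARN: $f is a symlink"; return 2
    fi
    if [ ! -f "$f" ]; then
        echo "INFO: $f not found"; return 1
    fi
    # In the ls -ld mode string, characters 5-10 are the group and other triplets.
    fmode=$(ls -ld "$f" | cut -c5-10)
    if [ "$fmode" != "------" ]; then
        echo "FAIL: $f grants group/other access ($fmode)"; return 3
    fi
    # A writable parent directory lets another user replace the file.
    d=$(dirname "$f")
    dmode=$(ls -ld "$d" | cut -c1-10)
    gw=$(printf '%s' "$dmode" | cut -c6)   # group write bit
    ow=$(printf '%s' "$dmode" | cut -c9)   # other write bit
    if [ "$gw" = "w" ] || [ "$ow" = "w" ]; then
        echo "FAIL: $d is writable by group/other"; return 4
    fi
    echo "OK: $f is owner-only"; return 0
}

# Check the path named in the README unless CRED_FILE overrides it.
check_cred_file "${CRED_FILE:-$HOME/.claude/.credentials.json}" || true
```

A non-zero result on a shared workstation or CI runner is a reason to tighten the file mode and rotate the key as described above.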

Verify the install

In a Claude Code session:

/mcp          → "prowler" appears as a connected server
/plugin       → "prowler" enabled, skill listed as prowler:framework-compliance-triage

If /mcp reports the prowler server as failed, the most common cause is a rejected API key — re-issue one in Prowler Cloud and reinstall the plugin so it re-prompts.

Usage

Open a conversation that mentions the framework you want to comply with. Examples:

  • "Make my AWS production account compliant with CIS 4.0."
  • "Make my current Terraform project compliant with the Prowler ThreatScore Compliance Framework based on the latest scan results."
  • "Help me get to 100% on PCI-DSS for this GCP project."

You pick a primary tool (Terraform, gh / az / aws CLI, web console, or mixed) and a mode:

  • Claude-assisted (default). Claude shows each fix — target resource, exact commands, side effects, reversibility — and waits for your go-ahead before applying.
  • Claude autonomous. Claude presents a single up-front plan grouped by shared fixes, waits for one confirmation, then proceeds. It pauses mid-loop if a fix has wide blast radius or a finding is not applicable.

Claude tracks progress in a markdown report under .prowler/ at your project root — one file per framework × account. Open it any time to see exactly where the flow is. When all findings are addressed, Claude proposes a fresh Prowler scan to verify everything end-to-end.

Uninstalling

/plugin uninstall prowler@prowler-plugins
/plugin marketplace remove prowler-plugins

The stored API key is removed automatically.

Troubleshooting

Symptom | Likely cause | Fix
/mcp shows prowler as failed | Rejected API key | Generate a new one in Prowler Cloud and reinstall the plugin to re-prompt.
Skill not invoked when expected | The skill description didn't match the prompt | Mention the framework name plus "compliance" or "compliant" in your prompt.
"Framework not supported" | Prowler Hub does not list the framework for that provider | Open an issue or PR at https://github.com/prowler-cloud/prowler.

License

Apache 2.0 — see LICENSE.