Package: Invicti AppSec Enterprise (on-premise, on-demand)
Prowler CSPM Integration
Prowler is an open-source cloud security tool that performs security assessments, audits, and compliance checks across AWS, GCP, and Azure environments. In Invicti AppSec, the Prowler integration connects to your cloud accounts to import security findings into your projects.
Prerequisites
Prowler supports multi-cloud configurations. Enable the cloud providers you want to scan and provide the corresponding credentials:
AWS
| Field | Description |
|---|---|
| Access Key | AWS IAM Access Key ID |
| Secret Key | AWS IAM Secret Access Key |
| Region | AWS region to scan (e.g., us-east-1) |
GCP
| Field | Description |
|---|---|
| Credentials File | GCP service account credentials file (.json or .pem) |
Azure
| Field | Description |
|---|---|
| Client ID | Azure Active Directory Application (Client) ID |
| Client Secret | Azure Active Directory Client Secret |
| Tenant ID | Azure Active Directory Tenant ID |
Get Credentials (on Cloud Provider Side)
AWS:
- In the AWS console, go to IAM > Users.
- Create a dedicated IAM user for Invicti AppSec.
- Attach a policy with read permissions for the services Prowler checks (e.g., SecurityAudit, ReadOnlyAccess).
- Under Security credentials, create an Access Key. Copy the Access Key ID and Secret Access Key.
GCP:
- In the Google Cloud console, go to IAM & Admin > Service Accounts.
- Create a service account with the Security Reviewer role.
- Click Keys > Add Key > Create new key (JSON format).
- Download the credentials file.
Azure:
- In the Azure portal, go to Azure Active Directory > App registrations.
- Register a new application.
- Assign the Reader role at the subscription or management group level.
- Under Certificates & secrets, create a new client secret. Note the Client ID, Client Secret, and Tenant ID.
Step 1: Navigate to Integrations
From the left sidebar menu, click on Integrations.
Step 2: Select the CSPM Tab
On the Integrations > Scanners page, click on the CSPM tab.

Step 3: Find and Activate Prowler
Scroll through the list of CSPM scanners to find Prowler.
- If Prowler is not activated, click the Activate button to enable the integration.
Step 4: Configure Connection Settings
Click the gear icon on the Prowler card to open the settings panel.
Enable the toggle for each cloud provider you want to scan, then fill in the corresponding fields:
GCP (toggle to enable):
| Field | Description | Required |
|---|---|---|
| File | GCP service account credentials file (.json or .pem) | Yes (if GCP enabled) |
AWS (toggle to enable):
| Field | Description | Required |
|---|---|---|
| Access Key | AWS IAM Access Key ID | Yes (if AWS enabled) |
| Secret Key | AWS IAM Secret Access Key | Yes (if AWS enabled) |
| Region | AWS region to scan | Yes (if AWS enabled) |
Azure (toggle to enable):
| Field | Description | Required |
|---|---|---|
| Client ID | Azure AD Application Client ID | Yes (if Azure enabled) |
| Client Secret | Azure AD Client Secret | Yes (if Azure enabled) |
| Tenant ID | Azure AD Tenant ID | Yes (if Azure enabled) |

Step 5: Test the Connection
Click Test Connection. A green Connection successful message confirms that Invicti AppSec can authenticate with the configured cloud providers.
Summary
| Step | Action |
|---|---|
| 1 | Navigate to Integrations from the sidebar |
| 2 | Select the CSPM tab |
| 3 | Activate Prowler |
| 4 | Enable cloud providers and enter credentials |
| 5 | Test the connection |
Create a Scan
Navigate to Project Scanners
- Open a project in Invicti AppSec.
- Go to Settings > Scanners.
- Click Add Scanner.
Add Prowler Scanner
- Select CSPM as the scanner type.
- Choose Prowler from the scanner list.
- Click Add to open the scan configuration drawer.
Scan Configuration Fields
| Field | Description | Required |
|---|---|---|
| Environment | Associate the scan with a feature environment | No |
| Branch | The branch to associate cloud findings with | Yes |
| Meta Data | Additional metadata to tag the scan | No |
| Scan Tag | Free-text tag to identify or group scans | No |
| Cloud Filter | Filter imported findings by Region, Platform, Asset Name, Severity, or Subscription ID | No |
- Invicti AppSec automatically syncs Prowler vulnerabilities on a daily basis — no manual trigger is required after the initial scan is configured.
- Cloud Filter lets you narrow which findings are imported into this project. You can filter by Region, Cloud Platform (AWS, GCP, Azure), Asset Name, Severity, and Subscription ID. If no filter is set, all findings from the configured cloud providers are imported.
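The Cloud Filter semantics described above (unset dimensions match everything, set dimensions must all match) modelled in Python, as an added example that is not Invicti or Prowler code. The `Finding` record is a constructed, simplified shape; real Prowler output carries more fields. The `diagnose_filter` helper is an assumption-free add-on that explains the "no findings imported" troubleshooting case by showing which criterion excludes every finding on its own.

```python
"""Model of the Cloud Filter applied to Prowler findings (added example, not Invicti or Prowler code)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Finding:
    # Constructed, simplified finding shape; real Prowler records carry more fields.
    platform: str         # "aws", "gcp" or "azure"
    region: str           # e.g. "us-east-1"; "global" for non-regional resources
    asset_name: str       # resource identifier the check ran against
    severity: str         # "critical", "high", "medium", "low", "informational"
    subscription_id: str  # AWS account id, GCP project id or Azure subscription id
    check_id: str         # Prowler check identifier (constructed values below)


@dataclass
class CloudFilter:
    # An empty set means "no restriction on this dimension".
    regions: set = field(default_factory=set)
    platforms: set = field(default_factory=set)
    asset_names: set = field(default_factory=set)
    severities: set = field(default_factory=set)
    subscription_ids: set = field(default_factory=set)

    def matches(self, f: Finding) -> bool:
        # Every dimension that is set must match (logical AND); unset ones always pass.
        return all([
            not self.regions or f.region in self.regions,
            not self.platforms or f.platform.lower() in self.platforms,
            not self.asset_names or f.asset_name in self.asset_names,
            not self.severities or f.severity.lower() in self.severities,
            not self.subscription_ids or f.subscription_id in self.subscription_ids,
        ])


def apply_cloud_filter(findings, cloud_filter: CloudFilter) -> list:
    """Return only the findings that would be imported into the project."""
    return [f for f in findings if cloud_filter.matches(f)]


def diagnose_filter(findings, cf: CloudFilter) -> dict:
    """For each criterion that is set, count findings matching it on its own.

    A zero count pinpoints a criterion that by itself excludes every finding,
    which is the usual cause of an empty import with an overly restrictive filter.
    """
    per_dimension = {
        "regions": lambda f: f.region in cf.regions,
        "platforms": lambda f: f.platform.lower() in cf.platforms,
        "asset_names": lambda f: f.asset_name in cf.asset_names,
        "severities": lambda f: f.severity.lower() in cf.severities,
        "subscription_ids": lambda f: f.subscription_id in cf.subscription_ids,
    }
    return {name: sum(1 for f in findings if test(f))
            for name, test in per_dimension.items() if getattr(cf, name)}


# Constructed sample findings (account, project and subscription ids are placeholders).
SAMPLE_FINDINGS = [
    Finding("aws", "us-east-1", "arn:aws:s3:::example-logs", "high",
            "123456789012", "s3_bucket_public_access"),
    Finding("aws", "eu-west-1", "arn:aws:iam::123456789012:user/ci-bot", "critical",
            "123456789012", "iam_user_no_mfa"),
    Finding("gcp", "global", "projects/example-prod/buckets/assets", "medium",
            "example-prod", "gcs_bucket_public_access"),
    Finding("azure", "westeurope", "/subscriptions/00000000-0000-0000-0000-000000000001/storage/acct1",
            "high", "00000000-0000-0000-0000-000000000001", "storage_https_only"),
]


if __name__ == "__main__":
    aws_high = CloudFilter(platforms={"aws"}, severities={"high", "critical"})
    print(len(apply_cloud_filter(SAMPLE_FINDINGS, aws_high)), "AWS high/critical findings")
    too_narrow = CloudFilter(regions={"ap-south-1"}, platforms={"aws"})
    print("matched:", len(apply_cloud_filter(SAMPLE_FINDINGS, too_narrow)))
    print("per-criterion matches:", diagnose_filter(SAMPLE_FINDINGS, too_narrow))
```

When an import comes back empty, run the configured filter through `diagnose_filter` against a recent Prowler export: the dimension reporting zero individual matches is the one to loosen first.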

Scheduler
Enable the Scheduler toggle to automatically re-run the Prowler scan on a recurring schedule.
Webhook (Optional)
Add a webhook URL to receive scan completion notifications.
KDT Command
```shell
kdt scan -p <project_name> -t prowler -b <branch_name>
```
Troubleshooting
Connection Fails
| Issue | Resolution |
|---|---|
| AWS credentials rejected | Verify the Access Key ID and Secret Access Key in the AWS IAM console. Ensure the IAM user has the required read permissions. |
| GCP credentials file invalid | Confirm the uploaded file is a valid GCP service account JSON key. Ensure the service account has the Security Reviewer role. |
| Azure authentication failed | Verify the Client ID, Client Secret, and Tenant ID in the Azure portal. Confirm the app registration has the Reader role assigned. |
| No cloud provider enabled | At least one cloud provider (GCP, AWS, or Azure) must be enabled and configured for the connection to succeed. |
Scan Issues
| Issue | Resolution |
|---|---|
| No findings imported | Verify that Prowler has access to your cloud resources. Check the Cloud Filter — overly restrictive filters may exclude all findings. |
| Scan not starting | Verify the scanner is activated and the connection test passes in the integration settings. |
Best Practices
- Use dedicated service accounts and IAM users for Invicti AppSec with read-only or security audit permissions — avoid using admin credentials.
- Enable only the cloud providers your project actually uses to reduce the scope of findings.
- Use Cloud Filters to associate each project with the specific regions, platforms, or subscription IDs it covers.
- Rotate credentials periodically and update the integration settings in Invicti AppSec accordingly.
- Use the Scheduler to keep findings aligned with your Prowler assessment cadence.
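An added example (not Invicti or Prowler code) that checks the dedicated AWS IAM user against two of the practices above and the AWS prerequisites: only read-only or security-audit managed policies are attached, and no active access key has outlived the rotation window. The two input dicts follow the shape of boto3's `iam.list_attached_user_policies` and `iam.list_access_keys` responses (an assumption, so that live responses can be substituted); the data below is constructed and no network call is made. The 90-day window and the allowlist of two AWS-managed policies are this example's choices, not values from the page.

```python
"""Audit the scanner IAM user before entering its keys in Invicti AppSec (added example)."""
from datetime import datetime, timedelta, timezone

# AWS-managed policies considered acceptable for a read-only scanner identity
# (the two the prerequisites name; extend deliberately if your checks need more).
ALLOWED_POLICY_ARNS = {
    "arn:aws:iam::aws:policy/SecurityAudit",
    "arn:aws:iam::aws:policy/ReadOnlyAccess",
}


def check_attached_policies(attached_response: dict) -> list:
    """Return ARNs of attached managed policies that are outside the allowlist.

    `attached_response` is assumed to have the shape of boto3
    iam.list_attached_user_policies(): {"AttachedPolicies": [{"PolicyName", "PolicyArn"}, ...]}.
    """
    return [p["PolicyArn"] for p in attached_response.get("AttachedPolicies", [])
            if p["PolicyArn"] not in ALLOWED_POLICY_ARNS]


def check_key_age(keys_response: dict, max_age_days: int, now: datetime) -> list:
    """Return (AccessKeyId, age_in_days) for every Active key older than max_age_days.

    `keys_response` is assumed to have the shape of boto3 iam.list_access_keys():
    {"AccessKeyMetadata": [{"AccessKeyId", "Status", "CreateDate"}, ...]} with
    CreateDate as a timezone-aware datetime. Inactive keys are skipped.
    """
    stale = []
    for key in keys_response.get("AccessKeyMetadata", []):
        if key["Status"] != "Active":
            continue
        age_days = (now - key["CreateDate"]).days
        if age_days > max_age_days:
            stale.append((key["AccessKeyId"], age_days))
    return stale


def audit_scanner_user(attached_response: dict, keys_response: dict,
                       max_age_days: int = 90, now: datetime = None) -> dict:
    """Combine both checks; "ok" is True only when nothing is flagged."""
    now = now or datetime.now(timezone.utc)
    disallowed = check_attached_policies(attached_response)
    stale = check_key_age(keys_response, max_age_days, now)
    return {"disallowed_policies": disallowed, "stale_keys": stale,
            "ok": not disallowed and not stale}


# Constructed sample data; key ids are placeholders, not real credentials.
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)
GOOD_USER_POLICIES = {"AttachedPolicies": [
    {"PolicyName": "SecurityAudit", "PolicyArn": "arn:aws:iam::aws:policy/SecurityAudit"},
]}
OVERPRIVILEGED_USER_POLICIES = {"AttachedPolicies": [
    {"PolicyName": "SecurityAudit", "PolicyArn": "arn:aws:iam::aws:policy/SecurityAudit"},
    {"PolicyName": "AdministratorAccess", "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"},
]}
SAMPLE_KEYS = {"AccessKeyMetadata": [
    {"AccessKeyId": "AKIAEXAMPLEKEY000001", "Status": "Active", "CreateDate": NOW - timedelta(days=30)},
    {"AccessKeyId": "AKIAEXAMPLEKEY000002", "Status": "Active", "CreateDate": NOW - timedelta(days=200)},
    {"AccessKeyId": "AKIAEXAMPLEKEY000003", "Status": "Inactive", "CreateDate": NOW - timedelta(days=400)},
]}


if __name__ == "__main__":
    print(audit_scanner_user(GOOD_USER_POLICIES, SAMPLE_KEYS, now=NOW))
    print(audit_scanner_user(OVERPRIVILEGED_USER_POLICIES, SAMPLE_KEYS, now=NOW))
```

To run it against a live account, replace the constructed dicts with the responses of `boto3.client("iam").list_attached_user_policies(UserName=...)` and `list_access_keys(UserName=...)`. Note that this checks attached managed policies only; inline policies (`list_user_policies`) and group memberships would need the same allowlist treatment before the user can be called least-privilege.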
Limitations
- Prowler CSPM in Invicti AppSec imports findings from Prowler security assessments — it does not trigger new Prowler scans on demand.
- Only cloud resources accessible via the provided credentials are assessed.
- Vulnerability sync occurs daily automatically; manual on-demand sync is not supported outside of scheduled scans.
- At least one cloud provider (GCP, AWS, or Azure) must be configured for the integration to function.
Need help?
The Invicti Support team is ready to provide you with technical help. Go to the Help Center.