All Spotter Commands
Using Spotter is simple. You just need to know a few simple commands to make your Ansible Playbooks spotless. And don’t worry, you can look them up anytime by running s --help in Spotter CLI. Dive in!
To scan
$ spotter scan playbook.yml | Perform a simple default scan. |
$ spotter scan path/to/playbook | Scan a playbook. |
$ spotter scan path/to/taskfile1.yaml | Scan a taskfile. |
$ spotter scan path/to/role | Scan a role. |
$ spotter scan path/to/collection | Scan an Ansible Collection. |
$ spotter scan path/to/folder | Scan any folder that contains Ansible content. |
$ spotter scan path/to/playbook1.yaml path/to/playbook2.yaml | Scan two playbooks. |
$ spotter scan path/to/role1 path/to/role2 | Scan two roles. |
$ spotter scan path/to/playbook1.yaml path/to/playbook2.yaml | Scan multiple playbooks at once. |
$ spotter scan path/to/taskfile.yaml path/to/playbook.yaml path/to/role path/to/collection | Scan multiple files at once. |
$ spotter scan path/to/playbook/folder/play_*.yaml | Scan multiple playbooks using glob. |
To set scanning profile
$ spotter scan --profile full playbook.yml | Set scanning profile to Full to get the full range of check results Spotter offers. |
$ spotter scan --profile security playbook.yml | Set scanning profile to Security to execute only security checks. |
To set target project
$ spotter scan --project-id <project-id> | Set the project you wish to see your scan results in. |
To skip or enforce checks
$ spotter config set org-config.json | Set basic rules and apply checks across the whole organization by uploading a config file that specifies which checks to always enforce and which to skip. |
$ spotter config clear | Clear the current configuration at organization level. |
$ spotter config get | See the current configuration settings for a specific organization. |
$ spotter scan --skip-checks E1300,E1301,H1302 playbook.yml | Skip specific checks at scan level. |
$ spotter scan --enforce-checks W1100,E1101 playbook.yml | Enforce specific checks at scan level. |
$ spotter scan --skip-checks H1900[fqcn=sensu.sensu_go.user],W003 playbook.yml | Skip or enforce checks for specific Fully Qualified Class Names (FQCNs) or individual check subcodes. |
To automatically fix issues
$ spotter scan --rewrite playbook.yml | Automatically fix the issues that Spotter has found. |
To include custom policies
$ spotter policies set policy.rego | Include a single custom policy (check). |
$ spotter policies set Policies | Include a directory of custom policies (checks). |
$ spotter policies set --project-id <project-id> policy.rego | Set policy for the whole organization. |
$ spotter policies clear | Clear policies. |
To upgrade playbooks
$ spotter scan --profile full --ansible-version 2.15 playbook.yml | Check if your playbook is compatible with a specific Ansible version. |
To customize scanning
$ spotter scan --display-level error playbook.yml | Show only ERRORS without hints and warnings in your scan result. |
$ spotter scan --display-level hint playbook.yml | Show only HINTS in your scan result. |
$ spotter scan --display-level warning playbook.yml | Show only WARNINGS in your scan result. |
$ spotter scan --format json playbook.yaml | Change the format of scan results. |
$ spotter scan --no-docs-url playbook.yml | Omit links to documentation in scan results. |
$ spotter --no-color scan playbook.yml | Disable colorized output. |
$ spotter --storage-path /my/project/.storage scan playbook.yml | Set storage folder. |
$ spotter --endpoint "<spotter-api-url>" scan playbook.yml | Specify the API endpoint. |
$ spotter scan --sarif report.sarif playbook.yml | This command facilitates integration with platforms supporting the SARIF format. |
To control data being shared
$ spotter scan --exclude-values playbook.yml | Exclude values (task names, parameter values, and filenames) from your scan. |
$ spotter scan --exclude-metadata playbook.yml | Exclude metadata (file names, line numbers, and column numbers) from your scan. |
$ spotter scan --export-payload payload.json playbook.yml | See which data is collected from your Ansible content without actually running a scan. |
$ spotter scan --import-payload payload.json | Import the list of data being shared with Spotter. |