@pablodelarco pablodelarco commented Dec 19, 2025

Appliance

New appliance submission for Prowler cloud security scanner appliance.

Appliance Name

:app: prowlercloud

Type of Contribution

  • New Appliance
  • Update to an Existing Appliance

Description of Changes

This PR adds a new Prowler cloud security scanner appliance running on Ubuntu 24.04 to the OpenNebula Community Marketplace.

Prowler is the world's most widely used open-source cloud security platform that automates security and compliance across any cloud environment. This appliance provides:

  • Complete Prowler CLI deployment with Docker
  • 500+ security checks across AWS, Azure, GCP, and Kubernetes
  • Compliance frameworks: CIS, NIST, PCI-DSS, GDPR, HIPAA, SOC2
  • Multi-cloud security assessments
  • Security reports and dashboards
  • VNC access for direct console interaction
  • SSH key authentication from OpenNebula context variables

Technical Implementation:

  • Ubuntu 24.04 base system with Docker Engine pre-installed
  • Prowler container (prowlercloud/prowler:latest-amd64) pre-pulled and ready to run
  • Automatic container startup via OpenNebula contextualization
  • 16GB disk size to accommodate the large Docker image (~5GB)
  • Ports 3000 and 8080 exposed for web interfaces

Access Methods:

  • SSH: ssh root@<VM_IP>
  • Prowler CLI: docker exec prowler poetry run prowler <provider>
  • VNC: Direct access via OpenNebula Sunstone

Contributor Checklist

  • The submission follows the Contribution Guidelines
  • My submission is based on the latest version of the master branch
  • For a new appliance, this Pull Request follows the agreed naming convention (lowercase with hyphen: prowlercloud)
  • Complete Packer build structure included
  • All necessary context scripts and configuration files included

Publisher Information

  • Publisher: Pablo del Arco
  • Email: [email protected]
  • Version: 1.0.0-1
  • Docker Image: prowlercloud/prowler:latest-amd64
  • Base OS: Ubuntu 24.04

Testing & Validation

  • ✅ Tested with OpenNebula 7.0 and KVM hypervisor
  • ✅ Image builds successfully with Packer
  • ✅ Docker image pre-pulled during build
  • ✅ VNC and SSH access verified
  • ✅ Prowler container starts automatically on boot
  • ✅ Prowler 5.17.0 verified working
  • ✅ CLI commands functional (poetry run prowler --version)

Files Added

Appliance Files:

  • appliances/prowlercloud/appliance.sh - Main appliance script with Docker container management
  • appliances/prowlercloud/metadata.yaml - Appliance metadata
  • appliances/prowlercloud/README.md - Documentation
  • appliances/prowlercloud/CHANGELOG.md - Version history
  • appliances/prowlercloud/context.yaml - Context configuration
  • appliances/prowlercloud/tests.yaml - Test configuration
  • appliances/prowlercloud/tests/00-prowlercloud_basic.rb - Basic functionality tests
  • appliances/prowlercloud/71e1342f-45ce-40f1-849d-0bb600f3521a.yaml - Appliance configuration

Packer Build Files:

  • apps-code/community-apps/packer/prowlercloud/prowlercloud.pkr.hcl - Main Packer configuration
  • apps-code/community-apps/packer/prowlercloud/variables.pkr.hcl - Build variables
  • apps-code/community-apps/packer/prowlercloud/common.pkr.hcl - Common configuration (symlink)
  • apps-code/community-apps/packer/prowlercloud/gen_context - Context generation script
  • apps-code/community-apps/packer/prowlercloud/81-configure-ssh.sh - SSH configuration
  • apps-code/community-apps/packer/prowlercloud/82-configure-context.sh - Context configuration
  • apps-code/community-apps/packer/prowlercloud/postprocess.sh - Post-processing script

Other Files:

  • logos/prowlercloud.png - Official Prowler logo
  • docs/automatic-appliance-tutorial/prowlercloud.env - Wizard environment file

Usage

After deploying the appliance, SSH into the VM and configure cloud credentials to run security scans:

# For AWS scanning
docker exec prowler poetry run prowler aws

# For Azure scanning
docker exec prowler poetry run prowler azure

# For GCP scanning
docker exec prowler poetry run prowler gcp

# For Kubernetes scanning
docker exec prowler poetry run prowler kubernetes

- Add Prowler appliance based on prowlercloud/prowler:latest-amd64
- Uses Ubuntu 24.04 as base OS with Docker
- Includes Packer configuration with 16GB disk size
- Add Prowler logo for marketplace display
- Cloud security platform for AWS, Azure, GCP, Kubernetes compliance scanning
@pablodelarco pablodelarco changed the title from "feat(appliance): Add Prowler cloud security scanner appliance" to "Add Prowler cloud security scanner appliance" on Dec 19, 2025
OpenNebula Community Contributor added 2 commits December 19, 2025 11:05
Prowler's default entrypoint runs 'prowler aws' which fails without
credentials, causing a restart loop. Override it to keep the container
running with sleep infinity, allowing users to exec into it and run
scans manually.
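An added compose fragment (not code from this PR or from the Prowler project) illustrating the override this commit describes: the image's default entrypoint is replaced by `sleep infinity` so the container stays up without cloud credentials and scans are started with `docker exec`. The credential and output paths and the prowler user's home directory are assumptions.

```yaml
services:
  prowler:
    image: prowlercloud/prowler:latest-amd64
    container_name: prowler
    # The image's default entrypoint runs "prowler aws" and exits without
    # credentials; combined with a restart policy that becomes a restart loop.
    # Keeping the container idle lets users "docker exec" into it on demand.
    entrypoint: ["sleep", "infinity"]
    restart: unless-stopped
    # Assumed paths: credentials mounted read-only into the prowler user's
    # home so the CLI finds them, scan output persisted on the host.
    volumes:
      - /root/.aws:/home/prowler/.aws:ro
      - /opt/prowler/output:/home/prowler/output
    # The scanner only makes outbound API calls; it needs no capabilities.
    cap_drop:
      - ALL
    security_opt:
      - no-new-privileges:true
```

For a marketplace image, pinning the image by digest instead of `latest-amd64` makes the pre-pulled container reproducible across builds.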
Add complete Prowler cloud security platform appliance with:
- 8-container Docker Compose deployment
- Web UI (Next.js) on port 3000
- REST API (Django) on port 8080
- PostgreSQL 16, Valkey, Neo4j databases
- Celery workers for background scanning
- MCP server for AI integrations
- Auto-generated secure passwords
- VNC and SSH access with autologin
- Helper commands: prowler-status, prowler-logs, prowler-restart

Supports multi-cloud security assessments:
- AWS, Azure, GCP, Kubernetes
- 500+ security checks
- CIS, NIST, PCI-DSS, HIPAA, GDPR compliance

Based on Ubuntu 24.04 LTS with Docker Engine.
Includes gawk fallback for SSH configuration on minimal images.
@pablodelarco pablodelarco force-pushed the feature/add-appliance-prowler branch from 0240638 to cdfaa13 on January 18, 2026 21:38
@roamingengineer311 roamingengineer311 removed the request for review from ArnauGabrielAtienza January 21, 2026 17:09
@roamingengineer311 roamingengineer311 self-assigned this Jan 22, 2026
@roamingengineer311
Collaborator

@pablodelarco
Please update Makefile.config and add prowlercloud to the list of services

@roamingengineer311
Collaborator

There are actually two appliances

├── prowler
│   ├── appliance.sh
│   ├── CHANGELOG.md
│   ├── context.yaml
│   ├── e77532ae-f945-4113-8800-df01bbebd727.yaml
│   ├── metadata.yaml
│   ├── README.md
│   ├── tests
│   │   └── 00-prowler_basic.rb
│   └── tests.yaml
├── prowlercloud
│   ├── 71e1342f-45ce-40f1-849d-0bb600f3521a.yaml
│   ├── appliance.sh
│   ├── CHANGELOG.md
│   ├── context.yaml
│   ├── metadata.yaml
│   ├── README.md
│   ├── tests
│   │   └── 00-prowlercloud_basic.rb
│   └── tests.yaml

which one should be included in this PR?

@roamingengineer311
Collaborator

I've built the prowler appliance but somehow it doesn't boot

RSpec tests are also failing

./app_readiness.rb prowler prowler.qcow2
Appliance Certification
"Waited 180.136425887"
  docker is installed (FAILED - 1)
  docker service is running (FAILED - 2)
  docker compose is installed (FAILED - 3)
  prowler data directory exists (FAILED - 4)
  docker-compose.yml is configured (FAILED - 5)
  environment file is configured (FAILED - 6)
  prowler containers are running (FAILED - 7)
  neo4j is healthy (FAILED - 8)
  mcp server is healthy (FAILED - 9)
  prowler API is responding (FAILED - 10)
  prowler UI is responding (FAILED - 11)
  check oneapps motd (FAILED - 12)
  helper commands exist (FAILED - 13)
  
An error occurred in an `after(:context)` hook.
Failure/Error: @info[:vm].terminate_hard

NoMethodError:
  undefined method `terminate_hard' for nil:NilClass
# ./app_handler.rb:46:in `block (2 levels) in <top (required)>'

Failures:

  1) Appliance Certification docker is installed
     Failure/Error: DEFAULT_FAILURE_NOTIFIER = lambda { |failure, _opts| raise failure }
       reached timeout, last state was false CLITester::VM(253) while expected true
     # ./clitester/CLITester.rb:328:in `wait_loop'
     # ./clitester/VM.rb:129:in `reachable?'
     # ./clitester/VM.rb:57:in `deploy'
     # ./clitester/VM.rb:35:in `instantiate'
     # ./app_handler.rb:40:in `block (2 levels) in <top (required)>'

  2) Appliance Certification docker service is running
     Failure/Error: DEFAULT_FAILURE_NOTIFIER = lambda { |failure, _opts| raise failure }
       reached timeout, last state was false CLITester::VM(253) while expected true
     # ./clitester/CLITester.rb:328:in `wait_loop'
     # ./clitester/VM.rb:129:in `reachable?'
     # ./clitester/VM.rb:57:in `deploy'
     # ./clitester/VM.rb:35:in `instantiate'
     # ./app_handler.rb:40:in `block (2 levels) in <top (required)>'

  3) Appliance Certification docker compose is installed
     Failure/Error: DEFAULT_FAILURE_NOTIFIER = lambda { |failure, _opts| raise failure }
       reached timeout, last state was false CLITester::VM(253) while expected true
     # ./clitester/CLITester.rb:328:in `wait_loop'
     # ./clitester/VM.rb:129:in `reachable?'
     # ./clitester/VM.rb:57:in `deploy'
     # ./clitester/VM.rb:35:in `instantiate'
     # ./app_handler.rb:40:in `block (2 levels) in <top (required)>'

  4) Appliance Certification prowler data directory exists
     Failure/Error: DEFAULT_FAILURE_NOTIFIER = lambda { |failure, _opts| raise failure }
       reached timeout, last state was false CLITester::VM(253) while expected true
     # ./clitester/CLITester.rb:328:in `wait_loop'
     # ./clitester/VM.rb:129:in `reachable?'
     # ./clitester/VM.rb:57:in `deploy'
     # ./clitester/VM.rb:35:in `instantiate'
     # ./app_handler.rb:40:in `block (2 levels) in <top (required)>'

  5) Appliance Certification docker-compose.yml is configured
     Failure/Error: DEFAULT_FAILURE_NOTIFIER = lambda { |failure, _opts| raise failure }
       reached timeout, last state was false CLITester::VM(253) while expected true
     # ./clitester/CLITester.rb:328:in `wait_loop'
     # ./clitester/VM.rb:129:in `reachable?'
     # ./clitester/VM.rb:57:in `deploy'
     # ./clitester/VM.rb:35:in `instantiate'
     # ./app_handler.rb:40:in `block (2 levels) in <top (required)>'

  6) Appliance Certification environment file is configured
     Failure/Error: DEFAULT_FAILURE_NOTIFIER = lambda { |failure, _opts| raise failure }
       reached timeout, last state was false CLITester::VM(253) while expected true
     # ./clitester/CLITester.rb:328:in `wait_loop'
     # ./clitester/VM.rb:129:in `reachable?'
     # ./clitester/VM.rb:57:in `deploy'
     # ./clitester/VM.rb:35:in `instantiate'
     # ./app_handler.rb:40:in `block (2 levels) in <top (required)>'

  7) Appliance Certification prowler containers are running
     Failure/Error: DEFAULT_FAILURE_NOTIFIER = lambda { |failure, _opts| raise failure }
       reached timeout, last state was false CLITester::VM(253) while expected true
     # ./clitester/CLITester.rb:328:in `wait_loop'
     # ./clitester/VM.rb:129:in `reachable?'
     # ./clitester/VM.rb:57:in `deploy'
     # ./clitester/VM.rb:35:in `instantiate'
     # ./app_handler.rb:40:in `block (2 levels) in <top (required)>'

  8) Appliance Certification neo4j is healthy
     Failure/Error: DEFAULT_FAILURE_NOTIFIER = lambda { |failure, _opts| raise failure }
       reached timeout, last state was false CLITester::VM(253) while expected true
     # ./clitester/CLITester.rb:328:in `wait_loop'
     # ./clitester/VM.rb:129:in `reachable?'
     # ./clitester/VM.rb:57:in `deploy'
     # ./clitester/VM.rb:35:in `instantiate'
     # ./app_handler.rb:40:in `block (2 levels) in <top (required)>'

  9) Appliance Certification mcp server is healthy
     Failure/Error: DEFAULT_FAILURE_NOTIFIER = lambda { |failure, _opts| raise failure }
       reached timeout, last state was false CLITester::VM(253) while expected true
     # ./clitester/CLITester.rb:328:in `wait_loop'
     # ./clitester/VM.rb:129:in `reachable?'
     # ./clitester/VM.rb:57:in `deploy'
     # ./clitester/VM.rb:35:in `instantiate'
     # ./app_handler.rb:40:in `block (2 levels) in <top (required)>'

  10) Appliance Certification prowler API is responding
      Failure/Error: DEFAULT_FAILURE_NOTIFIER = lambda { |failure, _opts| raise failure }
        reached timeout, last state was false CLITester::VM(253) while expected true
      # ./clitester/CLITester.rb:328:in `wait_loop'
      # ./clitester/VM.rb:129:in `reachable?'
      # ./clitester/VM.rb:57:in `deploy'
      # ./clitester/VM.rb:35:in `instantiate'
      # ./app_handler.rb:40:in `block (2 levels) in <top (required)>'

  11) Appliance Certification prowler UI is responding
      Failure/Error: DEFAULT_FAILURE_NOTIFIER = lambda { |failure, _opts| raise failure }
        reached timeout, last state was false CLITester::VM(253) while expected true
      # ./clitester/CLITester.rb:328:in `wait_loop'
      # ./clitester/VM.rb:129:in `reachable?'
      # ./clitester/VM.rb:57:in `deploy'
      # ./clitester/VM.rb:35:in `instantiate'
      # ./app_handler.rb:40:in `block (2 levels) in <top (required)>'

  12) Appliance Certification check oneapps motd
      Failure/Error: DEFAULT_FAILURE_NOTIFIER = lambda { |failure, _opts| raise failure }
        reached timeout, last state was false CLITester::VM(253) while expected true
      # ./clitester/CLITester.rb:328:in `wait_loop'
      # ./clitester/VM.rb:129:in `reachable?'
      # ./clitester/VM.rb:57:in `deploy'
      # ./clitester/VM.rb:35:in `instantiate'
      # ./app_handler.rb:40:in `block (2 levels) in <top (required)>'

  13) Appliance Certification helper commands exist
      Failure/Error: DEFAULT_FAILURE_NOTIFIER = lambda { |failure, _opts| raise failure }
        reached timeout, last state was false CLITester::VM(253) while expected true
      # ./clitester/CLITester.rb:328:in `wait_loop'
      # ./clitester/VM.rb:129:in `reachable?'
      # ./clitester/VM.rb:57:in `deploy'
      # ./clitester/VM.rb:35:in `instantiate'
      # ./app_handler.rb:40:in `block (2 levels) in <top (required)>'

Finished in 3 minutes 18.3 seconds (files took 1.18 seconds to load)
13 examples, 13 failures, 1 error occurred outside of examples
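An added triage helper (not part of this PR or of the one-apps test harness) that reads an app_readiness.rb report like the one above and decides whether the failures are genuine appliance-check failures or all stem from the VM never becoming reachable, which is what every backtrace above shows at VM.rb `reachable?`. The sample report is constructed and abbreviated from the output posted.

```shell
#!/bin/sh
# Triage an RSpec report from app_readiness.rb: separate "the VM never came
# up" (every failure passes through VM.rb reachable?) from real check failures.

# Constructed sample, abbreviated from the report above.
SAMPLE_LOG=$(cat <<'EOF'
  1) Appliance Certification docker is installed
     Failure/Error: DEFAULT_FAILURE_NOTIFIER = lambda { |failure, _opts| raise failure }
       reached timeout, last state was false CLITester::VM(253) while expected true
     # ./clitester/VM.rb:129:in `reachable?'
     # ./clitester/VM.rb:57:in `deploy'

  2) Appliance Certification docker service is running
     Failure/Error: DEFAULT_FAILURE_NOTIFIER = lambda { |failure, _opts| raise failure }
       reached timeout, last state was false CLITester::VM(253) while expected true
     # ./clitester/VM.rb:129:in `reachable?'
EOF
)

# Count numbered failure entries ("  1) Appliance Certification ...").
count_failures() {
    printf '%s\n' "$1" | awk '/^ *[0-9]+[)] Appliance Certification/ { n++ } END { print n + 0 }'
}

# Count failure entries whose backtrace contains a reachable? frame.
count_unreachable() {
    printf '%s\n' "$1" | awk '
        /^ *[0-9]+[)] Appliance Certification/ { infail = 1; hit = 0 }
        infail && !hit && /in `reachable[?]/ { n++; hit = 1 }
        END { print n + 0 }'
}

# Verdict: "boot" = every failure is an unreachable VM (look at the image build
# and boot, not the appliance scripts); "checks" = at least one check ran and
# failed on its own; "pass" = nothing failed.
triage() {
    total=$(count_failures "$1")
    unreach=$(count_unreachable "$1")
    if [ "$total" -eq 0 ]; then echo pass
    elif [ "$unreach" -eq "$total" ]; then echo boot
    else echo checks
    fi
}

# Names of the failed checks, one per line.
failed_checks() {
    printf '%s\n' "$1" | sed -n 's/^ *[0-9]*) Appliance Certification \(.*\)$/\1/p'
}

triage "$SAMPLE_LOG"
```

Run it as `sh triage.sh` to see the verdict for the embedded sample; in practice pipe the real report into a variable and call `triage` and `failed_checks` on it.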

@pablodelarco pablodelarco force-pushed the feature/add-appliance-prowler branch 2 times, most recently from 3f75ad6 to cdfaa13 on January 28, 2026 12:18
- Remove lightweight prowlercloud CLI appliance
- Keep full prowler platform with UI, API, database, workers
- Add prowler and nextcloud-aio to SERVICES list in Makefile.config
@pablodelarco pablodelarco force-pushed the feature/add-appliance-prowler branch from 76a6178 to 0fff94d on January 28, 2026 12:20
@pablodelarco
Contributor Author

Hi @roamingengineer311,

Fixed the first two items:

  • Added prowler to SERVICES (and synced nextcloud-aio)
  • Removed prowlercloud, keeping only the full platform

About the boot failure: the tests show the VM never becomes reachable via SSH, so it seems like a build/image issue rather than the appliance scripts. A few questions:

  • Was the base image ubuntu2404min.qcow2 available when you ran packer?
  • Were the one-apps scripts present at ../one-apps/appliances/?
  • Any chance you could share the packer build logs?

Happy to help debug once I know more about the build environment.

@roamingengineer311
Collaborator

prowler.log
@pablodelarco logs attached
