Step Module Reference

Reference documentation for Sophos Factory step modules, the basic building blocks of pipelines.

Anchore CLI

The command line interface for Anchore.

Ansible Playbook

Executes a Red Hat Ansible playbook.

ARM Template

Deploys an Azure Resource Manager template to Microsoft Azure.


Stops pipeline execution with Failed status if the assertion expression evaluates to false.


Executes AWS CLI commands to manage AWS resources.

AWS CloudFormation

Creates a stack from a CloudFormation template on Amazon Web Services (AWS).

Azure CLI

Executes Azure CLI commands.


Executes the Bridgecrew Checkov IaC static code analysis tool. Checkov can scan Terraform, CloudFormation, Kubernetes, and other IaC files for security vulnerabilities and misconfigurations.

CIS-CAT Assessor

Compares the configuration of a target system to CIS Benchmark recommendations and reports conformance on a scale of 0-100.

Conditional Gate

Skips execution of all child steps of this step, according to a condition.


Creates a credential dynamically within a pipeline run. This module is useful for importing credentials from external systems, such as key stores, vaults, and CMDBs.

Debug Message

Prints a message to the pipeline run events. Useful for debugging variable values during execution.

Docker Build & Push

Builds a container image and optionally pushes it to a registry using Docker. This module uses the Docker Buildx plugin to enable advanced build scenarios, and automatically authenticates with a Docker registry.

GCP Template

Deploys resources to Google Cloud Platform using Deployment Manager templates.

Git Clone

Clones a git repository onto the runner.

Go Executor

Executes a Go program.

Helm Chart

Deploys a Helm chart to an existing Kubernetes cluster.

Helm CLI

Executes Helm commands using a shell script.

HTTP Request

Sends an HTTP request.

Install Anchore CLI

Installs the Anchore CLI on the runner.

Install Ansible

Installs Red Hat Ansible on the runner.

Install AWS CLI

Installs the AWS CLI executable on the runner.

Install Azure CLI

Installs the Azure CLI executable on the runner.

Install Checkov

Installs the Bridgecrew Checkov CLI on the runner.

Install CIS-CAT

Installs the CIS-CAT Assessor.

Install gcloud CLI

Installs the Google gcloud executable on the runner.

Install Go

Installs the Golang runtime on the runner.

Install Helm

Installs the Helm CLI on the runner.

Install Java

Installs the Java executable on the runner.

Install kubectl

Installs the Kubernetes kubectl executable on the runner.

Install Node.js

Installs the Node.js executable on the runner.

Install PowerShell

Installs the PowerShell executable on the runner.

Install Python

Installs the Python executable on the runner.

Install SonarScanner

Installs the SonarScanner CLI on the runner.

Install Terraform

Installs the HashiCorp Terraform executable on the runner.

Install Terrascan

Installs Terrascan on the runner.

Install Trivy

Installs Trivy on the runner.

Install twistcli

Installs twistcli on the runner.

Install Vault CLI

Installs the HashiCorp Vault CLI executable on the runner.

Install ZAProxy

Installs the ZAProxy CLI on the runner.


Modifies resources on a Kubernetes cluster using the kubectl CLI.

Node.js Script

Executes a Node.js script.

OpenSCAP Scanner

OpenSCAP is a command line utility for working with the Security Content Automation Protocol (SCAP).


Pauses pipeline execution for a specified duration.

PowerShell Script

Executes a PowerShell script.

Python Script

Executes a Python script.

Resource Group

Creates or deletes a Resource Group on Microsoft Azure.

Set Variables

Adds a set of variables to the current vars context.

Shell Script

Executes a shell script.


SonarScanner performs vulnerability scanning and automated code review on source code, and uploads the results to a SonarQube server for analysis.


Operates on a Terraform project. Can validate, plan, and apply Terraform configurations.


Terrascan detects security vulnerabilities and compliance violations across your Infrastructure as Code.


Trivy is a simple and comprehensive vulnerability scanner for containers and other artifacts.


The command line interface for Prisma Cloud.


Vault secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets in modern computing. Vault handles leasing, key revocation, key rolling, and auditing, and provides secrets as a service through a unified API.

Write File

Writes content to a file on the runner.