In the first blog of this series on Chef Compliance and Chef Cloud Security, we looked at the Chef InSpec commands that help you explore, diagnose and manage large profiles.
We reviewed how commands like ‘InSpec Shell’, ‘InSpec Detect’ and ‘InSpec Export’ help you explore, diagnose and manage your compliance scans. We also covered the progress bar reporter and how to divide a profile in custom ways, helping you to manage large profiles easily.
Continuing the conversation in this blog, let's look at how InSpec commands are useful in two other aspects—integration with other systems and working efficiently with InSpec.
Integration with other systems is a major challenge when it comes to DevOps tools. Given the multitude of tools in the DevOps space, practitioners have repeatedly pointed out the importance of integration for creating a smooth pipeline.
On the other hand, while performing tasks unhindered is imperative, performing them efficiently is equally important.
Chef InSpec commands assist practitioners in both cases. Let’s find out how.
Integrate with other systems
Multiple output streams
Chef InSpec allows you to use multiple reporters to get several copies of the output. A ‘reporter’ is a configurable output stream for ‘InSpec exec’. You can send output to multiple destinations and formats simultaneously. InSpec supports multiple reporter formats, including CLI, HTML, JSON and YAML. JSON output is particularly useful for machine processing.
In the example below, InSpec generates two output streams for the profile it is executing: it sends the results to the command line and, using the html2 reporter, writes them to a file called myreport.html.
JUnit reporter
The junit2 reporter generates properly formatted JUnit XML reports and replaces the deprecated junit reporter. JUnit files can be consumed by Jenkins and several other CI systems for test tracking.
Using exit codes to detect outcomes
Did you know that InSpec lets you use exit codes to detect outcomes? ‘InSpec exec’ exits with distinct codes depending on the test outcome:
- 0: normal exit; all tests passed
- 100: normal exit; at least one test failed
- 101: normal exit; at least one test skipped, but none failed
You can use these exit codes to detect outcomes and intelligently use them in your CI engines.
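The two ideas above, several reporters on one run and a CI decision based on the distinct exit codes, fit naturally into one wrapper script. The following is an added example, not code from the Chef blog: it assumes the inspec binary is on PATH, takes the profile path as its first argument, writes an html2 and a json report alongside the CLI output, and then gates the pipeline on the 0/100/101 codes listed above.

```shell
#!/bin/sh
# Added example (not from the original post): a CI wrapper around `inspec exec`.
# Assumes `inspec` is on PATH; the profile path is the first argument.

# Map an `inspec exec` exit status to an outcome label.
#   0   all tests passed
#   100 at least one test failed
#   101 at least one test skipped, none failed
# Any other code means InSpec itself did not complete the scan
# (profile not found, unreachable target, syntax error in a control, ...).
inspec_outcome() {
  case "$1" in
    0)   echo "pass" ;;
    100) echo "fail" ;;
    101) echo "skipped" ;;
    *)   echo "error" ;;
  esac
}

# Decide whether the pipeline may proceed: skips are non-blocking,
# failures and runtime errors block. Returns 0 to proceed, 1 to block.
inspec_gate() {
  case "$(inspec_outcome "$1")" in
    pass|skipped) return 0 ;;
    *)            return 1 ;;
  esac
}

# One run, three reporters: CLI on stdout, an HTML report for people and a
# JSON report for machines. The exit status of `inspec exec` is passed back
# unchanged so the caller can classify it.
run_inspec_scan() {
  profile="$1"
  report_base="${2:-inspec-report}"
  inspec exec "$profile" \
    --reporter cli "html2:${report_base}.html" "json:${report_base}.json"
}

# Entry point: only runs when a profile path was given, so sourcing this
# file for its functions has no side effects.
if [ -n "$1" ]; then
  run_inspec_scan "$1" "${2:-inspec-report}"
  rc=$?
  echo "inspec exit code $rc -> $(inspec_outcome "$rc")"
  inspec_gate "$rc"
fi
```

Usage from a pipeline step: `sh ci-inspec.sh ./my-profile build-123`, then let the step's own exit status (the result of `inspec_gate`) decide whether the job continues. One caveat to check in your own pipeline: InSpec only returns 100 and 101 when distinct exit codes are enabled, which is the default; a job that passes `--no-distinct-exit` gets a plain 1 for failures and the mapping above will report it as an error rather than a failure.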
How Can You Work More Efficiently with InSpec?
Using plural resources
A plural resource queries multiple resources of the same type: it can query in bulk and then loop over the individual resources in detail. It can also be used to assert that something should not exist.
In the positive assertion example above, the plural resource loops over all AWS S3 buckets, examines each bucket name individually and checks whether default encryption is enabled.
Generate code with InSpec init
This is a great way to use your time effectively. Whenever you need a new profile, generate it instead of writing one from scratch with the command ‘InSpec init profile <profilename>’. You can also generate new resources and plugins with this command.
We hope this series has provided you with insights into the various options that Chef InSpec provides. From helping you to ‘Explore and Diagnose’ to ‘Managing your Profiles’, to easing integration with other systems, Chef InSpec commands help you streamline your compliance and security processes.
Stay tuned for the next blog in this series, where we’ll discuss how you can write controls for cloud resources using InSpec.
Resources
Learn Chef is a great place to know more about Chef InSpec.
Watch the video: “I didn’t know Chef InSpec could do that.”
Learn more about Chef products.
Whitepaper: Buyer’s Guide for Continuous Compliance Solutions in DevOps