Chef InSpec widens the compliance-as-code possibilities with v2.0

Chef InSpec 2.0 adds infrastructure tests for compliance policy enforcement, and the tool's expansion into more areas of the DevOps workflow won't stop there.

An update to Chef's InSpec compliance-as-code tool presents a wider view of cloud and data center infrastructures to IT pros, but also pits Chef against more competitors in an already noisy DevOps market.

InSpec was the first compliance-as-code tool to be marketed to enterprises, but it faces much more competition as big companies adopt containers and DevSecOps emerges. Docker offers container image scanning for security policy enforcement, and there are a number of other container-specific policy enforcement tools such as Tenable's FlawCheck. HashiCorp's Sentinel also supports policy-as-code inspection for container infrastructures. A company acquired by VMware this month, CloudCoreo, has a head start in the cloud infrastructure security enforcement field. And future InSpec features that inspect customers' APIs will compete with API gateway tools, though Chef officials said InSpec will identify API misconfigurations in addition to vulnerabilities to common attacks, such as SQL injection, that existing API gateway tools target.

Chef InSpec is broader in scope than most competitors, since it supports VMs, as well as containers, and can be applied to more kinds of environments than Sentinel, which is primarily focused on infrastructure-as-code configurations in HashiCorp's Terraform tool. Existing Chef customers have taken interest in InSpec among the company's refreshed products that were rolled out with the Chef Automate suite two years ago. InSpec was the first of these products to integrate with the Chef Automate umbrella tool and had the strongest appeal to attendees at last year's ChefConf.

Chef InSpec 2.0, released this week, can test public cloud VM and container infrastructure to ensure that machine configurations are in line with regulatory compliance rules and organizational security policies. Chef InSpec previously focused on OS and application configuration tests, but InSpec 2.0 supports container inspection through integration with Docker, and future versions will add support for container orchestration tools, such as Kubernetes.

Without integration with container orchestration tools, Docker inspection is fairly rudimentary in this version, said Gary Chen, an analyst at IDC.

"They're at the beginning stages of doing this, with insight into the container image," Chen said.

Initially, the tool adds infrastructure-level tests on AWS and Microsoft Azure public clouds, but what's really changed in version 2.0 is its ability to inspect the APIs on which cloud infrastructure is based. This advancement will yield compliance-as-code support for users' internal application APIs in the future, company officials said.

Chef InSpec roadmap looks to boost DevOps cachet

The popularity of containers and container orchestration tools that include automated configuration management features has put configuration management specialists such as Chef and Puppet on the defensive. Chef responded to this pressure with Chef Automate, which broadens Chef's platform for infrastructure and application automation. Puppet, in turn, acquired DevOps pipeline software startup Distelli in 2017. Red Hat has taken a different tack with its configuration management subsidiary, Ansible, which has been broadly integrated into other Red Hat products but isn't the primary focus of the company's infrastructure and container management strategy.

"Red Hat has taken a different approach with Ansible -- they've integrated it into all their other products, but by itself, as a platform, it may be less appealing," Chen said.

Meanwhile, vendors such as Chef and Puppet have yet to reestablish their appeal among DevOps shops to match the cachet they had when infrastructure automation centered on virtual machines. InSpec in particular must add deeper integrations into CI/CD tools to boost its appeal to DevOps teams, Chen said. Users can export Chef compliance-as-code tests to CI/CD pipeline tool Jenkins, and Jenkins can kick off InSpec tests with a Chef Test Kitchen integration, but support for CI/CD tools and workflows is otherwise lagging, in his view.

"The problem is that configuration management tools have gone from something that was seen as strategic to more of a practical, tactical tool," Chen said. Chef's plan is to expand its software to become a platform with broader applicability in user environments, but it still faces an uphill battle with that strategy.
