
Chef InSpec 3.0 horns in on Terraform territory

Chef InSpec 3.0 can scan Terraform infrastructure-as-code files for security and compliance gaps, which knocked HashiCorp Sentinel off the evaluation list at Chef customer Pacific Life.

Chef's updated InSpec tool encroaches on HashiCorp's turf and has turned heads in one enterprise IT shop, as it automates its compliance policies alongside infrastructure as code.

Chef InSpec 3.0, rolled out in general availability this week, broadens support to include HashiCorp Terraform infrastructure-as-code file scans. This coverage overlaps with HashiCorp's own Sentinel compliance-as-code tool, which also works with HashiCorp's Consul, Nomad and Vault. The tools can be used alongside one another: Sentinel validates Terraform, Consul, Nomad and Vault policies before any changes are applied, while InSpec can run on a provisioned machine to monitor changes at a lower layer than Terraform.

However, Chef InSpec 3.0 adds similar validation features for Terraform files before users provision infrastructure through the InSpec Generator, which also supports tools beyond the HashiCorp portfolio. This gave the tool a foot in the door at Pacific Life, a financial services company in Newport Beach, Calif.

IT pros in the Pacific Life corporate IT and retirement services divisions already use Chef Server and Terraform, but lean toward Chef InSpec, which they run in lab and test/dev environments, as their future compliance-as-code tool of choice for production.

"We're aware of [Sentinel], but we're also big into [AWS] CloudFormation and [are] just starting to use Terraform," said Benjamin Peterson, cloud architect at Pacific Life. "For a lot of our CloudFormation templates, we're interested in general static code analysis."

Chef InSpec makes compliance code both human- and machine-readable, which is important, as the company transfers compliance policy rules from documents to code, but wants to keep nontechnical business stakeholders involved.

"You can iterate on it pretty easily," said Hans Nesbitt, cloud engineer at Pacific Life. "Instead of having to change a whole document, you can change a couple of lines of code. But everyone still reads it the same way."

Chef InSpec could play a key role as Pacific Life pursues a DevSecOps strategy, but it doesn't completely fill the company's need for security-focused, test-driven development tools.

"InSpec applies more on the functional and system integration testing side versus unit testing for applications," Peterson said. "We want to shift security left, but Chef InSpec takes us only so far left."

Chef checks off InSpec user wish list items, gives roadmap hints


Chef InSpec 3.0 overhauls the tool's exception handling, so InSpec scans can skip some controls if compensating measures already are in place. InSpec also can label some failures as acceptable based on the environment's specific compliance priorities. This cuts down on the number of alerts that admins receive for irrelevant issues, an update high on users' wish lists at ChefConf in May 2018. And it was crucial for the tool to move forward in Pacific Life's evaluation process, Peterson said.
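The two points above, a control that reads as a policy statement (the human- and machine-readable code Nesbitt describes) and an exception that skips a control when a compensating measure exists or labels a failure as acceptable, look roughly like the following in InSpec's Ruby DSL. This is an added illustration, not code from Chef, Pacific Life or the article, and it runs under `inspec exec`, not plain Ruby. The profile name `ssh-baseline`, the control IDs, the tag value and the auditd rule path are assumed; the `only_if` message form and the treatment of `impact 0.0` as "none" follow the InSpec documentation as the author understands it.

```ruby
# controls/ssh.rb in a profile whose inspec.yml names it 'ssh-baseline' (assumed).
# Constructed example; not a Chef-shipped or Pacific Life profile.

# A control pairs a plain-language title and description with the machine check,
# so a non-technical reviewer and the scanner both read the same artefact.
control 'ssh-01' do
  impact 0.7
  title 'SSH daemon must not allow root login'
  desc 'Interactive root logins over SSH are prohibited by the hardening standard.'
  tag policy: 'server-hardening-standard'   # constructed tag value

  describe sshd_config do
    its('PermitRootLogin') { should eq 'no' }
  end
end

# Exception handling, first form: skip the control when a compensating
# measure is present. The compensating measure here is assumed to be an
# auditd rule file watching root's SSH keys; the path is a placeholder.
control 'ssh-02' do
  impact 0.5
  title 'Root must not have SSH authorized_keys'

  only_if('compensated by auditd watch in /etc/audit/rules.d/root-ssh.rules (placeholder)') do
    !file('/etc/audit/rules.d/root-ssh.rules').exist?
  end

  describe file('/root/.ssh/authorized_keys') do
    it { should_not exist }
  end
end

# ---------------------------------------------------------------------------
# controls/overrides.rb in a separate wrapper profile that depends on
# 'ssh-baseline'. Exception handling, second form: label a failure as
# acceptable for this environment by overriding the inherited control's
# impact to 0.0. The check still runs and is still reported, so the
# decision stays visible in scan output instead of vanishing.
include_controls 'ssh-baseline' do
  control 'ssh-02' do
    impact 0.0
  end
end
```

The reason the skip and the impact override both carry a written justification is the caveat a practitioner wants: an exception with no recorded reason is indistinguishable from a forgotten control, and the scan output is the only place a later auditor will look.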

In July 2018, Chef added another customer wish list item for noise reduction: alert deduplication for the Chef InSpec integration with ServiceNow's service desk ticketing system. Automated InSpec updates for the ServiceNow change management database will follow in a future Chef InSpec release, Chef officials said.

Chef also made good on a promise to support users' custom REST APIs with a customizable plugin architecture in version 3.0.

Chef InSpec's Kubernetes and Docker support for container adopters remains in a state analysts called rudimentary in version 2.0, but that's because specific compliance templates based on Center for Internet Security (CIS) controls validated for Kubernetes environments are still in the works.

Similarly, efforts are afoot to correlate compliance regimen-specific controls, such as PCI, COBIT and GDPR, with CIS benchmarks and create starter kits for each of those regulations in Chef Automate's premium content database. Finally, support for detailed exception handling reports is also planned for future versions.
