Inspec profile usage questions


#1

The documentation mentions that I can refer to inspec profiles in supermarket as well as depend on inspec profiles in another inspec profile. I have a few questions that I don’t see answers to in the docs:

  • How do I upload an profile to a private (or public) supermarket?
  • When depending on a git/github inspec profile, where is that profile assumed to be? Just sitting at the top level?
  • When specifying supermarket profiles in test-kitchen, I think it says that is to include a profile from a cookbook on the supermarket. How does it find that?
  • Same question for specifying a git/github profile in test-kitchen. How does it know where it is in the repo?

#2

Thanks for your feedback Mark.

  • Profiles go under the Tools section of the Supermarket. I’ve added a profile recently by going to: VIEW PROFILE > Tools & Plugins > Add Tool > Type: Compliance Profile

  • Right now, profiles are expected to be in the root of the git repo. I’ve opended a feature request for multiple profiles in a repo. Would be great to hear your use-case.

  • This is how you can reference a public supermarket and github profile in test-kitchen(when using the inspec verifier). It’s a single profile per URL:

    verifier:
      inspec_tests:
        - supermarket://hardening/ssh-hardening
        - https://github.com/dev-sec/tests-ssh-hardening

We have a ticket to harmonize how we specify profile locations across inspec, kitchen-inspec and audit cookbook.

Please +1 the tickets I referenced to get updates.

Cheers,
Alex


#3

Thanks for the response. I’ll mirror your bullet points :slight_smile:

  • OK. We never log into our supermarket web UI, though. Is there a knife command?
  • Does this mean that I need a dedicated repo per inspec profile or that I can leave an inspec profile laying in the root level of a cookbook repo? Here’s my use case, as I envisioned this would work :slight_smile:
    • I want to create an inspec profile per use-case of a cookbook. Perhaps I have a cookbook that is used by running the default recipe that includes recipes foo and bar. I would create a default inspec profile in that repo in a test/ (or inspec or whatever) directory.
    • This cookbook also has a cookbook baz that is used by itself sometimes also. I would create a baz inspec profile, also under the test directory that can be used for testing just the baz recipe.
    • My .kitchen.yml would have a suite for both default that runs the default inspec profile and baz that runs the baz inspec profile.
    • I would like to be able to reference these profiles in dependent cookbooks.
  • Does that supermarket URL reference a “raw” profile in supermarket? It seemed from the docs or tutorial that I could use a supermarket URL to reference a profile in a cookbook.

Thanks.


#4

We struggled with the same thing - shared tests, as that is the only real thing you start missing when you switch from serverspec to inspec (well and also audit mode). In interacting with Chef support around this issue we discovered that there currently is no knife command and it doesn’t work with enterprise Github, private repos or repos that require ssh keys. The inspec folks are working on a new specification on this as Irving points around this.

Instead we ended up setting up a compliance server for this purpose, as it has a cli for publishing profiles via “inspec compliance upload”. I set up a system to be able to spin up compliance servers on demand and publish on source change for sharing. However I would have preferred to do this all through the supermarket, as now I have to manage another server and publish to another place for a similar function.

We put up with needing dedicated repos for the shared tests - our devs didn’t like that as they were used to having shared tests in their cookbook repos with serverspec/audit mode. It was an easy sell though because inspec is so much faster and has so much more functionality.

We’ve discovered that having a compliance server is the best way right now, as not only do we get shared tests but it is also a supported scenario by the audit cookbook https://github.com/chef-cookbooks/audit - so we have everything we had before with serverspec/audit mode - it’s just a lot faster now.

+1 to supporting this use case via the supermarket though, as it was a tough sell at first to justify why we needed so many different servers just to do the same thing we did before with just one server.


#5

The compliance server sounds like a good option if you have Chef Automate - we currently do not.

It sounds like for now the best option seems to be for me to make an org on our github instance for inspec and create a repo for each inspec profile that we create. Then, each release comes with link for a tar.gz of the release that we can put into kitchen.yml’s.