Software is all about evolution, adaptation and development. At Progress Chef, we constantly strive towards innovation, growth, scale and, more importantly, enabling our customers with the product features they need.
As part of our continuous efforts to enhance our products, the Chef team introduces to you the latest version of its principal compliance engine – Progress® Chef® InSpec® 6.
Based on customer feedback, we have made some important updates to Chef InSpec, along with some meaningful changes to the way we deliver Chef Compliance and Chef Cloud Security products.
This blog explains the new features and updates that we have made to Chef InSpec and how they impact our customers and the Chef open-source user community.
InSpec Parallel for quicker and more efficient compliance audits
Chef InSpec 6 consists of an exciting new feature called “InSpec Parallel,” which enables you to simultaneously run multiple compliance and security audit checks on multiple targets (local or remote). With InSpec Parallel, your teams can accelerate the scanning process, enabling you to take remediation steps quickly and efficiently.
For instance, enterprises with hybrid infrastructure ecosystems consisting of on-premises and multi-cloud environments can run scans simultaneously on Amazon Web Services (AWS), Azure and Google Cloud Platform (GCP). This results in a multifold increase in the speed at which the scans are performed, saving both time and cost for the user.
Increased scanning speed reduces the time to identify misconfiguration risks, enabling you to scale and make speedy investment decisions while reducing operational costs. There is, of course, the added benefit of a faster time to market.
Signed Profiles for Enhanced Security
We have also introduced the concept of signed InSpec profiles. A signed profile, or .iaf file, is an InSpec profile with a digital signature that attests to its authenticity. A signed profile is checked for validity before being executed, and if it cannot be verified, then InSpec would exit and not run the scan. With InSpec 6, customers can take advantage of the signed profiles feature, make it as mandatory to sign the profiles , preventing malicious profiles being run and thereby enhancing the overall security posture. Learn more about signed profiles here
Upgrade to InSpec 6 to address the recent Chef CVE
As you may be aware, we recently announced a CVE in Chef InSpec which identifies that the policy file code is executed as part of the InSpec archive, check and export commands. This is unexpected behavior based on the command names and allows a profile that includes certain malicious commands in the profile header (Ruby) to be executed locally. We have provided fixes and guidance in a timely manner through our commitment to responsible disclosure. However, if you haven’t upgraded InSpec deployments to the latest version, we strongly encourage you to upgrade to InSpec 6. By upgrading to InSpec 6, you can be assured that you have hardened your environment against this vulnerability. The nature of the InSpec vulnerability requires special attention to your SDLC process and how you test and approve Chef content, including InSpec profiles. To help guide your people and process efforts, please review our best practices summary guide.
Our Product roadmap
In addition to InSpec Parallel, and Signed Profiles , Chef InSpec will include many other exciting features in the subsequent releases. We have created a robust product roadmap for Chef InSpec, which is based on the feedback that we received from our customer community.
It includes features like ‘InSpec Suggest,’ which recommends Chef profiles based on your existing infrastructure. ‘Compliance Attestation’ is another interesting feature in the offing that enables attestations for checks that require manual/offline audits allowing auditors to provide a comprehensive and complete compliance audit.
Standardizing Tiers of Licensing
To obtain more visibility into our product usage, identify users and ensure that customers can use our services easily, we are offering multiple licensing tiers for Chef InSpec. We envision implementing the same approach across all Chef products in the future.
Being a pioneer in the DevOps space, Chef has always enjoyed huge popularity amongst its community. We are, therefore, not surprised by the volume of downloads over the years across different channels. However, we do understand that there is a lack of clarity amongst our customers as to which license is appropriate for their business. We hope that standardizing the licensing tiers will enable customers to match the appropriate licensing tiers to their specific use case.
With licensing tiers, we aim to provide enhanced value and continued support to our users, enabling them to use Chef InSpec in a way that best suits their unique requirements.
With InSpec 6, we are standardizing three licensing tiers: Free, Trial and Commercial.
The free tier is available for non-commercial use on limited targets, while the trial tier gives full access to InSpec 6 for a limited time period.
What do our commercial customers need to know?
Being a valued Chef commercial customer, you will be entitled to all the features and benefits that come with the subscription you purchased.
The requirements to access the latest version of Chef InSpec are:
- A license key will be required to access the latest version of Chef Compliance and Chef Cloud Security.
- You can find your existing license key on the customer support portal.
What does our open-source community need to know?
Please note Chef InSpec code will continue to be committed to the GitHub repositories, as before.
1. The EULA terms are not modified from InSpec 5.x and continue to be the same as before.
2. Commercially distributed executables will need a license key in addition to accepting the terms and conditions of EULA.
3. With this release of Chef InSpec 6, commercially distributed executables will be available with the standardized tiers (Free and Trial) along with the existing Commercial tier.
4. Users can apply one of the three licensing tiers upon downloading and executing a commercially distributed version of InSpec.
5. A license key will not be required if users are either:
- Building their own downstream version or
- Using the CINC Auditor distribution
How to get started with Chef InSpec 6?
Chef InSpec 6 access and the license key integration process are designed to reduce disruption during updates. Follow the below steps to get started:
- Download Chef InSpec 6.
- Accept the terms of the Chef End User License when you run the upgraded Chef software for the first time. (Same as the current process).
- If you are a free-tier user, your license key will be sent to you via email.
- If you are a commercial user, please access your license key on the customer support portal.
- Once you enter the license key, you can access features and functionalities based on the licensing tier you have opted for.
Please follow the instructions here to activate your license key and start using Chef InSpec 6. You can also automate license entry by adding a valid license key in the ENV variable. You may also refer to the FAQ for further clarifications.
How does this release impact our new customers?
Download and start using Chef InSpec 6 via downloads.chef.io
Please follow the instructions below to start using the free /trial version of Chef InSpec 6.
- Go to https://www.chef.io/downloads.
- Click on the ‘Contact Us’ button and provide the requested details in the form.
- Select ‘Compliance Management and Remediation’ or ‘Cloud Security Posture Management’.
- A Chef Sales representative will get back to you and help you get started with a Free or Trial subscription.
To summarize, these are the changes that we are announcing today:
1. Chef InSpec 6 comes with InSpec Parallel, a feature that allows multiple compliance audit checks to run simultaneously on multiple targets. This feature enables faster outputs, quicker audits, and remediation and ultimately helps save time managing compliance.
2. We are standardizing three licensing tiers: Free, Trial and Commercial.
- Commercial customers will continue to receive all the features and benefits they are entitled to as per their subscription. These customers can access the commercial license key from the customer support portal.
- Open-source users will still have access to the Chef InSpec code committed in the GitHub repository, but commercially distributed executables will now require a license key to run.
- Commercial distributions will be introduced with Free and Trial options alongside the Commercial license, giving users more clarity in choosing the licensing tier that suits their needs.
The Chef team is committed to improving our products and services, providing greater value to our customers, and supporting the Chef community with innovative solutions for managing compliance and cloud security. Chef InSpec 6 and the introduction of standardized licensing tiers is a step in that direction.
Find out more about Chef InSpec 6 by visiting our various resources below.