What’s new in InSpec 5?

InSpec 5 has many new features – including over a dozen new resources, lots of minor fixes, and cleanup of some old code. InSpec 5 enables database users to secure their data and protect against vulnerabilities by safeguarding database management systems, protecting it from cyber-attacks and creating custom policies. Today we will focus on three new features that relieve pain points our customers have called out and enable accelerated Compliance as Code. The Progress Bar Reporter gives a more responsive feel and eases performance diagnosis. Gem Dependencies in Profiles solves software distribution woes, and Code Generation for Custom Resources accelerates profile authoring for advanced use cases. We are very excited to get these new features into more InSpec users’ hands.

Progress Bar Reporter

Command-line users of InSpec have long been frustrated by its unresponsiveness. Especially on extensive profiles, InSpec will seem to “hang,” producing no CLI output until finished, then finally gushing forth all the results. Users have longed for a more interactive experience, especially when diagnosing a long-running control.

In InSpec 5, a new type of internal feature called the streaming reporter interface was developed, allowing real-time results to be obtained. This feature has many possibilities, such as pushing results to a publishing API or streaming results to a GUI. As a demonstration of its power, the first streaming reporter we developed is a command-line interface feature called the Progress Bar Reporter.

Use the progress bar reporter like any other output format by specifying it on the command line.

inspec exec profilename --reporter progress-bar

You may use it in combination with other formats to get JSON output to a file, while enjoying real-time progress-bar output.

inspec exec profilename --reporter progress-bar,json:myfile.json

The progress bar reporter produces a progress bar at the bottom of the screen while emitting the name of the last complete control and its status as each control finishes. This allows you to diagnose long-running controls.

Gem Dependencies in Profiles

One recurring problem that has plagued profile authors is that profiles do not provide any way to declare software dependencies. For example, the CIS MongoDB profile relies on the mongodb RubyGem for database connectivity. Still, there was no way to express this dependency without adding it to the core of InSpec. Other workarounds have included creating a Train plugin to carry RubyGem dependencies – this was done in the case of train-aws and has led to continuous issues with keeping the resource pack, train driver, and InSpec version in sync. Clearly, a better solution is needed.

With InSpec 5, profiles can now directly declare gem dependencies from the inspec.yml metadata file. At initial profile load time, InSpec asks the user if they would like to install the gem dependencies (to avoid this prompt, pass the --auto-install-gems option). The gems are then installed to InSpec’s private gem installation area, under ~/.inspec/gems. If the gems are already installed, no prompting occurs, of course.

This process streamlines gem dependency resolution and makes profiles much more bullet-proof. It keeps gem dependency information where it belongs – in the profile – and lets inspec manage the gems that it needs to manage. Progress Chef is eager to learn how this feature is received by the InSpec community and understand what problems it may solve.

Code Generation for Custom Resources

For advanced users of InSpec, authoring a profile often means repeating the same logic over and over – for example, the commands to connect to a database, or to examine the packages installed in a container. Following the software engineering principle of DRY (Don’t Repeat Yourself), the standard practice is to refactor that repetitive code into a reusable custom resource that can be used repeatedly within your profile (and, if shared as a resource pack, within other profiles as well).

However, creating custom resources is a tricky business. Getting the inheritance hierarchy correct is challenging, and there is the matter of including tests for your resource as well – a chore not everyone finds enjoyable. Until recently, some thin documentation and examples were the author’s only help in this area. Now InSpec 5 offers a powerful code generator in the form of the inspec init resource command. Using the command, InSpec will generate a custom resource, complete with documentation template, test template, and correctly defined code structure, ready for you to insert your custom business logic.

The code generator is flexible, too. Using the --layout option, it can generate a custom resource for a resource pack (the default) or it may be used to generate a new core resource if the author wishes to contribute to the InSpec project itself. You can also specify to use a different template, such as the plural template, to generate a plural resource (see: Understanding Singular and Plural InSpec Resources). Look for more template options in the future as we add support for more use cases – your contributions are welcome here!

Conclusion

The InSpec team has worked hard since the release of InSpec 4 to bring you new features that will be useful to you, the InSpec user. This release will help protect the data, the host, and the cloud and scale for the cloud with ease of use. We are very excited to hear what you have to say about the new release. Grab your copy of Chef InSpec 5 today!

Posted in:
Tags:

Clinton Wolfe

Clinton Wolfe is the Engineering Manager for the Progress Chef InSpec and Cloud Resource teams. A hands-on technologist in the web application and DevSecOps spaces for over twenty years, Clinton has seen several computing paradigms come and go, but the need for security at scale has remained constant. In his free time, he enjoys building farm machinery out of Lego Technic and emceeing the Philadelphia DevOpsDays conference.

Chefconf Blog Banner Bottom

Chefconf September 12-13 2022
image_334

FOLLOW @CHEF