Securing cloud infrastructure is only half the battle. Maintaining security posture over time as resources are modified is the real challenge. Compliance-as-Code treats security requirements as unit tests, allowing them to be run automatically with every code change.
Using Chef InSpec, we can write human-readable test files that audit Docker images, Kubernetes clusters, and operating system packages before they reach production.
1. Writing InSpec Compliance Rules
InSpec allows you to define declarative rules for checking system states. For example, the following control audits a Docker container or VM to ensure SSH (port 22) is not listening while the expected web service port (80) is:

```ruby
control 'secure-port-policy' do
  impact 1.0
  title 'Verify only authorized ports are listening'
  desc 'Check listening ports to reduce attack surface'

  # SSH should not be exposed by the audited image.
  describe port(22) do
    it { should_not be_listening }
  end

  # The web service is expected to be up.
  describe port(80) do
    it { should be_listening }
  end
end
```
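The control above only names two ports; its title promises an allowlist. The following plain-Ruby script is an added example (not from the original post or from InSpec) that enforces that allowlist over `ss -tlnH` output and yields the pass/fail status a CI step would act on. The `ss` output, the allowed and required port sets, and the function names are constructed for illustration.

```ruby
require 'set'

# Constructed sample of `ss -tlnH` output captured from an audited container.
SAMPLE_SS_OUTPUT = <<~SS
  LISTEN 0      4096   0.0.0.0:80       0.0.0.0:*
  LISTEN 0      128    0.0.0.0:22       0.0.0.0:*
  LISTEN 0      4096   [::]:80          [::]:*
  LISTEN 0      511    127.0.0.1:9000   0.0.0.0:*
SS

# Parse the set of listening TCP ports out of `ss -tlnH` lines. Column 4 is the
# local address ("0.0.0.0:80", "[::]:80"); the port follows the last ':'.
def listening_ports(ss_output)
  ss_output.each_line.with_object(Set.new) do |line, ports|
    fields = line.split
    next unless fields[0] == 'LISTEN' && fields[3]
    port = fields[3].rpartition(':').last
    ports << port.to_i if port.match?(/\A\d+\z/)
  end
end

# Evaluate the port policy: every port in `required` must be listening and
# nothing outside `allowed` may be. Returns sorted human-readable findings;
# an empty list means the control passes.
def audit_ports(ports, allowed:, required:)
  findings = []
  (required - ports).each { |p| findings << "required port #{p} is not listening" }
  (ports - allowed).each { |p| findings << "unauthorized port #{p} is listening" }
  findings.sort
end

# Exit status a pipeline step would return: non-zero halts the build,
# just as a failing `inspec exec` does.
def exit_status(findings)
  findings.empty? ? 0 : 1
end

if __FILE__ == $PROGRAM_NAME
  findings = audit_ports(listening_ports(SAMPLE_SS_OUTPUT),
                         allowed: Set[80], required: Set[80])
  findings.each { |f| puts "FAIL: #{f}" }
  puts "exit status: #{exit_status(findings)}"
end
```

With the constructed sample, port 80 on IPv4 and IPv6 collapses to one allowed entry, while 22 and 9000 are reported as unauthorized and the exit status is 1.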
2. Integration with Bitbucket Pipelines
To run these audits automatically, we integrate the InSpec scanner into our CI/CD pipeline. If a control fails (e.g., a developer introduces an unauthorized package or opens a port), `inspec exec` returns a non-zero exit code, the step fails, and the pipeline halts before the build can deploy:

```yaml
image: chef/inspec:latest
pipelines:
  default:
    - step:
        name: Infrastructure Compliance Scan
        # The docker:// target needs access to a Docker daemon, which Bitbucket
        # provides through the docker service. CONTAINER_ID is assumed to be set
        # by an earlier step that started the container under test.
        services:
          - docker
        script:
          # --chef-license accept avoids the interactive license prompt in CI.
          - inspec exec inspec/pipeline-compliance -t docker://$CONTAINER_ID --chef-license accept
```
This automated check ensures your infrastructure remains secure and compliant with every release.