2023-10-02 02:00:00+00:00

Securing cloud infrastructure is only half the battle. Maintaining security posture over time as resources are modified is the real challenge. Compliance-as-Code treats security requirements as unit tests, allowing them to be run automatically with every code change.

Using Chef InSpec, we can write human-readable test files that audit Docker images, Kubernetes clusters, and operating system packages before they reach production.


1. Writing InSpec Compliance Rules

InSpec allows you to define declarative rules for checking system states. For example, the following rule audits a Docker image or VM to ensure SSH is not running and specific ports are closed:

# InSpec control: 'impact' 1.0 marks a critical finding; each 'describe'
# block is one test run against the state of the audited target.
control 'secure-port-policy' do
  impact 1.0
  title 'Verify only authorized ports are listening'
  desc 'Check listening ports to reduce attack surface'

  # SSH must not be exposed on the audited image or VM.
  describe port(22) do
    it { should_not be_listening }
  end

  # The web service is expected to be up.
  describe port(80) do
    it { should be_listening }
  end
end
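The following is an added example, not code from the original post or from InSpec itself. It reproduces the logic of the control above in plain Ruby so it can be run offline against a constructed sample of `ss -ltn` output, and it goes one step further than the control: besides checking that port 80 listens and port 22 does not, it treats any listening port outside an explicit allowlist as unexpected attack surface. The names PortPolicy, listening_ports and evaluate_port_policy are assumptions for this example, not InSpec APIs.

```ruby
# Added example: plain-Ruby equivalent of the InSpec port control, extended
# with an allowlist. Run offline against constructed `ss -ltn` output.
require 'set'

# Constructed sample of `ss -ltn` output (listening TCP sockets), not captured
# from a real host.
SAMPLE_SS_OUTPUT = <<~SS
  State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
  LISTEN  0       4096    0.0.0.0:80          0.0.0.0:*
  LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
  LISTEN  0       511     127.0.0.1:6379      0.0.0.0:*
  LISTEN  0       4096    [::]:80             [::]:*
SS

# Parse `ss -ltn` style output into the set of listening TCP port numbers.
def listening_ports(ss_output)
  ports = Set.new
  ss_output.each_line do |line|
    next unless line.start_with?('LISTEN')
    local = line.split[3]                  # e.g. "0.0.0.0:80" or "[::]:80"
    port = local.rpartition(':').last.to_i # port is always after the last ':'
    ports << port if port > 0
  end
  ports
end

# Policy mirroring the InSpec control: some ports must listen, some must not,
# and anything listening that is not explicitly allowed is flagged.
PortPolicy = Struct.new(:must_listen, :must_not_listen, :allowed, keyword_init: true)

# Returns a hash of findings keyed by port number. Each finding is
#   :ok         - state matches policy
#   :missing    - should listen but does not
#   :forbidden  - must not listen but does
#   :unexpected - listening but not in the allowlist
def evaluate_port_policy(policy, ports)
  findings = {}
  policy.must_listen.each     { |p| findings[p] = ports.include?(p) ? :ok : :missing }
  policy.must_not_listen.each { |p| findings[p] = ports.include?(p) ? :forbidden : :ok }
  extra = ports - policy.allowed - policy.must_listen
  extra.each { |p| findings[p] = :unexpected unless findings.key?(p) }
  findings
end

# The policy passes only when every finding is :ok; a CI step would map
# this boolean to its exit status.
def policy_passed?(findings)
  findings.values.all? { |f| f == :ok }
end

if __FILE__ == $PROGRAM_NAME
  policy = PortPolicy.new(must_listen: [80], must_not_listen: [22], allowed: [80])
  findings = evaluate_port_policy(policy, listening_ports(SAMPLE_SS_OUTPUT))
  findings.sort.each { |port, f| puts "port #{port}: #{f}" }
  puts(policy_passed?(findings) ? 'policy: PASS' : 'policy: FAIL')
end
```

On the constructed sample the result is FAIL: port 22 is listening (forbidden) and 6379 is listening without being allowlisted (unexpected), while port 80 is fine. The allowlist step is what turns a spot check of two ports into a statement about the whole listening surface of the image.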

2. Integration with Bitbucket Pipelines

To run these audits automatically, we integrate the InSpec scanner into our CI/CD pipelines. If a test fails (e.g., a developer introduces an unauthorized package or opens a port), the pipeline halts, preventing the build from deploying:

image: chef/inspec:latest
pipelines:
  default:
    - step:
        name: Infrastructure Compliance Scan
        script:
          - inspec exec inspec/pipeline-compliance -t docker://$CONTAINER_ID

This automated check ensures your infrastructure remains secure and compliant with every release.
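The pipeline above relies on the scanner's exit status to halt the build. When a team wants finer control, for example failing only on controls above a given impact, it is common to have InSpec write a machine-readable report with `--reporter json` and let a small gate script decide. The script below is an added example, not code from the original post or from the InSpec project. The report it reads is constructed for the example; its layout (profiles, controls, results, status, impact) follows the shape of InSpec's JSON reporter output, and the function names summarise_controls, blocking_failures and gate_exit_status are assumptions.

```ruby
# Added example: a CI gate that reads InSpec JSON reporter output and decides
# whether the pipeline step should fail. The report is constructed, not real.
require 'json'

SAMPLE_REPORT = <<~REPORT
  {
    "profiles": [
      {
        "name": "pipeline-compliance",
        "controls": [
          {
            "id": "secure-port-policy",
            "title": "Verify only authorized ports are listening",
            "impact": 1.0,
            "results": [
              {"status": "failed", "code_desc": "Port 22 is expected not to be listening",
               "message": "expected `Port 22.listening?` to be falsey, got true"},
              {"status": "passed", "code_desc": "Port 80 is expected to be listening"}
            ]
          },
          {
            "id": "ssh-package-absent",
            "title": "openssh-server must not be installed",
            "impact": 0.7,
            "results": [
              {"status": "passed", "code_desc": "System Package openssh-server is expected not to be installed"}
            ]
          },
          {
            "id": "optional-banner",
            "title": "Login banner present",
            "impact": 0.3,
            "results": [
              {"status": "skipped", "code_desc": "No banner file", "skip_message": "Not applicable in containers"}
            ]
          }
        ]
      }
    ]
  }
REPORT

# Summarise each control as {id:, title:, impact:, status:}. A control is
# :failed if any of its results failed, :skipped if nothing actually ran,
# and :passed otherwise.
def summarise_controls(report_json)
  report = JSON.parse(report_json)
  report.fetch('profiles').flat_map do |profile|
    profile.fetch('controls').map do |control|
      statuses = control.fetch('results', []).map { |r| r['status'] }
      status = if statuses.include?('failed') then :failed
               elsif statuses.all? { |s| s == 'skipped' } then :skipped
               else :passed
               end
      { id: control['id'], title: control['title'], impact: control['impact'].to_f, status: status }
    end
  end
end

# Failed controls whose impact meets the threshold. Impact runs 0.0 to 1.0;
# a threshold of 0.0 blocks on any failure, 0.7 blocks only on high-impact ones.
def blocking_failures(summary, min_impact: 0.0)
  summary.select { |c| c[:status] == :failed && c[:impact] >= min_impact }
end

# Exit status for the pipeline step: 0 lets the build proceed, 1 halts it.
def gate_exit_status(report_json, min_impact: 0.0)
  blocking_failures(summarise_controls(report_json), min_impact: min_impact).empty? ? 0 : 1
end

if __FILE__ == $PROGRAM_NAME
  summary = summarise_controls(SAMPLE_REPORT)
  summary.each { |c| puts format('%-8s impact=%.1f %s', c[:status], c[:impact], c[:id]) }
  puts "gate exit status: #{gate_exit_status(SAMPLE_REPORT)}"
end
```

In a Bitbucket step this would run as a second script line after the `inspec exec` call (with the report written to a file and the script ending in `exit gate_exit_status(...)`), so the step fails on the same condition a human reviewer would reject: a failed control at or above the agreed impact. Skipped controls are reported but never block, which keeps a skipped check from being mistaken for a passing one.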