Compliance is one of the main requirements in modern application development. It keeps applications aligned with defined enterprise standards, covering security as well as the other rules of the target deployment environment and technologies. Understanding compliance early in development allows teams to address gaps before code moves to production or any higher environment.

What it does

GitHub is one of the main DevOps platforms, with the largest community support. With the addition of GitHub Actions and GitHub Advanced Security, it has become one of the main DevOps orchestrators for end-to-end DevOps implementation. Chef InSpec is an automation framework for compliance testing. This project builds a GitHub action that uses Chef InSpec to run Azure compliance checks as part of GitHub workflows. Combining the power of Chef InSpec with the flexibility of GitHub Actions enables community-driven, reusable baseline development for compliance verification. The project targets Azure compliance verification and can be extended to support other platforms.

How we built it

GitHub Actions is one of the main topics in the DevOps community, and security and compliance are of the highest priority in today's cloud-adopted, remote-enabled work culture. We combined the power of InSpec with the flexibility of the GitHub custom action framework to define a custom action for Azure compliance checks.

The project consists of two parts:

  1. Azure Compliance action: a GitHub custom action with a sample InSpec profile for integrating InSpec tests with GitHub workflows. Refer to the same at
  2. Azure compliance test pack: a set of Azure compliance tests defined as a baseline. Initial tests covering the web app and storage account can be found in the repo, which is open for community collaboration to develop a complete Azure compliance baseline. Refer to the baseline setup at
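The baseline tests in the test pack are written in the InSpec Ruby DSL against inspec-azure resources (for example `azure_storage_account`), which need InSpec and Azure credentials to run. The block below is an added example, not code from the project: it expresses the same kind of storage-account and web-app checks as plain Ruby rules over constructed ARM-style resource descriptions, so the pass/fail logic can be read and run offline. The control ids, the `BASELINE` rule table and the sample resources are assumptions made for this example; the property names (`supportsHttpsTrafficOnly`, `minimumTlsVersion`, `allowBlobPublicAccess`, `httpsOnly`, `siteConfig.minTlsVersion`) are the Azure Resource Manager properties those checks inspect.

```ruby
# Added example (not the project's code): Azure baseline checks for a storage
# account and a web app, written as plain Ruby rather than InSpec DSL so the
# evaluation runs without InSpec or Azure credentials.
require 'json'

# Baseline rules (assumed for this example): each rule names the ARM resource
# type it applies to, a control id, and a predicate over the resource's
# "properties" hash. The predicates mirror what an inspec-azure control checks.
BASELINE = [
  { type: 'Microsoft.Storage/storageAccounts', id: 'storage-https-only',
    desc: 'Storage account requires HTTPS traffic',
    check: ->(p) { p['supportsHttpsTrafficOnly'] == true } },
  { type: 'Microsoft.Storage/storageAccounts', id: 'storage-min-tls-1.2',
    desc: 'Storage account enforces TLS 1.2 or later',
    check: ->(p) { p['minimumTlsVersion'] == 'TLS1_2' } },
  { type: 'Microsoft.Storage/storageAccounts', id: 'storage-no-public-blob',
    desc: 'Storage account disallows anonymous blob access',
    check: ->(p) { p['allowBlobPublicAccess'] == false } },
  { type: 'Microsoft.Web/sites', id: 'webapp-https-only',
    desc: 'Web app redirects all traffic to HTTPS',
    check: ->(p) { p['httpsOnly'] == true } },
  { type: 'Microsoft.Web/sites', id: 'webapp-min-tls-1.2',
    desc: 'Web app enforces TLS 1.2 or later',
    check: ->(p) { p.dig('siteConfig', 'minTlsVersion') == '1.2' } }
].freeze

# Evaluate every rule that applies to one resource. A missing property fails
# the rule (the predicates compare against the explicit compliant value), so a
# resource with no security settings at all is reported, not silently skipped.
def evaluate(resource)
  props = resource.fetch('properties', {})
  BASELINE.select { |r| r[:type] == resource['type'] }.map do |rule|
    {
      control: rule[:id],
      resource: resource['name'],
      status: rule[:check].call(props) ? 'passed' : 'failed',
      desc: rule[:desc]
    }
  end
end

# Evaluate a list of resources and summarise, the way a workflow step would
# before deciding whether the job should fail.
def run_baseline(resources)
  results = resources.flat_map { |r| evaluate(r) }
  failed = results.count { |r| r[:status] == 'failed' }
  { results: results, failed: failed, passed: results.size - failed, compliant: failed.zero? }
end

# Constructed sample resources (not real Azure accounts): one compliant storage
# account and one web app that has drifted from the baseline (HTTPS-only off).
SAMPLE_RESOURCES = JSON.parse(<<~SAMPLE)
  [
    {"type": "Microsoft.Storage/storageAccounts", "name": "stexample01",
     "properties": {"supportsHttpsTrafficOnly": true, "minimumTlsVersion": "TLS1_2",
                    "allowBlobPublicAccess": false}},
    {"type": "Microsoft.Web/sites", "name": "app-example-01",
     "properties": {"httpsOnly": false, "siteConfig": {"minTlsVersion": "1.2"}}}
  ]
SAMPLE

if __FILE__ == $PROGRAM_NAME
  report = run_baseline(SAMPLE_RESOURCES)
  report[:results].each do |r|
    puts "#{r[:status].upcase.ljust(6)} #{r[:resource]} #{r[:control]}: #{r[:desc]}"
  end
  puts "passed=#{report[:passed]} failed=#{report[:failed]} compliant=#{report[:compliant]}"
end
```

In a workflow the equivalent InSpec run would produce the same passed/failed statuses per control; the summary hash is the piece a CI step keys on (for example, failing the job when `compliant` is false) so that a non-compliant storage account or web app is caught before the deployment reaches a higher environment.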

Challenges we ran into

We faced a few technical challenges along the way related to custom GitHub action development, passing data between the different components, and a few InSpec clause areas. We still need to explore registry management in cloud-based VMs and how to access the registry from InSpec.

Accomplishments that we're proud of

We are proud to have defined a custom GitHub action that adds value for the community. Some of the learnings:

  1. Custom GitHub Action - can be reused by the tech community
  2. Azure Compliance Test baseline - useful for the tech community

What we learned

This challenge was a great learning experience. We came to understand the InSpec framework and its importance in the DevSecOps world. We also explored dev-sec, which will enable quick compliance tests for on-premise environments.

What's next for Azure Compliance Automation using Chef InSpec & GitHub actions

We are planning the following elements as phase 2, each of which comes with a few technical challenges:

  1. Storing the test results as part of the build artifact and uploading them to the artifact store
  2. Deciding between a single action or multiple actions for on-premise and AWS

Built With

  • github
  • github-action
  • inspec
  • inspec-azure
  • yaml