ansible-inspec: Bridging Infrastructure Automation and Compliance Testing

A Developer's Journey into Compliance as Code

Hey there! 👋

I want to share something I've been working on that completely transformed how I approach infrastructure compliance. You know those moments when you're managing dozens of servers and need to verify they all meet security requirements? Usually, you'd SSH into each one, run various compliance checks, maybe consult a 200-page CIS benchmark PDF (because who has those memorized?), and then manually piece together a report.

What if your infrastructure automation tool could just... do compliance testing for you?

That's exactly what I built with ansible-inspec: a bridge that lets you run InSpec compliance profiles using Ansible's inventory system, right where you already manage your infrastructure. And the best part? You can convert those Ruby-based InSpec profiles into pure Ansible collections that run without InSpec at all.

Let me show you what I learned along the way.

⚡ Quick Start (TL;DR)

For Python Users:

  1. Install via pip:

     pip install ansible-inspec

  2. Run a compliance check:

     ansible-inspec exec my-profile/ --target ssh://hostname \
       --reporter json --output report.json

  3. Or use Chef Supermarket profiles:

     ansible-inspec exec dev-sec/linux-baseline --supermarket \
       --target ssh://hostname --reporter html --output report.html

That's it! No complex setup. Just compliance testing that works.

🤔 First, Let's Talk About the Compliance Problem

If you're managing infrastructure, you've probably felt this pain before.

The Problem I Kept Running Into

Think about your typical compliance workflow:

  1. You need to verify 50 servers meet PCI-DSS requirements

  2. You SSH into each one manually (or write a bash script)

  3. Run various commands to check configurations

  4. Copy results to a spreadsheet

  5. Compare against compliance requirements

  6. Generate a report for your security team

  7. Repeat this every month for audits

Sound familiar? It's like having two separate worlds, your automation infrastructure (Ansible) and your compliance testing (InSpec/manual checks), that never quite talk to each other.

Enter ansible-inspec: One Tool, Two Powers

ansible-inspec changes the game completely. With it, you can:

  • ✅ Use your existing Ansible inventory for compliance testing

  • ✅ Run InSpec profiles without learning a new inventory system

  • ✅ Generate audit-ready reports in multiple formats (JSON, HTML, JUnit)

  • ✅ Convert InSpec profiles to pure Ansible (no InSpec installation needed!)

  • ✅ Access 100+ pre-built profiles from Chef Supermarket

  • ✅ Run compliance checks in parallel across your entire fleet

It's like upgrading from "two separate tools" to "one unified workflow."

Why This Matters for DevOps Teams

Before ansible-inspec:

With ansible-inspec:

No manual SSH sessions. No spreadsheets. No friction.

This is the bridge we needed between infrastructure automation and compliance testing.

🚀 What ansible-inspec Actually Does

So here's what I built. ansible-inspec is a production-ready tool that combines Ansible's inventory management with InSpec's compliance testing framework.

The Vision: What if compliance testing was as easy as running an Ansible playbook?

Instead of this old workflow:

You now just run:

And you get:

  • Parallel execution across all hosts

  • InSpec-compatible JSON reports

  • Interactive HTML dashboards

  • JUnit XML for CI/CD integration

Magic? No, just good engineering.

πŸ› οΈ The Toolbox: 3 Core Modes

I built ansible-inspec to work in three powerful modes:

1. Native InSpec Execution

Run existing InSpec profiles using your Ansible inventory.

Perfect for:

  • Using Chef Supermarket profiles (CIS benchmarks, DevSec baselines)

  • Testing with advanced InSpec resources (AWS, Azure, GCP)

  • Quick compliance checks without conversion

Example:

2. Profile Conversion (InSpec-Free Mode)

Convert Ruby-based InSpec profiles to pure Ansible collections.

Perfect for:

  • Air-gapped environments

  • Systems where InSpec can't be installed

  • Teams who prefer pure Ansible

  • Faster execution with native modules

Example:

Auto-generates:

  • Ansible roles from InSpec controls

  • Callback plugin for automatic reporting

  • Ready-to-use playbooks

  • Pre-configured ansible.cfg

3. Chef Supermarket Integration

Access 100+ pre-built compliance profiles from Chef Supermarket.

Available profiles:

  • CIS Benchmarks (Ubuntu, RHEL, Windows, etc.)

  • DevSec Hardening Baselines (Linux, SSH, Nginx, etc.)

  • DISA STIGs

  • PCI-DSS requirements

  • And many more...

Example:

🎯 Multi-Format Reporting

One of the game-changers is comprehensive reporting:

Reports include:

  • Pass/fail status for each control

  • Execution details and error messages

  • Platform information

  • Statistics and duration

  • InSpec schema v5.22.0 compatible (works with Chef Automate!)

💡 The InSpec-Free Magic

This is my favorite feature. When you convert an InSpec profile:

  1. Conversion happens once:

  2. Distribution is easy:

  3. Execution requires ZERO InSpec:

  4. Reports are auto-generated:

The collection includes:

  • ✅ Converted Ansible tasks (pure native modules)

  • ✅ Callback plugin (auto-bundled)

  • ✅ Pre-configured ansible.cfg

  • ✅ Example playbooks

  • ✅ InSpec-compatible reporting

This means your production servers can run compliance checks without installing InSpec, Ruby, or anything extra. Just Ansible.

βš™οΈ Getting Started: Your First 10 Minutes

Alright, enough theory. Let's get this running!

Installation

Option 1: PyPI (Recommended)

Option 2: Docker

Option 3: From Source

The First Compliance Check

Step 1: Create a Simple Inventory

Step 2: Run a Supermarket Profile

Step 3: View Your Report

You'll see:

  • Pass/fail status for 60+ security controls

  • Which hosts passed/failed

  • Detailed failure reasons

  • Remediation guidance

That's it! You just ran a comprehensive security baseline across your infrastructure.

Going InSpec-Free

Want to run without InSpec? Convert it:

Result: Pure Ansible compliance testing with auto-generated reports!

🔄 How It Works: The Architecture

Here's how ansible-inspec integrates everything:

System Architecture

ansible-inspec is built with a layered architecture that separates concerns and provides maximum flexibility:

[System architecture diagram]

Key Components:

  1. ansible-inspec CLI - Your main interface for all operations

  2. Core Engine - Orchestrates the entire compliance workflow

  3. Ansible Inventory - Uses your existing inventory files for target management

  4. InSpec Adapter - Wraps InSpec for profile execution with parallel processing

  5. Profile Converter - Transforms InSpec profiles into pure Ansible collections

  6. Reporter System - Generates multi-format reports (JSON, HTML, JUnit)

  7. Callback Plugin - Provides auto-reporting in InSpec-free mode

Execution Flow

The complete execution workflow from profile loading to report generation:

[Execution flow diagram]

Sequence of Operations

Here's the detailed interaction between components during a typical compliance check:

[Sequence diagram of a compliance check]

The Flow (Native Mode):

  1. Profile Loading → Loads InSpec profile (local or Supermarket)

  2. Inventory Parsing → Uses Ansible inventory for targets

  3. Parallel Execution → Runs InSpec against all targets using Ansible forks

  4. Result Aggregation → Collects results from all hosts

  5. Report Generation → Creates JSON/HTML/JUnit reports

  6. Output → Saves to .compliance-reports/ directory
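To make the "Result Aggregation" and "Report Generation" steps concrete (and the JSON/JUnit formats from the Multi-Format Reporting section above), here is an added example that is not ansible-inspec's own reporter. It takes one result document per host, shaped like InSpec's JSON reporter output (profiles, controls, results with a status), collapses each control to a single pass/fail/skip verdict, and emits JUnit XML with one test suite per host. The two host documents, their control ids and messages are constructed for the example; the one-suite-per-host layout is my choice, not something the project promises.

```python
"""Aggregate per-host compliance results and turn them into a JUnit report.

Added example, not ansible-inspec's reporter. The input documents are
constructed and follow the shape of InSpec's JSON reporter output
(profiles -> controls -> results, each result carrying a status).
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: one InSpec-style document per host, as native mode
# would collect them in the "Result Aggregation" step.
SAMPLE_RESULTS = {
    "web-01": {
        "version": "5.22.0", "platform": {"name": "ubuntu", "release": "22.04"},
        "profiles": [{"name": "linux-baseline", "controls": [
            {"id": "os-01", "title": "Shadow file permissions", "impact": 1.0,
             "results": [{"status": "passed",
                          "code_desc": "File /etc/shadow should not be readable by others"}]},
            {"id": "sshd-07", "title": "Disable root login", "impact": 0.7,
             "results": [{"status": "failed",
                          "code_desc": "SSHD Configuration PermitRootLogin should eq \"no\"",
                          "message": "expected: \"no\"\n     got: \"yes\""}]},
        ]}],
    },
    "db-01": {
        "version": "5.22.0", "platform": {"name": "redhat", "release": "9.3"},
        "profiles": [{"name": "linux-baseline", "controls": [
            {"id": "os-01", "title": "Shadow file permissions", "impact": 1.0,
             "results": [{"status": "passed",
                          "code_desc": "File /etc/shadow should not be readable by others"}]},
            {"id": "sshd-07", "title": "Disable root login", "impact": 0.7,
             "results": [{"status": "passed",
                          "code_desc": "SSHD Configuration PermitRootLogin should eq \"no\""}]},
            {"id": "os-05", "title": "Login timeout", "impact": 0.5,
             "results": [{"status": "skipped", "skip_message": "Not applicable here"}]},
        ]}],
    },
}


def control_status(results):
    """Collapse a control's individual results to one verdict: any failure
    fails the control, only-skipped results skip it, anything else passes."""
    statuses = [r.get("status") for r in results]
    if "failed" in statuses:
        return "failed"
    if statuses and all(s == "skipped" for s in statuses):
        return "skipped"
    return "passed"


def aggregate(results_by_host):
    """Flatten the per-host documents into one row per (host, control)."""
    rows = []
    for host, doc in results_by_host.items():
        for profile in doc.get("profiles", []):
            for control in profile.get("controls", []):
                results = control.get("results", [])
                rows.append({
                    "host": host, "profile": profile.get("name", ""),
                    "id": control["id"], "title": control.get("title", ""),
                    "impact": control.get("impact", 0.0),
                    "status": control_status(results),
                    "message": "\n".join(r.get("message", "") for r in results
                                         if r.get("status") == "failed"),
                })
    return rows


def summarize(rows):
    """Fleet-level counts plus the hosts that need attention."""
    counts = defaultdict(int)
    failed_hosts = set()
    for row in rows:
        counts[row["status"]] += 1
        if row["status"] == "failed":
            failed_hosts.add(row["host"])
    return {"passed": counts["passed"], "failed": counts["failed"],
            "skipped": counts["skipped"], "failed_hosts": sorted(failed_hosts)}


def to_junit(rows):
    """One <testsuite> per host and one <testcase> per control, so a CI
    dashboard shows which host failed which control."""
    root = ET.Element("testsuites")
    by_host = defaultdict(list)
    for row in rows:
        by_host[row["host"]].append(row)
    for host, host_rows in sorted(by_host.items()):
        suite = ET.SubElement(root, "testsuite", name=host, tests=str(len(host_rows)),
                              failures=str(sum(r["status"] == "failed" for r in host_rows)),
                              skipped=str(sum(r["status"] == "skipped" for r in host_rows)))
        for row in host_rows:
            case = ET.SubElement(suite, "testcase", classname=row["profile"],
                                 name=f"{row['id']} {row['title']}")
            if row["status"] == "failed":
                failure = ET.SubElement(case, "failure", message=f"impact {row['impact']}")
                failure.text = row["message"]  # InSpec's expected/got text, shown in CI
            elif row["status"] == "skipped":
                ET.SubElement(case, "skipped")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    rows = aggregate(SAMPLE_RESULTS)
    print(summarize(rows))
    print(to_junit(rows))
```

The per-host suites are what make the JUnit output useful in CI: a pipeline can fail on `failed_hosts` being non-empty while the dashboard still points at the exact control (and its expected/got message) on the exact host.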

The Flow (InSpec-Free Mode):

  1. Profile Analysis → Parses InSpec Ruby code

  2. Resource Mapping → Maps InSpec resources to Ansible modules

  3. Collection Generation → Creates Ansible collection structure

  4. Plugin Bundling → Includes callback plugin

  5. Playbook Execution → Runs as standard Ansible playbook

  6. Auto-Reporting → Callback generates InSpec-compatible reports
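The first two steps, Profile Analysis and Resource Mapping, are easiest to understand from a tiny converter. The following is an added example, not ansible-inspec's converter: it parses one constructed InSpec control and maps two resources, `sshd_config` (checked via the real `sshd -T` effective-config dump) and `package` (checked via `ansible.builtin.package_facts`), onto `ansible.builtin.assert` tasks. Any resource it does not know becomes an `ansible.builtin.fail` task with `ignore_errors` set, so an unmapped control is recorded as a failure rather than quietly passing; the real converter's resource coverage and output layout are not something this example claims to reproduce.

```python
"""Map a minimal InSpec control onto Ansible tasks.

Added illustration of the "Profile Analysis" and "Resource Mapping" steps; it
is not ansible-inspec's converter. It understands two InSpec resources
(sshd_config with its(...) eq, package with be_installed) and turns every other
resource into an explicit failing task. The control source is constructed.
"""
import json
import re

SAMPLE_CONTROL = """
control 'sshd-07' do
  impact 1.0
  title 'Disable root login over SSH'
  describe sshd_config do
    its('PermitRootLogin') { should eq 'no' }
    its('PasswordAuthentication') { should eq 'no' }
  end
  describe package('telnet') do
    it { should_not be_installed }
  end
  describe kernel_parameter('net.ipv4.ip_forward') do
    its('value') { should eq 0 }
  end
end
"""

# A control ends at the first 'end' in column 0; describe blocks end at an indented 'end'.
CONTROL_RE = re.compile(r"control\s+'([^']+)'\s+do(.*?)^end", re.S | re.M)
DESCRIBE_RE = re.compile(r"describe\s+(\w+)(?:\(\s*'([^']*)'\s*\))?\s+do(.*?)^\s*end", re.S | re.M)
ITS_RE = re.compile(r"its\('([^']+)'\)\s*\{\s*should(_not)?\s+eq\s+(['\"]?)([^'\"}\s]+)\3\s*\}")
IT_RE = re.compile(r"it\s*\{\s*should(_not)?\s+be_(\w+)\s*\}")


def parse_controls(source):
    """Profile Analysis: pull control id, title and describe blocks out of the Ruby DSL."""
    controls = []
    for cid, body in CONTROL_RE.findall(source):
        title = re.search(r"title\s+'([^']+)'", body)
        describes = [{
            "resource": resource, "arg": arg,
            "its": [(key, neg == "_not", value) for key, neg, _q, value in ITS_RE.findall(dbody)],
            "it": [(neg == "_not", matcher) for neg, matcher in IT_RE.findall(dbody)],
        } for resource, arg, dbody in DESCRIBE_RE.findall(body)]
        controls.append({"id": cid, "title": title.group(1) if title else cid,
                         "describes": describes})
    return controls


def _assert(cid, desc, condition):
    return {"name": f"{cid}: {desc}",
            "ansible.builtin.assert": {"that": [condition], "fail_msg": f"{cid} failed: {desc}"}}


def _unsupported(cid, what):
    # Recorded as a failed task (the play continues) so it cannot be mistaken for a pass.
    return {"name": f"{cid}: unsupported InSpec {what} (needs manual conversion)",
            "ansible.builtin.fail": {"msg": f"{cid}: no Ansible mapping for {what}"},
            "ignore_errors": True}


def convert(source):
    """Resource Mapping: emit Ansible tasks (as dicts) for each parsed control."""
    tasks = []
    for ctl in parse_controls(source):
        cid, checks, need_sshd, need_pkgs = ctl["id"], [], False, False
        for d in ctl["describes"]:
            if d["resource"] == "sshd_config":
                need_sshd = True  # 'sshd -T' prints the effective config as lowercase 'keyword value'
                for key, negated, value in d["its"]:
                    op = "not in" if negated else "in"
                    checks.append(_assert(cid, f"{key} should {'not ' if negated else ''}eq {value}",
                                          f"'{key.lower()} {value}' {op} sshd_effective.stdout_lines"))
            elif d["resource"] == "package":
                need_pkgs = True
                for negated, matcher in d["it"]:
                    if matcher != "installed":
                        checks.append(_unsupported(cid, f"package matcher be_{matcher}"))
                        continue
                    op = "not in" if negated else "in"
                    checks.append(_assert(cid, f"package {d['arg']} should "
                                               f"{'not ' if negated else ''}be installed",
                                          f"'{d['arg']}' {op} ansible_facts.packages"))
            else:
                checks.append(_unsupported(cid, f"resource {d['resource']}"))
        if need_sshd:
            tasks.append({"name": f"{cid}: read effective sshd configuration", "become": True,
                          "ansible.builtin.command": "sshd -T", "register": "sshd_effective",
                          "changed_when": False})
        if need_pkgs:
            tasks.append({"name": f"{cid}: gather installed packages",
                          "ansible.builtin.package_facts": {"manager": "auto"}})
        tasks.extend(checks)
    return tasks


if __name__ == "__main__":
    # JSON is valid YAML, so this output can be saved as a tasks file and included from a role.
    print(json.dumps(convert(SAMPLE_CONTROL), indent=2))
```

Two design points carry over to any converter: read the effective configuration (`sshd -T`) rather than grepping the config file, because `Include` directives and defaults are what the daemon actually enforces; and never let an unmapped resource degrade into "no task", since a missing check looks identical to a passing one in the report.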

This architecture keeps things simple while providing maximum flexibility!

Real-World Use Cases: Automating Personal Infrastructure

Here are practical examples of using ansible-inspec to automate compliance testing for personal lab environments.

Automating Linux Lab Server Compliance

For my personal Linux lab servers running Ubuntu and RHEL, I use ansible-inspec to maintain consistent security baselines:

Running CIS Benchmark Compliance:

Converting for InSpec-Free Execution:

K3s Cluster Security Validation

For Kubernetes lab environments, I validate both host-level and cluster-level security:

Host-Level Compliance:

Automated Compliance in Lab CI/CD:

Periodic Compliance Monitoring

Set up automated compliance reporting for lab infrastructure:

Schedule with cron:

💡 Pro Tips from the Trenches

Here are some tricks I learned that make ansible-inspec even more powerful:

1. Parallel Everything

ansible-inspec runs checks in parallel by default, but you can tune it:

2. Filter by Tags

InSpec profiles have tags. Use them:

3. Use Variables in Converted Collections

Converted collections support Ansible variables:

The callback plugin picks these up automatically!

4. Archive Reports for Audit Trails
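An audit trail is only as good as your ability to show the reports were not edited after the run. As an added example (not part of ansible-inspec; only the `.compliance-reports/` directory name comes from the article), the code below bundles a run's reports into a tar.gz together with a SHA-256 manifest, and `verify_archive()` recomputes every hash so a later reviewer can detect a missing, altered or added file. `demo()` builds a constructed report directory, archives it, then rewrites one report in place to show what verification reports afterwards.

```python
"""Bundle a .compliance-reports/ run into a tamper-evident archive.

Added example, not part of ansible-inspec. archive_reports() tars the report
files together with a SHA-256 manifest; verify_archive() recomputes the hashes.
The file names and contents used in demo() are constructed.
"""
import hashlib
import io
import json
import tarfile
import tempfile
import time
from pathlib import Path

MANIFEST = "MANIFEST.json"


def _sha256(path):
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def archive_reports(report_dir, archive_dir, run_label="compliance"):
    """Write <archive_dir>/<label>-<utc timestamp>.tar.gz and return its path."""
    report_dir, archive_dir = Path(report_dir), Path(archive_dir)
    archive_dir.mkdir(parents=True, exist_ok=True)
    files = sorted(p for p in report_dir.rglob("*") if p.is_file())
    manifest = {
        "created": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "label": run_label,
        "files": {p.relative_to(report_dir).as_posix(): _sha256(p) for p in files},
    }
    out = archive_dir / f"{run_label}-{time.strftime('%Y%m%d-%H%M%S', time.gmtime())}.tar.gz"
    with tarfile.open(str(out), "w:gz") as tar:
        for p in files:
            tar.add(str(p), arcname=p.relative_to(report_dir).as_posix())
        data = json.dumps(manifest, indent=2, sort_keys=True).encode()
        info = tarfile.TarInfo(MANIFEST)
        info.size, info.mtime = len(data), int(time.time())
        tar.addfile(info, io.BytesIO(data))
    return out


def verify_archive(archive_path):
    """Return (ok, problems): ok is False when a listed file is missing, its hash
    differs from the manifest, or the archive carries a file the manifest never listed."""
    problems = []
    with tarfile.open(str(archive_path), "r:gz") as tar:
        members = {m.name: m for m in tar.getmembers() if m.isfile()}
        if MANIFEST not in members:
            return False, [f"{MANIFEST} missing"]
        manifest = json.loads(tar.extractfile(members[MANIFEST]).read())
        for name, expected in manifest["files"].items():
            member = members.get(name)
            if member is None:
                problems.append(f"missing: {name}")
                continue
            if hashlib.sha256(tar.extractfile(member).read()).hexdigest() != expected:
                problems.append(f"hash mismatch: {name}")
        unlisted = set(members) - set(manifest["files"]) - {MANIFEST}
        problems.extend(f"unlisted file: {name}" for name in sorted(unlisted))
    return not problems, problems


def replace_member(archive_path, name, data):
    """Rewrite one member in place, leaving MANIFEST.json untouched. demo() uses
    it to show how an after-the-fact edit of a report looks to verify_archive()."""
    archive_path = Path(archive_path)
    tmp = archive_path.with_name(archive_path.name + ".tmp")
    with tarfile.open(str(archive_path), "r:gz") as src, tarfile.open(str(tmp), "w:gz") as dst:
        for member in src.getmembers():
            if member.name == name:
                info = tarfile.TarInfo(name)
                info.size, info.mtime = len(data), member.mtime
                dst.addfile(info, io.BytesIO(data))
            elif member.isfile():
                dst.addfile(member, src.extractfile(member))
            else:
                dst.addfile(member)
    tmp.replace(archive_path)


def demo(workdir=None):
    """Archive a constructed report directory, verify it, edit one report, verify again."""
    workdir = Path(workdir or tempfile.mkdtemp())
    reports = workdir / ".compliance-reports"
    reports.mkdir(parents=True, exist_ok=True)
    (reports / "report.json").write_text('{"version": "5.22.0", "profiles": []}')  # constructed
    (reports / "report.html").write_text("<html><body>0 failures</body></html>")   # constructed
    archive = archive_reports(reports, workdir / "audit", run_label="linux-baseline")
    ok_before, _ = verify_archive(archive)
    replace_member(archive, "report.json", b'{"version": "5.22.0", "profiles": [], "edited": true}')
    ok_after, problems = verify_archive(archive)
    return ok_before, ok_after, problems


if __name__ == "__main__":
    print(demo())
```

The manifest travels inside the archive, so it catches accidental edits and unsophisticated changes, not someone who can rewrite both. For a real audit trail, record the archive's own SHA-256 somewhere the run cannot modify (the CI job log, a ticket, write-once storage) or sign the manifest, and compare against that record when the archive is verified.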

5. Create Custom Supermarket Searches

6. Combine with Ansible Vault

Protect sensitive inventory data:

πŸ› Troubleshooting

InSpec Not Found?

If you see "InSpec not found" errors in native mode:

Reports Not Generating?

Check the output directory:

Conversion Errors?

Some InSpec resources don't have direct Ansible equivalents:

Slow Execution?

Increase parallelism:

🌟 Why This is Game-Changing

Before ansible-inspec:

With ansible-inspec:

The difference?

  • ⚡ 50x faster - Parallel execution across your fleet

  • 🎯 More accurate - Uses your actual infrastructure inventory

  • 🔄 Integrated - Part of your existing Ansible workflow

  • 📊 Better visibility - Rich reports in multiple formats

  • 🚀 No vendor lock-in - Open source, works with Supermarket profiles

  • 💰 Cost effective - Free, GPL-3.0 licensed

🚀 Getting Started Today

3 Simple Steps:

  1. Install:

  2. Create inventory.yml:

  3. Run compliance check:

That's it! You now have compliance testing integrated with your Ansible infrastructure.

💭 Reflections: Why This Matters

I've been in DevOps for several years, and I've seen countless tools try to solve the compliance problem. Most add complexity, require new workflows, or lock you into proprietary systems.

ansible-inspec feels different.

It's not trying to replace your existing tools. It's bridging the gap between automation and compliance by leveraging what you already use:

  • Your Ansible inventory (you already have this)

  • InSpec profiles (100+ available on Supermarket)

  • Standard report formats (JSON, HTML, JUnit)

  • Optional InSpec-free mode (pure Ansible!)

This approach is profound. When your compliance tool:

  • Uses your existing inventory

  • Generates audit-ready reports

  • Integrates with CI/CD

  • Runs in parallel at scale

  • Works with or without InSpec

...it stops being "another compliance tool" and becomes part of your infrastructure workflow.

The Bigger Picture

ansible-inspec is one piece of a larger movement: Infrastructure as Code meeting Compliance as Code.

Imagine a world where:

  • 🔒 Every deployment is compliance-tested automatically

  • 📊 Audit reports are generated in real-time

  • 🚀 Compliance is part of the pipeline, not a separate process

  • 🌍 Teams share compliance profiles like they share Ansible roles

  • ✅ Security is validated continuously, not quarterly

We're building that world, one compliance check at a time.

An Invitation

If this inspires you, I'd love to see how you use it. Found a clever integration? Built a custom profile? Hit a use case I didn't mention?

The code is open source. Learn from it, improve it, contribute back. Let's make infrastructure compliance better together.

🔗 Resources

Ready to dive deeper?

Documentation:

Links:

  • 🌐 PyPI: https://pypi.org/project/ansible-inspec/

  • 🐳 Docker Hub: https://hub.docker.com/r/htunnthuthu/ansible-inspec

  • 💻 GitHub: https://github.com/htunn/ansible-inspec

  • 📚 Chef Supermarket: https://supermarket.chef.io

Quick Start Reminder:

💬 Let's Connect

Built something cool with ansible-inspec? Found a clever use case? Hit a snag and need help?

I'd love to hear from you!

  • Drop a comment below

  • Open an issue on GitHub

  • Share your compliance profiles with the community

The future of infrastructure compliance is being built right now, and you're part of it.

What will you automate with ansible-inspec? 🚀


Thanks for reading! If this helped you, consider sharing it with your team. The more teams discover ansible-inspec, the better infrastructure compliance becomes for everyone.

Happy automating! 🎉
