InSpec in CI/CD & pipelines

Gate images and infra on compliance.

Advanced12 min · lesson 11 of 12

InSpec fits CI/CD wherever you want to gate on compliance rather than just deploy it. Two common places: gate a machine image or container by running the baseline against it in the build pipeline before it is published (a non-compliant image never ships), and gate infrastructure by running cloud-transport controls against a freshly-deployed sandbox. The non-zero exit on failure makes it a gate; the JSON report makes it evidence, in the same run.

CONTINUOUS-COMPLIANCE LOOP
Gate at build
Build image / container
the candidate
Run baseline in pipeline
with waiver file
Non-zero exit fails build
non-compliant never ships
Monitor at runtime
Scheduled fleet scans
same profile
Detect drift
changed since deploy
Feed dashboard
posture over time
Throughout
Waivers
accepted risks stay explicit
Gate at build so nothing non-compliant ships; monitor at runtime so nothing drifts unnoticed.
.gitlab-ci.yml
image-compliance:
script:
- docker build -t app:candidate .
- inspec exec cis-container-baseline -t docker://$(docker create app:candidate) \
--waiver-file waivers.yaml \
--reporter cli json:compliance.json
# non-zero exit on un-waived failures fails the pipeline; archive compliance.json
artifacts: { paths: [compliance.json] }

Continuous compliance

Beyond build-time gating, run profiles on a schedule against running fleets to catch drift — a server that was compliant at deploy but changed since — feeding results to a dashboard so posture is monitored, not just checked once. Combine both: gate at build (nothing non-compliant ships) and monitor at runtime (nothing drifts unnoticed), with waivers keeping accepted exceptions explicit throughout. This is the continuous-compliance loop InSpec exists to enable.

Gate on impact and honor waivers, or the gate is noise or theatre
Two failure modes for InSpec in CI: gating on every failure regardless of impact blocks pipelines on trivia (teams disable it), while ignoring failures or waiving everything makes the gate meaningless. Fail the build on un-waived high-impact controls, honor a reviewed waiver file for accepted risks, and report the rest — the same tuning discipline as any scanning gate. A compliance gate is only useful if it blocks what matters and nothing else.