InSpec in CI/CD & pipelines
Gate images and infra on compliance.
InSpec fits CI/CD wherever you want to gate on compliance rather than just deploy it. Two common places: gate a machine image or container by running the baseline against it in the build pipeline before it is published (a non-compliant image never ships), and gate infrastructure by running cloud-transport controls against a freshly-deployed sandbox. The non-zero exit on failure makes it a gate; the JSON report makes it evidence, in the same run.
image-compliance:script:- docker build -t app:candidate .- inspec exec cis-container-baseline -t docker://$(docker create app:candidate) \--waiver-file waivers.yaml \--reporter cli json:compliance.json# non-zero exit on un-waived failures fails the pipeline; archive compliance.jsonartifacts: { paths: [compliance.json] }
Continuous compliance
Beyond build-time gating, run profiles on a schedule against running fleets to catch drift — a server that was compliant at deploy but changed since — feeding results to a dashboard so posture is monitored, not just checked once. Combine both: gate at build (nothing non-compliant ships) and monitor at runtime (nothing drifts unnoticed), with waivers keeping accepted exceptions explicit throughout. This is the continuous-compliance loop InSpec exists to enable.