Support Inspec profiles #24724
Replies: 15 comments
-
For new package managers we generally approach the problem in 3 steps:
So to start with, can you provide an example profile that includes references to chef, custom and git repositories?
-
Inspec itself includes examples for its tests: https://github.com/inspec/inspec/tree/master/examples
With the meta profile, you have supermarket, git and url dependencies: https://github.com/inspec/inspec/tree/master/examples/meta-profile
With the inheritance profile, you have local dependencies:
As far as I know, the only place (except the git tag and tar.gz artifact) where I see a version number is the
Inspec also creates an inspec.lock file with the command
-
Can you point me to specific lines/sections of the files in the example tests? It's too complex for me to grok immediately. Specifically I'm looking for the types of references that you'd expect Renovate to update.
-
These examples do not keep their inspec.lock files so I generated them with
For the meta-profile https://github.com/inspec/inspec/tree/master/examples/meta-profile:
For the inheritance profile https://github.com/inspec/inspec/tree/master/examples/inheritance:
As you can see in this other profile the version appears in the version field and is equivalent to a git tag:
-
To improve further, I altered the meta-profile with the following inspec.yml:
Notice that it uses a git dependency with a version constraint.
The version constraint is reported in the lock
-
By the way, in order of difficulty for us:
Right now we don't do the third one for many managers at all. e.g. if you configure an npm dependency to have version
So in terms of implementation I would aim to first support simple updating of versions in Inspec (e.g. 1.0.0 -> 1.0.1) and then pinning of versions (assuming ranges are supported) and then finally going from no version to a pinned version.
We'd also have to decide if we call "updating from no version to an exact version" to be "pinning" or if we need a new term to differentiate it.
-
I don't know if ranges are supported and if "pinning" is the correct term. I am not a member of the Inspec team. I think we should work with them. @aaronlippold @skpaterson and @chef, your thoughts on that?
-
Hi @micheelengronne and @rarkins - apologies for the delay in responding. Adding InSpec support in Renovate looks interesting, I'll mention to our product folks this side. Vendoring effectively pins all profile dependencies. As far as I'm aware we cannot currently specify ranges of profile versions. For info, there's more detail here on InSpec profiles and versioning: https://www.inspec.io/docs/reference/profiles/
-
With the custom manager, it is possible to handle dependencies. What is missing though are datasources. Inspec dependencies can be stored on a local path, a URL,
-
I think we can handle the lock update indirectly if the custom script feature is implemented.
-
It seems that #5202 can fulfill my use case. I will try it.
-
Hi @micheelengronne, how did you implement the update of inspec.yml?
-
Hi @tbugfinder, I added my deps that way in inspec.yml:
And in renovate config:
-
Excellent. Thank you
-
Hi there, You're asking us to support a new package manager. We need to know some basic information about this package manager first. Please copy/paste the new package manager questionnaire, and fill it out in full. Once the questionnaire is filled out we'll decide if we want to support this new manager. Good luck, The Renovate team
-
I would like to be able to handle my Inspec profiles' dependencies with Renovate.
Inspec https://www.inspec.io/ is an evolution of serverspec to test systems and infrastructures.
It has a packaging system. A package is called a profile in the Inspec world.
An Inspec profile can have dependencies and a lock file.
I would like to fetch profiles from chef repositories, custom repositories and git repositories.
Thanks.