The Mondoo team is excited to announce the release of the Mondoo plugin for HashiCorp Packer, a powerful tool for securing and validating machine images.
Security vulnerabilities and misconfigurations expose your infrastructure to attackers, whether you are building your applications on Linux, Windows, Kubernetes, virtual machines, containers, or any combination thereof. It’s critical that businesses today have an automated machine image pipeline that includes security scanning.
Since its release in 2013, HashiCorp Packer has been the standard for many DevOps teams to automate machine image builds. With Packer, organizations can use a single source template to produce machine images for multiple platforms such as public cloud, private cloud, containers, and local development environments. Codifying machine images helps businesses deliver software more quickly, with higher reliability and greater stability.
Today we are pleased to announce the release of our open source plugin for HashiCorp Packer. Using Mondoo's policy-as-code engine to test builds for vulnerabilities and misconfigurations, Packer Plugin Mondoo helps you validate the security of machine images produced from HashiCorp Packer templates.
Policy as code
Mondoo curates a growing library of security policies and benchmarks, many of which are certified by the Center for Internet Security (CIS). You can quickly enable and customize these policies to meet the needs of your particular environment, and run them as part of any Packer pipeline to ensure your images meet the requirements of your business.
A Mondoo policy is made up of queries, each of which checks for an individual security practice. To customize a policy in Mondoo Platform, you enable, disable, and ignore queries.
Mondoo policies can be easily customized to meet your organization’s requirements
Policy as code with Mondoo Query Language (MQL)
The details of a query in a Mondoo policy
Mondoo policies are written in YAML and are straightforward to develop. When you need checks beyond the curated library, you write them in Mondoo Query Language (MQL), a powerful way to test any of your business-critical infrastructure.
Install Packer Plugin Mondoo with packer init
Packer 1.7 introduced the packer init command, which simplifies the installation and management of Packer plugins using HashiCorp Configuration Language (HCL) templates.
Configure the installation of Mondoo Packer Plugin in an HCL template
To install Packer Plugin Mondoo, enter this command:
Packer Plugin Mondoo returns this message on success:
To fail or not to fail?
Packer Plugin Mondoo's score_threshold setting defines what counts as a successful image scan. This threshold is the minimum policy score that an image must achieve in order to pass. If the image doesn't meet the score threshold, the plugin can fail the build so that you can address any vulnerabilities or misconfigurations before the image ships. Alternatively, it can record the result and continue creating the image.
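To show how the installation step and the score_threshold setting fit together in one template, here is an added example of a complete Packer HCL template. It is not code from the announcement or from the plugin's own documentation. The page names only score_threshold; the plugin source address github.com/mondoohq/mondoo, the version constraints, the on_failure attribute, and all AWS values (region, instance type, AMI filter) are assumptions and placeholders to adjust for your environment.

```hcl
# Added example (not from the announcement): build an Ubuntu AMI and gate it on
# a Mondoo policy score. Plugin source, versions, on_failure, and AWS values are
# assumptions; score_threshold is the setting described in the announcement.

packer {
  required_plugins {
    # `packer init .` downloads the plugins declared here.
    mondoo = {
      version = ">= 0.3.0"                   # assumed constraint
      source  = "github.com/mondoohq/mondoo" # assumed source address
    }
    amazon = {
      version = ">= 1.0.0"
      source  = "github.com/hashicorp/amazon"
    }
  }
}

locals {
  # Unique AMI name per build, so scans in Mondoo Platform map to one image.
  timestamp = regex_replace(timestamp(), "[- TZ:]", "")
}

source "amazon-ebs" "ubuntu" {
  region        = "us-east-1" # placeholder
  instance_type = "t3.micro"  # placeholder
  ssh_username  = "ubuntu"
  ami_name      = "mondoo-scanned-ubuntu-${local.timestamp}"

  source_ami_filter {
    filters = {
      name                = "ubuntu/images/*ubuntu-jammy-22.04-amd64-server-*"
      root-device-type    = "ebs"
      virtualization-type = "hvm"
    }
    most_recent = true
    owners      = ["099720109477"] # Canonical's AWS account
  }
}

build {
  sources = ["source.amazon-ebs.ubuntu"]

  # Apply your hardening first so the scan reflects the image that will ship.
  provisioner "shell" {
    inline = [
      "sudo apt-get update -y",
      "sudo DEBIAN_FRONTEND=noninteractive apt-get upgrade -y",
    ]
  }

  # Scan the instance before Packer snapshots it into an AMI.
  # score_threshold: minimum policy score (0-100) the image must reach.
  # on_failure (assumed attribute name): set to "continue" to record the result
  # without failing the build; leave it out to fail the build below threshold.
  provisioner "mondoo" {
    score_threshold = 80
    # on_failure    = "continue"
  }
}
```

Run `packer init .` to install both plugins, then `packer build .` to build and scan. The Mondoo provisioner runs after the shell provisioner and before the AMI is created, so a build that fails the threshold leaves no unscanned image behind. The plugin uses the Mondoo credentials configured on the machine running Packer (the account you sign up for below), so register that machine with Mondoo Platform before the first build.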
Continuous security visibility
Regardless of whether you choose to fail or continue a build when Mondoo finds vulnerabilities and misconfigurations, Packer Plugin Mondoo provides a record of that scan.
View scan results in STDOUT
Mondoo scans execute during the packer build process. Packer Plugin Mondoo returns results directly to STDOUT, providing visibility from your terminal or CI pipeline.
Results of a Packer Plugin Mondoo scan in STDOUT
View scan results in Mondoo Platform
Packer Plugin Mondoo also sends build scan results to Mondoo Platform. Graphical views provide a record of the build and the results from the scan.
Scan results displayed in Mondoo Platform
Clear and actionable results
Mondoo policies provide documentation, audit steps, and remediation for each security query. You and your team know exactly what to do when security vulnerabilities and misconfigurations are found.
Mondoo policy details
Get started today!
We’re excited for you to try our Packer plugin today! The easiest way to get started is to sign up for a free Mondoo account and then check out the new tutorial on our docs site: Assess HashiCorp Packer Machine Image Security with cnspec.
Come join us in our Slack community and meet others practicing security automation.
There’s more to come!
Here at Mondoo, we have so much more on the horizon—not just for Packer, but for all things HashiCorp. Stay tuned for more announcements coming soon.