The Mondoo team is excited to announce the release of the Mondoo plugin for HashiCorp Packer, a tool for securing and validating machine images.
Security vulnerabilities and misconfigurations expose your infrastructure to attackers, whether you are building your applications on Linux, Windows, Kubernetes, virtual machines, containers, or any combination thereof. It’s critical that businesses today have an automated machine image pipeline that includes security scanning.
Since its release in 2013, HashiCorp Packer has been the standard for many DevOps teams to automate machine image builds. With Packer, organizations can use a single source template to produce machine images for multiple platforms such as public cloud, private cloud, containers, and local development environments. Codifying machine images helps businesses deliver software more quickly, with higher reliability and greater stability.
Today we are pleased to announce the release of our open source plugin for HashiCorp Packer. Using Mondoo’s policy-as-code engine to test builds for vulnerabilities and misconfigurations, Packer Plugin Mondoo helps you validate the security of machine images produced from HashiCorp Packer templates.
Mondoo curates an ever-growing library of security policies and benchmarks, many of which are certified by the Center for Internet Security (CIS). You can quickly enable and customize these policies to meet the needs of your particular environment, and run them as part of any Packer pipeline to ensure your images meet the requirements of your business.
A Mondoo policy is made up of queries, each of which checks for an individual security practice. To customize a policy in Mondoo Platform, you enable, disable, and ignore queries.
Mondoo policies are written in YAML and are straightforward to develop. Should you need to create your own policies, the Mondoo Query Language (MQL) gives you a powerful way to test any of your business-critical infrastructure.
packer init
Packer 1.7 introduced the packer init command, which simplifies the installation and management of Packer plugins using HashiCorp Configuration Language (HCL) templates.
To install Packer Plugin Mondoo, enter this command:
Packer Plugin Mondoo returns this message on success:
Packer Plugin Mondoo’s score_threshold option defines whether an image scan succeeds. The threshold is the minimum score (out of 100) that an image must achieve for the scan to pass. If the image doesn’t meet the score threshold, the plugin can fail the build so that you can address the vulnerabilities or misconfigurations it found. Alternatively, it can report the result and continue creating the image.
Regardless of whether you choose to fail or continue a build when Mondoo finds vulnerabilities and misconfigurations, Packer Plugin Mondoo provides a record of that scan.
Mondoo scans execute during the packer build process. Packer Plugin Mondoo returns results directly to STDOUT, providing visibility from your terminal or CI pipeline.
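To show how the pieces above fit together in one template, here is an added example of a Packer HCL file that installs the plugin with packer init, builds a small Docker-based image, and scans it during packer build. This example is not from the original post or from Mondoo’s own documentation. The plugin source address github.com/mondoohq/mondoo, the provisioner type mondoo, the version constraint, and the on_failure option are assumptions to verify against the plugin’s README; score_threshold is the option the post describes, and the docker builder and shell provisioner settings are standard Packer.

```hcl
# Added example (not from the Mondoo post or Mondoo's docs).
# Usage:  packer init .   then   packer build .
#
# Assumptions to check against the plugin README: the plugin source address
# "github.com/mondoohq/mondoo", the provisioner type "mondoo", the version
# constraint, and the "on_failure" option. "score_threshold" is described in the post.

packer {
  required_plugins {
    docker = {
      version = ">= 1.0.0"
      source  = "github.com/hashicorp/docker"
    }
    # Assumed source address for Packer Plugin Mondoo.
    mondoo = {
      version = ">= 0.2.0"
      source  = "github.com/mondoohq/mondoo"
    }
  }
}

# A minimal image to scan; any Packer builder would do.
source "docker" "ubuntu" {
  image  = "ubuntu:22.04"
  commit = true
}

build {
  sources = ["source.docker.ubuntu"]

  # Harden the image before the scan so the score reflects the finished artifact.
  provisioner "shell" {
    environment_vars = ["DEBIAN_FRONTEND=noninteractive"]
    inline = [
      "apt-get update",
      "apt-get install -y --no-install-recommends openssh-server",
      "sed -i 's/^#\\?PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config",
    ]
  }

  # Scan the image. With a threshold of 80, a score below 80/100 fails the build
  # so findings must be fixed before the image ships. To record the scan but keep
  # building anyway, the assumed option would be:  on_failure = "continue"
  provisioner "mondoo" {
    score_threshold = 80
  }
}
```

Before running packer build, authenticate the plugin to Mondoo Platform as the plugin’s README describes; the scan results then appear both on STDOUT in the build log and in the platform’s graphical views. Start with a lower threshold on an existing image to see its baseline score, then raise the threshold as you remediate findings, rather than setting a high bar that fails every build from day one.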
Packer Plugin Mondoo also sends build scan results to Mondoo Platform. Graphical views provide a record of the build and the results from the scan.
Mondoo policies provide documentation, audit steps, and remediation for each security query. You and your team know exactly what to do when security vulnerabilities and misconfigurations are found.
We’re excited for you to try our Packer plugin today! The easiest way to get started is to sign up for a free Mondoo account and then check out the new tutorial on our docs site: Assess HashiCorp Packer Machine Image Security with cnspec.
Come join us in our Slack community and meet others practicing security automation.
Here at Mondoo, we have so much more on the horizon—not just for Packer, but for all things HashiCorp. Stay tuned for more announcements coming soon.