Steampunk Spotter

Check out the checks in Spotter

June 5, 2023 - Words by The Spotter team - 3 min read

Steampunk Spotter, an Ansible Playbook Platform, includes a variety of checks that improve the quality, reliability, and security of your Ansible Playbooks. The checks are divided into several categories:

Best practice checks

Best practice checks help you write playbooks that keep a common standard and aim to be more consistent, reliable, and readable. They also support the Red Hat Ansible Best Practice guide.

  • Check for fully qualified collection names (FQCN) and automatically apply rewrites.

  • Check for inline parameters and get suggestions for simpler rewrites.

  • Check if the file mode is set and configured correctly.

  • Check if modules are certified.

  • Check for Ansible requirements file (requirements.yml), version mismatch, and missing collections.

  • Check playbooks for clearly defined names for each play, improving organization and enabling easier identification and management of different tasks.

  • Check for best practices in syntax and secure scripting by validating proper spacing in templates and discouraging the use of interactive prompts in automation environments.
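To make the first three best-practice checks above concrete, here is an added standalone illustration (not Spotter's own code) of how a FQCN check with a rewrite suggestion, an inline-parameter check, and a file-mode check can be run over a playbook. The module sets and the sample playbook are constructed for the example, and the playbook is given as already-parsed YAML (Python dicts) so that it runs without a YAML library.

```python
# Added illustration of three Spotter best-practice checks (FQCN, inline
# parameters, file mode), re-implemented as a tiny linter. Not Spotter's code;
# the module sets and sample playbook are constructed for the example and the
# playbook is given as already-parsed YAML (Python dicts), so no YAML library is needed.

BUILTIN_SHORT_NAMES = {"copy", "file", "template", "lineinfile", "command", "shell"}
FILE_MODULES = {"ansible.builtin.copy", "ansible.builtin.file", "ansible.builtin.template"}
TASK_KEYWORDS = {"name", "when", "become", "loop", "register", "notify", "tags", "args"}

def module_of(task):
    """Return (module, params) for a task dict, skipping Ansible task keywords."""
    for key, value in task.items():
        if key not in TASK_KEYWORDS:
            return key, value
    return None, None

def check_task(loc, task):
    findings = []
    module, params = module_of(task)
    if module is None:
        return findings
    if module in BUILTIN_SHORT_NAMES:          # short name -> suggest the FQCN rewrite
        fqcn = "ansible.builtin." + module
        findings.append((loc, "fqcn", f"rewrite {module} as {fqcn}"))
        module = fqcn
    if isinstance(params, str) and "=" in params:   # key=value inline style
        findings.append((loc, "inline-params", "use a YAML mapping instead of key=value"))
        params = dict(p.split("=", 1) for p in params.split())
    if module in FILE_MODULES:
        mode = params.get("mode") if isinstance(params, dict) else None
        if mode is None:
            findings.append((loc, "file-mode", f"{module}: mode is not set"))
        elif isinstance(mode, int):
            # An unquoted 644 is parsed as decimal 644 (0o1204); Ansible docs say to quote it.
            findings.append((loc, "file-mode", f"{module}: quote mode as a string, e.g. '0644'"))
    return findings

def lint(playbook):
    """Run the checks over every task of every play; returns (loc, check, msg) tuples."""
    findings = []
    for p, play in enumerate(playbook):
        for t, task in enumerate(play.get("tasks", [])):
            findings.extend(check_task(f"play[{p}].tasks[{t}]", task))
    return findings

SAMPLE_PLAYBOOK = [{"name": "web", "hosts": "all", "tasks": [       # constructed sample
    {"name": "bad copy", "copy": "src=app.conf dest=/etc/app.conf"},
    {"name": "risky mode", "ansible.builtin.file": {"path": "/etc/app.d", "state": "directory", "mode": 755}},
    {"name": "good copy", "ansible.builtin.copy": {"src": "a", "dest": "/tmp/a", "mode": "0644"}},
]}]
```

Running `lint(SAMPLE_PLAYBOOK)` reports three findings for the first task (short name, inline parameters, missing mode), one for the second (unquoted integer mode) and none for the third.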

Validation checks

Spotter validation checks serve to enforce playbook integrity by ensuring that all modules, parameters, and their values are correctly defined and applied. These checks also scrutinize playbooks for accurate syntax and adherence to expected formats, thus preventing errors during execution across diverse environments.

  • Check if parameters are deprecated, required, or unknown.

  • Check for missing arguments, reserved variables, and default value changes.

  • Check for specific conditions depending on parameter values.

  • Check the stdout callback.

  • Check for short names with alternatives.

  • Check for callback with FQCN.

They allow you to perform validation against arbitrary versions of Ansible and Ansible Collections, ensuring your playbooks remain compatible with the target versions. These checks are also used to support upgrades of Ansible Playbooks and help you keep them up to date.

  • Check for removed or renamed modules, and for removed or deprecated parameters.

  • Check for allowed value changes and default parameter value changes.

  • Check the defined connection option.

  • Define the required Python version for a specific Ansible version.

  • Get warnings about changes in return values in different Ansible versions.

  • Support for migrating your Python virtual environment (venv) to Ansible Execution Environment (EE).

Checks are based on the publicly available Ansible Porting Guides. You no longer have to track all the necessary changes in Ansible yourself, as Spotter automatically warns you about them.

Spotter ensures you always keep up to date with the progress of Ansible, facilitating upgrades of the Ansible core engine and Red Hat Ansible Automation Platform.

Security checks

They are used to prevent security vulnerabilities in infrastructure code and ensure the secure execution of automation. They help you proactively evaluate runtime security threats and prevent security breaches. They allow you to follow the industry's security best practices, and beyond that, you can also define your internal security team's standards.

Custom rules and policies checks

They allow you to define your own custom rules and policies. You can configure your specific requirements and use cases, which lets you enhance the security of your playbooks the way you envision it. This includes defining new corporate policies and further specifying Ansible Playbook standards to achieve highly customizable automation.

  • Specify modules/collections that are allowed.

  • Define specific naming conventions.

  • Limit required values on specific modules and entities (exposed ports, VM size, and so on).

  • Have custom security rules, for example, to comply with Center for Internet Security (CIS) or Health Insurance Portability and Accountability Act (HIPAA) standards.

Because custom rules and policy support is based on Open Policy Agent (OPA), existing OPA-based policies can be included in Spotter with minimal additional effort.

Spotter assesses the security of Ansible Playbooks by static analysis against security best practices provided by vendors, such as cloud providers.

Skipping and enforcing checks feature

  • Spotter enables users to selectively skip or enforce checks in their automation workflows, tailoring the process to specific requirements and standards.

  • Spotter offers organization, scan, and task-level configurations, allowing for detailed management of checks from broad organizational policies to specific task-level adjustments.

See a comprehensive catalogue of all available checks in Spotter, including examples of "good and bad" Ansible Playbooks showcasing each check.
