VCS Integration

This guide covers Git repository synchronization for InSpec profiles and job templates.

Overview

ansible-inspec can automatically sync InSpec profiles from Git repositories, supporting:

  • Periodic polling (configurable interval)

  • Manual sync triggers

  • Webhook integration (GitHub/GitLab)

  • Encrypted credential storage

  • Auto-import profiles as job templates

Setup VCS Credentials

Generate Encryption Key

python scripts/generate_encryption_key.py

Add to .env:

ENCRYPTION_KEY=your-fernet-key-here

Create VCS Credential

Option 1: Using API

SSH Key Authentication:

Token Authentication:

Option 2: Using UI

  1. Navigate to VCS Configuration page

  2. Click Add Credential

  3. Fill in details:

    • Name: github-profiles

    • Type: GitHub

    • Repository URL: https://github.com/org/profiles.git

    • Auth Method: SSH Key or Token

  4. Click Save (credentials are encrypted automatically)

GitHub Personal Access Token (PAT)

Create a PAT with repo scope:

  1. Go to GitHub Settings > Developer settings > Personal access tokens

  2. Click Generate new token (classic)

  3. Select scopes: repo (full repository access)

  4. Generate and copy token

SSH Deploy Key

Generate SSH key pair:

Add public key to repository:

  1. Go to Repository Settings > Deploy keys

  2. Click Add deploy key

  3. Paste public key content

  4. Enable "Allow write access" if needed

Use private key in VCS credential configuration.

Configure Repository Sync

Enable VCS Sync

Add Repository

Repository Structure

Organize your Git repository:

The system automatically detects directories containing inspec.yml.

Polling Configuration

Automatic Polling

Polling jobs are scheduled automatically when repository is created with sync_enabled: true.

Default interval: 15 minutes (configurable per repository)

Manual Sync Trigger

View Sync History

Response:

Webhook Integration

Enable Webhooks

Generate webhook secret:

GitHub Webhook Setup

  1. Go to Repository Settings > Webhooks

  2. Click Add webhook

  3. Configure:

    • Payload URL: https://your-domain.com/api/v1/webhooks/github/

    • Content type: application/json

    • Secret: Your webhook secret from .env

    • Events: Select "Just the push event"

  4. Click Add webhook

GitLab Webhook Setup

  1. Go to Project Settings > Webhooks

  2. Configure:

    • URL: https://your-domain.com/api/v1/webhooks/gitlab/

    • Secret token: Your webhook secret

    • Trigger: Push events

  3. Click Add webhook

Test Webhook

Profile Auto-Import

When auto_import: true, the system automatically:

  1. Scans repository for InSpec profiles (inspec.yml)

  2. Creates/updates job templates for each profile

  3. Sets profile path to synced repository location

  4. Preserves manual customizations to job templates

Job Template Naming

Auto-generated templates use format:

Example: compliance-profiles_linux-baseline

Customize Auto-Import Behavior

Create .ansible-inspec.yml in repository root:

Monitoring VCS Sync

Prometheus Metrics

Metrics:

  • vcs_sync_total{repository, status}: Total sync operations

  • vcs_sync_duration_seconds: Sync duration histogram

View Scheduler Jobs

Response:

Advanced Configuration

Multiple Repositories

Custom Poll Intervals

Different repositories can have different intervals:

Branch Strategies

Development + Production:

Troubleshooting

Sync Failures

Check logs:

Common issues:

  • Authentication failure: Verify credentials are not expired

  • Network error: Check firewall rules, DNS resolution

  • SSH key permission: Ensure private key has correct permissions (0600)

Profile Not Imported

Verify profile structure:

Webhook Not Triggering

  1. Check webhook delivery in GitHub/GitLab (Settings > Webhooks > Recent Deliveries)

  2. Verify payload URL is accessible from internet

  3. Check webhook secret matches .env configuration

  4. Review server logs for signature validation errors

Slow Sync Performance

  • Reduce poll frequency for large repositories

  • Use shallow clone (configure in VCS settings)

  • Enable delta sync (only check for changes, not full clone)

Security Best Practices

  1. Use read-only deploy keys when possible

  2. Rotate credentials regularly (every 90 days)

  3. Use dedicated service accounts for Git access

  4. Restrict repository access to necessary profiles only

  5. Audit sync logs for unauthorized access

  6. Validate webhook signatures before processing

  7. Use HTTPS for all repository URLs

  8. Store credentials encrypted (automatic with Fernet)

Migration from Manual Updates

Step 1: Create Git Repository

Step 2: Configure VCS Sync

Follow credential and repository setup above.

Step 3: Initial Sync

Step 4: Verify Import

References

Last updated