
Chef Adds Dependency Management, Compliance to its Workflow Software

Mar 11th, 2016 8:17am by

Building out the features of its Chef Delivery workflow management tool, Chef has added a dependency management feature to ensure all the dependencies of a project are met before it can move forward.

The company also released a set of industry-specific pre-packaged policies for its Chef Compliance scanning tool, based on Center for Internet Security benchmarks.

Chef Delivery automates changes to infrastructure, runtime environments and applications, but also offers a framework for automated testing and continuous integration and delivery.

“Delivery is an end-to-end solution. It’s not a framework to build a delivery pipeline, it’s a single pipeline that everyone uses. Because of that, it allows a team to pin a dependency on another team without having to verbally, or email or in any way notify the other team that they depend on them,” explained Alex Ethier, Chef vice president of product.

He gave this example: A team in the United States depends on something a team in the UK is building. The U.S. team needs to know every time the UK team pushes a change, and the UK team might forget and things start to break.

The U.S. team could just set a dependency on the UK team and not even have to tell them.

“When you use a single pipeline, it knows who depends on whom. Every time the team in the UK publishes changes to the application, the software in the U.S. also would get retested as part of that delivery process. It’s completely automated and completely seamless. If there are issues, they can collaborate with a single tool in a single place through a single pipeline,” he said.


Chef has beefed up workflow tools since announcing $40 million in new funding last September and its acquisition of German compliance technology vendor VulcanoSec. It’s weaving VulcanoSec automation into the Dependency Management pipeline.

Testing with compliance as code can help teams increase security and deliver software faster, Ethier said.

“We’ve been looking at compliance as something you do after the fact, meaning you have servers, they have stuff on them, then we audit them to make sure they’re compliant,” he said.

“But with compliance policies described as code, you can incorporate this in your software delivery workflow. You can test for changes, you can test for quality like we’ve been doing for years — unit tests, functional tests — you can also now test for compliance. So when you’re delivering Chef cookbooks or infrastructure code through Delivery, you can make sure the change you’re about to do will not break your desired state of compliance.

“If you deploy to production and then scan for compliance, there’s always going to be a window of time when you’re exposed,” he said.

Chef’s InSpec testing framework for specifying compliance, security and policy requirements allows teams to set up controls and test against these controls, Ethier explained. While companies might want to create their own policies, Chef on Thursday also released pre-baked policies based on the Level 1 and Level 2 recommendations for Center for Internet Security (CIS) benchmarks, on which Payment Card Industry (PCI) and other standards are based. They’re available for Windows and Linux.

You can find short demos of the new features here.

Analyst Chris Riley sees Chef as moving in the right direction.

The compliance functionality will really help organizations justify taking the next step in modern software delivery and treat infrastructure truly as code, where every script is an artifact in the delivery chain down to compliance details, he said.

“It’s not uncommon for organizations to look at their Chef scripts on a one-by-one basis and not as part of the broader delivery process. So by adding even more functionality that is meant to take a broader look at the entire orchestration processes, and how it connects into the delivery chain is great,” he said. “It is what is required for enterprises to build fully integrated and automated environments.”

So many people call what they do continuous integration and continuous delivery, he says, but when you take a closer look, there is still a gated process in between manual ones.

“Where I see a challenge is in the way vendors are talking about their solutions, and ultimately the increased confusion and frustration about what solutions really do,” he said. “Many vendors seem to be hinting at something that looks and feels like a one-stop shop DevOps hub when really they are just one piece of the puzzle.”

CloudBees has released a continuous delivery-as-a-service product, and Docker has launched a containers-as-a-service package, which both try to be the pivot point for all DevOps activity, Riley said. “I anticipate that this will just slow some adoption down, as organizations really figure out who does what.”

Feature Image: “Krispy Kreme Assembly Line” by Steve Jurvetson, licensed under CC BY-SA 2.0.

TNS owner Insight Partners is an investor in: Docker.