Puppet starts scanning Forge modules, launches new compliance tools

IT automation tooling provider Puppet has announced two additions to its tooling ecosystem this week, aimed at making it easier for users to stay secure and compliant.

The most important of the enhancements is surely a malware scanning component for Puppet’s module catalogue, Puppet Forge. The new component checks uploaded files and their contents for malicious code and flags potentially unsafe uploads. To produce a comprehensive report, it uses the VirusTotal upload API, which is said to aggregate results from over 70 antivirus scanners and URL blocklists.
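To make the described flow concrete, here is an added example (written for this article, not Puppet’s own Forge scanner) of how a registry-side check against VirusTotal can be structured: hash the module archive, look the hash up first so previously analysed files are not re-uploaded, submit the archive only when it is unknown, and then flag the release when the aggregated engine counts cross a threshold. The endpoint paths and response shapes follow the VirusTotal v3 API as documented (`GET /files/{sha256}`, `POST /files`, `GET /analyses/{id}`); check them against the current documentation before relying on them. The HTTP transport is injected, and the stub transport, the `demo-key` API key and the two archive blobs at the bottom are constructed stand-ins so the example runs offline.

```python
"""Added example, not Puppet's scanner: hash-first VirusTotal v3 check of a module
archive, flagging a release when aggregated engine results exceed a threshold."""
import hashlib
import os
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

VT_API = "https://www.virustotal.com/api/v3"

# transport(method, url, headers, body) -> (HTTP status, parsed JSON body).
# Injected so the flow needs no network; a real one would wrap urllib or requests.
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, dict]]


@dataclass
class Verdict:
    sha256: str
    stats: Dict[str, int]   # engine counts as returned by VirusTotal
    flagged: bool
    reason: str


def lookup_hash(transport: Transport, api_key: str, digest: str) -> Optional[dict]:
    """GET /files/{sha256}: engine stats if VirusTotal already knows the file, else None."""
    status, body = transport("GET", f"{VT_API}/files/{digest}", {"x-apikey": api_key}, None)
    if status == 404:
        return None
    if status != 200:
        raise RuntimeError(f"VirusTotal lookup failed: HTTP {status}")
    return body["data"]["attributes"]["last_analysis_stats"]


def upload_and_analyse(transport: Transport, api_key: str, filename: str, data: bytes) -> dict:
    """POST /files as multipart/form-data, then poll GET /analyses/{id} until completed."""
    boundary = "----vtscan" + os.urandom(8).hex()
    body = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="file"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
    ).encode() + data + f"\r\n--{boundary}--\r\n".encode()
    headers = {"x-apikey": api_key, "Content-Type": f"multipart/form-data; boundary={boundary}"}
    status, resp = transport("POST", f"{VT_API}/files", headers, body)
    if status != 200:
        raise RuntimeError(f"VirusTotal upload failed: HTTP {status}")
    analysis_id = resp["data"]["id"]
    for _ in range(60):  # bounded polling; a production job would back off and re-queue
        status, resp = transport("GET", f"{VT_API}/analyses/{analysis_id}", {"x-apikey": api_key}, None)
        if status == 200 and resp["data"]["attributes"]["status"] == "completed":
            return resp["data"]["attributes"]["stats"]
    raise TimeoutError("VirusTotal analysis did not complete in time")


def assess(digest: str, stats: dict, malicious_threshold: int = 1, suspicious_threshold: int = 3) -> Verdict:
    """Policy step: any 'malicious' hit, or several 'suspicious' hits, blocks the release.
    Thresholds are this example's choice, not a documented Forge policy."""
    malicious = int(stats.get("malicious", 0))
    suspicious = int(stats.get("suspicious", 0))
    if malicious >= malicious_threshold:
        return Verdict(digest, stats, True, f"{malicious} engine(s) report malicious")
    if suspicious >= suspicious_threshold:
        return Verdict(digest, stats, True, f"{suspicious} engine(s) report suspicious")
    return Verdict(digest, stats, False, "no engine flagged the archive")


def scan_module_archive(transport: Transport, api_key: str, filename: str, data: bytes) -> Verdict:
    digest = hashlib.sha256(data).hexdigest()
    stats = lookup_hash(transport, api_key, digest)
    if stats is None:  # never seen by VirusTotal: submit the archive itself
        stats = upload_and_analyse(transport, api_key, filename, data)
    return assess(digest, stats)


# ---- offline stub standing in for VirusTotal; all responses below are constructed ----
KNOWN_BAD = hashlib.sha256(b"constructed-bad-module.tar.gz").hexdigest()


def stub_transport(method: str, url: str, headers: Dict[str, str], body: Optional[bytes]) -> Tuple[int, dict]:
    if headers.get("x-apikey") != "demo-key":
        return 401, {"error": {"code": "WrongCredentialsError"}}
    if method == "GET" and url.endswith(f"/files/{KNOWN_BAD}"):
        stats = {"malicious": 2, "suspicious": 0, "harmless": 60, "undetected": 8}
        return 200, {"data": {"attributes": {"last_analysis_stats": stats}}}
    if method == "GET" and "/files/" in url:
        return 404, {"error": {"code": "NotFoundError"}}
    if method == "POST" and url.endswith("/files") and body and b'name="file"' in body:
        return 200, {"data": {"type": "analysis", "id": "stub-analysis-1"}}
    if method == "GET" and url.endswith("/analyses/stub-analysis-1"):
        stats = {"malicious": 0, "suspicious": 0, "harmless": 65, "undetected": 5}
        return 200, {"data": {"attributes": {"status": "completed", "stats": stats}}}
    return 500, {}


if __name__ == "__main__":
    for name, blob in [("bad.tar.gz", b"constructed-bad-module.tar.gz"),
                       ("clean.tar.gz", b"constructed-clean-module.tar.gz")]:
        verdict = scan_module_archive(stub_transport, "demo-key", name, blob)
        print(f"{name}: {'FLAGGED' if verdict.flagged else 'ok'} ({verdict.reason})")
```

The hash-first lookup matters on a registry: most re-published tarballs are already known to VirusTotal, so the upload quota is spent only on genuinely new content, and a bounded poll with a hard timeout keeps a slow analysis from blocking the publish pipeline indefinitely.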

According to Puppet, the company does not plan to scan all existing modules retroactively, citing a wish to avoid zero-day vulnerabilities. Instead it will start by analysing all new releases of supported modules, then extend coverage to partner-supported and approved modules, with the goal of checking every new version as it is published by the end of the year.

With the scanner in place, the Puppet team can tackle other security-related features as well, which makes room for more ambitious roadmap items: the long-requested ability to see a module’s quality score before releasing it, and even a reworking of the quality scores themselves.

The Forge also gains a couple of interesting new additions, namely Compliance Enforcement Modules (CEM) for Windows and Linux nodes. These premium modules are part of a wider compliance initiative and, by default, enforce the CIS level 1 server profile on nodes managed by Puppet Enterprise. If that isn’t strict enough, the modules are meant to be configurable, and the company has already promised to add support for other compliance frameworks at a later stage.

Given the recent rise of interest in low- or no-code services, it’s also interesting to see Puppet putting in some work to have its enterprise offering play nicely with ServiceNow. The result is a second integration beside Puppet Spoke, which was announced earlier this year.

Whereas Spoke was meant as a self-service way of setting up Puppet workflows, Service Graph Connector funnels data from Puppet Enterprise into ServiceNow’s configuration management database (CMDB). The connector is now available in the ServiceNow Store and is pitched as a way to improve visibility into configuration items, catch misconfigurations more quickly and supply the data needed for informed decision making.