Shadow-Soft and Chef Partner to Create a Compliance Profile

Chef is a leader in Continuous Automation software and one of the earliest practitioners and advocates of the DevOps movement. Chef works with the most innovative companies around the world to deliver their vision of digital transformation, providing the practices and platform to deliver software at velocity.

Shadow-Soft is an open source-focused integrator that offers consulting and managed services across three specialties: DevOps, Application Infrastructure, and Cloud. The team are mavens in open software and open standards. Shadow-Soft helps customers “Take the Power Back” from proprietary vendors and take control of their technology future with open source.

The Challenge

Chef needed a partner with domain expertise and a history of success.

Chef received a number of requests from customers for a STIG compliance profile with associated meta profiles. Chef wanted to create this profile to add value to their Chef InSpec product offering.

This project involved converting STIG SCAP data via InSpec SCAP and filling in the gaps left by the SCAP content. Chef needed a partner with domain expertise across Chef, InSpec, security, and STIGs.

The Chef team had been impressed by Shadow-Soft’s recent Chef work, and saw the company as a thought leader in the industry. Shadow-Soft’s unique insight and domain expertise made it an appealing partner company to work with on this project.

The Solution

Shadow-Soft helped Chef create a Compliance profile that could be used to evaluate security posture as referenced in DISA’s RHEL 6 STIG.

Shadow-Soft was tasked with interpreting preexisting STIG content and turning it into an automated STIG Compliance profile. The STIG was chosen because it is the standard security profile used by the DoD and often adopted by commercial enterprises.

The Shadow-Soft consulting team developed a compliance profile with associated meta profiles to represent the nine security levels of the RHEL 6 STIG.

After a thorough round of testing and validation to ensure it met security standards, the end product was a ready-to-go compliance profile for the RHEL 6 STIG.


Chef customers can now use this new product to run compliance scans on their environments and quickly report on the security posture of their systems. With this enhancement to Chef InSpec, customers can use Chef Automate and InSpec in more ways than ever.

“Security isn’t just a private sector problem; Chef recognizes that the federal space wants to use its product. With new features like STIG Compliance Profiles and FIPS mode, it shows Chef listens to customers and responds to their needs.”

– John Ray, Lead Consultant at Shadow-Soft

“Chef is committed to help customers detect and correct compliance and security issues, and to help them maintain continuous compliance by automating the process with InSpec. Shadow-Soft has played a key role in helping us expand our InSpec coverage to important security areas. Together we are helping more customers maintain secure systems through automated compliance checking.”

– James Casey, Head of Partner Engineering and Integration at Chef
