Chef Consulting


“Chef is committed to help customers detect and correct compliance and security issues, and to help them maintain continuous compliance by automating the process with InSpec. Shadow-Soft has played a key role in helping us expand our InSpec coverage in important security areas. Together we are helping more customers maintain secure systems through automated compliance checking.” 

– James Casey, Head of Partner Engineering and Integration at Chef


Chef is a leader in Continuous Automation software and one of the earliest practitioners and advocates of the DevOps movement. Chef works with the most innovative companies around the world to deliver their vision of digital transformation, providing the practices and platform to deliver software at velocity.


Chef needed a partner with domain expertise and a history of success.

Chef received a number of requests from customers for a STIG compliance profile with associated meta profiles. Chef wanted to create this profile to add value to their Chef InSpec product offering.

This project involved converting STIG SCAP Data via InSpec SCAP and filling in the holes that SCAP content has. Chef needed a partner that had domain expertise across Chef, InSpec, Security, and STIGs.

The Chef team had been impressed by Shadow-Soft’s recent Chef work, and saw the company as a thought leader in the industry. Shadow-Soft’s unique insight and domain expertise made it an appealing partner company to work with on this project.


Shadow-Soft helped Chef create a compliance profile that could be used to evaluate security posture as referenced in DISA’s RHEL 6 STIG.

Shadow-Soft was tasked with interpreting preexisting STIG content and turning it into an automated STIG Compliance profile. The STIG was chosen because it is the standard security profile used by the DoD and often adopted by commercial enterprises.

The Shadow-Soft consulting team developed a compliance profile with associated meta profiles to represent the nine security levels of the RHEL 6 STIG.

After a thorough round of testing and validation to ensure it met security standards, the end product was a ready-to-go compliance profile for the RHEL 6 STIG.


Chef customers can now use this new product to run compliance scans on their environments and quickly report on the security posture of their systems. With this enhancement to Chef InSpec, customers can use Chef Automate and InSpec in more ways than ever.

Here are a few benefits to Chef’s end-customers:

  • CIOs can automatically check real time security posture for the entire fleet every fifteen minutes.
  • Information Assurance professionals can focus less on administrative tasks and more on their real job – stopping security threats.

Project deliverables:

  • Conversion of STIG SCAP Data to InSpec
  • Clean-up of the individual controls to adhere to Shadow-Soft best practices
  • Creation of meta profiles to represent the nine security levels of the STIG
  • Testing and validation of STIG profiles and meta profile inheritance
  • One compliance profile with associated meta profiles for the RHEL 6 STIG

“Security isn’t just a private sector problem; Chef recognizes that the federal space wants to use its product. With new features like STIG Compliance Profiles and FIPS mode, it shows Chef listens to customers and responds to their needs.”

– John Ray, Lead Consultant at Shadow-Soft

Ready to chat about Chef, InSpec, or Compliance Profiles?