What is Ship Shape?
Ship Shape is an open source, extensible configuration-as-code audit tool that provides a standard interface for DevOps and SecOps teams to define a compliance framework. Ship Shape then evaluates the policy against the target and makes potential breaches visible so that remediation can be prioritised.
View and download ShipShape on
Ship Shape started life as a series of bash scripts to verify compliance across the fleet. Bash was difficult to test, not very portable, and harder to manage and maintain.
Ship Shape is written in Go, so it is portable and extensible. Scripts no longer need to be distributed to validate compliance; instead a standard configuration file can be provided to support a common compliance framework.
How it works
Ship Shape allows SecOps teams to define a compliance framework using standard YAML configuration files. This framework can be shared between projects to provide a common set of compliance checks for many sites.
The tool is split into three phases:
- Collect
- Interrogate
- Output
The collect phase allows operators to define how to collect data from various sources, e.g. the database, the file system or any of a number of other supported methods.
Data is collected and then passed to the interrogation phase. During this phase operators define the compliance checks. These vary in complexity based on your requirements and can range from simple existence validation to complex regular expression matching. Each step in the interrogation produces an output that determines whether the collected inputs are valid for your definition.
Some check types in the interrogation phase support auto-remediation, which can allow operators to not just audit, but enforce policies.
Once the interrogation has completed, the data is passed to the output phase. The output phase supports a number of different destinations and formats that allow operators to integrate Ship Shape auditing into their standard workflows. For example, it supports a JUnit formatter that can be integrated easily into GitLab CI/CD pipelines to provide a visual display of the results for end users.
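To make the three phases concrete, here is an added example of a minimal collect / interrogate / output pipeline in Go. It is not Ship Shape's own code and does not use its real YAML schema or APIs: the collector reads from a constructed in-memory "file system" standing in for a Drupal project, the checks (`exists`, `absent`, `regex`) and their names are invented for illustration, and the output phase renders the results as JUnit XML of the kind a CI system can display.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"regexp"
)

// Constructed sample "file system" for a hypothetical Drupal project. A real
// collector would read these from disk; they are in-memory so the example runs offline.
var sampleFiles = map[string]string{
	"web/sites/default/settings.php":       "<?php\n$settings['hash_salt'] = 'abc';\n$settings['trusted_host_patterns'] = ['^example\\.gov\\.au$'];\n",
	"web/sites/default/settings.local.php": "<?php\n$config['system.logging']['error_level'] = 'verbose';\n",
}

// Collect phase: a Collector gathers raw data keyed by the name the checks refer to.
type Collector func() map[string]string

func fileCollector(fs map[string]string) Collector {
	return func() map[string]string {
		out := make(map[string]string, len(fs))
		for path, content := range fs {
			out[path] = content
		}
		return out
	}
}

// Interrogate phase: a Check is one policy rule evaluated over a collected item.
type Check struct {
	Name    string
	Key     string // collected item the check inspects (a file path here)
	Kind    string // "exists", "absent" or "regex" (hypothetical check kinds)
	Pattern string // regular expression, used only by "regex"
}

type Result struct {
	Name    string
	Passed  bool
	Message string
}

func interrogate(data map[string]string, checks []Check) []Result {
	results := make([]Result, 0, len(checks))
	for _, c := range checks {
		content, found := data[c.Key]
		r := Result{Name: c.Name}
		switch c.Kind {
		case "exists": // the item must be present
			r.Passed = found
			if !found {
				r.Message = c.Key + " is missing"
			}
		case "absent": // the item must not be present
			r.Passed = !found
			if found {
				r.Message = c.Key + " must not be present"
			}
		case "regex": // the item must exist and match the pattern
			re, err := regexp.Compile(c.Pattern)
			switch {
			case err != nil:
				r.Message = "invalid pattern: " + err.Error()
			case !found:
				r.Message = c.Key + " is missing"
			case re.MatchString(content):
				r.Passed = true
			default:
				r.Message = fmt.Sprintf("%s does not match %q", c.Key, c.Pattern)
			}
		default:
			r.Message = "unknown check kind " + c.Kind
		}
		results = append(results, r)
	}
	return results
}

// Output phase: render results as JUnit XML; a failed check becomes a <failure> element.
type junitFailure struct {
	Message string `xml:"message,attr"`
}
type junitCase struct {
	Name    string        `xml:"name,attr"`
	Failure *junitFailure `xml:"failure,omitempty"`
}
type junitSuite struct {
	XMLName  xml.Name    `xml:"testsuite"`
	Name     string      `xml:"name,attr"`
	Tests    int         `xml:"tests,attr"`
	Failures int         `xml:"failures,attr"`
	Cases    []junitCase `xml:"testcase"`
}

func toJUnit(results []Result) (string, error) {
	s := junitSuite{Name: "audit", Tests: len(results)}
	for _, r := range results {
		tc := junitCase{Name: r.Name}
		if !r.Passed {
			s.Failures++
			tc.Failure = &junitFailure{Message: r.Message}
		}
		s.Cases = append(s.Cases, tc)
	}
	b, err := xml.MarshalIndent(s, "", "  ")
	if err != nil {
		return "", err
	}
	return xml.Header + string(b), nil
}

// Constructed policy in the spirit of a Drupal ruleset (not Ship Shape's real schema).
var policy = []Check{
	{Name: "settings.php present", Key: "web/sites/default/settings.php", Kind: "exists"},
	{Name: "hash_salt configured", Key: "web/sites/default/settings.php", Kind: "regex", Pattern: `\$settings\['hash_salt'\]\s*=\s*'[^']+'`},
	{Name: "trusted_host_patterns configured", Key: "web/sites/default/settings.php", Kind: "regex", Pattern: `trusted_host_patterns`},
	{Name: "no local settings override", Key: "web/sites/default/settings.local.php", Kind: "absent"},
}

// runAudit wires the three phases together for the sample data.
func runAudit() []Result {
	return interrogate(fileCollector(sampleFiles)(), policy)
}

func main() {
	out, err := toJUnit(runAudit())
	if err != nil {
		panic(err)
	}
	fmt.Println(out)
}
```

With the constructed data the first three checks pass and the `absent` check fails because `settings.local.php` is present, so the JUnit suite reports `tests="4" failures="1"` and the failing case carries the message a CI user would see. Swapping the map for a real directory walk, or adding a database collector, changes only the collect phase; the checks and the formatter stay the same.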
Ship Shape and GovCMS
A robust security framework needs appropriate measures and controls in place to ensure systems operate in an expected manner. These measures include identifying and auditing the accepted operating parameters of deployed workloads, and preventing deviation from them.
Salsa originally built Ship Shape to meet this need for GovCMS, Australia’s federal Drupal-based platform. Ship Shape allows Drupal projects to be secured against a domain-specific ruleset to ensure the security posture of the platform.
Part of the value proposition for the GovCMS SaaS platform is that Information Security Manual (ISM) controls are in place to verify the CMS application.
The problem space for a SaaS platform is flexibility versus control. The GovCMS team needs to ensure the platform operates in expected ways while still providing enough flexibility for agency teams and developers to deliver sites that meet their business requirements. This means we need the ability to allow flexibility in a controlled way. We also needed to ensure that the tooling used to validate standards can be executed in a number of ways, so that developers can self-serve and reduce the burden on the platform support team.
Salsa and GovCMS needed a robust and scalable way to audit hundreds of Drupal sites and report on their status daily, to run a subset of those tests in CI, and to give developers a tool for checking that the projects they were working on aligned with best practices and security measures.
The tool allows the GovCMS audit report to be output in a JUnit-compatible format which can be loaded into GitLab's CI environment to present the information in a consumable way.
Ship Shape and Salsa
Salsa originally built Ship Shape to help ensure the security posture of the GovCMS platform. As an open source tool, our goal is for Ship Shape to be used widely, and not necessarily limited to Drupal-based projects.