steampunk-spotter 3.3.0

Ansible Playbook Platform that scans, analyzes, enhances, and provides insights for your playbooks.

Steampunk Spotter Command-Line Interface (CLI)

Steampunk Spotter is an Ansible Playbook Platform that scans, analyzes, enhances, and provides insights for your playbooks.

The Steampunk Spotter CLI enables the use from the console with the ability to scan Ansible content such as playbooks, roles, collections, or task files.

The following instructions explain how to get started with the Steampunk Spotter CLI to scan Ansible content and get recommendations.

Installation

Steampunk Spotter CLI requires Python 3 and is available as a steampunk-spotter Python package.

$ pip install steampunk-spotter

We recommend installing the package into a clean Python virtual environment.

Usage

After the CLI is installed, you can explore its commands and options by running spotter --help. The --help/-h option is also available for every command.

Limitations

The current release version of Steampunk Spotter contains the following limitations that also apply to the CLI:

• with the FREE subscription plan, you can perform up to 100 scans/month,
• with the INDIVIDUAL, TEAM, or ENTERPRISE subscription plan you can perform an unlimited number of scans,
• for the ENTERPRISE subscription plan, contact us at steampunk@xlab.si to discuss your needs.

Authentication

To use CLI, you have to supply your Steampunk Spotter user account credentials. If you don't have an account, use spotter register command that will direct you to the page where you can create one.

Steampunk Spotter supports two kinds of credentials: 1) API token (can be generated in the user settings within the Spotter App), and 2) username and password.

• Use --token/-t global option to supply your token credential. Alternatively, set the SPOTTER_TOKEN environment variable to contain the API token.
• Use --username/-u and --password/-p global options to supply your username and password. Alternatively, set the SPOTTER_USERNAME and SPOTTER_PASSWORD environment variables.
• You can run spotter <options> login to persist your credentials in the Steampunk Spotter CLI's local storage, where <options> stand for one of the approaches described above.

After that, you can start scanning right away.

Scanning

The CLI spotter scan command is used for scanning Ansible content (playbooks, roles, collections, or task files) and returning the scan results.

Ansible content

The scan command will automatically detect the type of your Ansible content and scan it. Here are some examples of running scans:

# scan playbook
$ spotter scan path/to/playbook.yaml

# scan multiple files at once
$ spotter scan path/to/taskfile.yaml \
               path/to/playbook.yaml \
               path/to/role \
               path/to/collection

# scan any folder that contains Ansible content
$ spotter scan path/to/folder

Selecting the target project

This part is only relevant for users with a TEAM plan or higher.

By default, the scan results are stored in the first project of the user's first organization (in the app).

Users that have multiple organizations or projects in the app can use --project-id option to specify the UUID of an existing target project, where the scan result will be stored.

$ spotter scan --project-id <project-id> .

You can learn your project id by logging into the app, selecting the appropriate organization and navigating to the project's dashboard.

Excluding values

By default, CLI parses full Ansible YAML content with all values from playbooks (e.g., parameter values from Ansible modules, variables from Ansible plays, etc.). With values, we can discover additional tips for improvements. CLI will try to detect and omit any secrets (e.g., passwords, SSH keys, cloud credentials, etc.) from being transmitted. If you want to omit parsing and sending the values, you can use --exclude-values option.

$ spotter scan --exclude-values playbook.yaml

Excluding metadata

By default, CLI collects metadata (i.e., file names, line, and column numbers, YAML markers) from Ansible content. This is needed for enriched user experience in the Spotter App and to get additional tips for improvements. If you want to use metadata just for displaying the scan output, which means that no data about your Ansible content structure is sent to the backend server, you can use --exclude-metadata option.

$ spotter scan --exclude-metadata playbook.yaml

Automated application of suggestions to your code

There is also a --rewrite option that rewrites your files with fixes after scanning. This action will modify your files.

$ spotter scan --rewrite playbook.yaml

Next steps

For more comprehensive usage, issue spotter scan --help. Please refer to Steampunk Spotter Documentation for further instructions.

Acknowledgment

This tool was created by XLAB Steampunk, IT automation specialists and leading experts in building Enterprise Ansible Collections.