
Introducing the Chainguard cinc-auditor image: STIG scanning for Chainguard Containers, ready to run

Steve Beattie, Sr. Principal Software Engineer, and Mandy Hubbard, Sr. Technical Product Marketing Manager

Chainguard is releasing a container image for cinc-auditor, the open source InSpec-compatible compliance scanner, with our GPOS SRG InSpec profile included out of the box. The image was developed in collaboration with Anchore, who tested the profile end-to-end against Anchore Enterprise to confirm it works in production compliance pipelines. Customers can now run STIG compliance scans against Chainguard Containers with a single, ready-to-run image, with no separate profile installation or dependency setup required.

The scanner ecosystem has moved to InSpec

For teams in federal and regulated environments, STIG compliance scanning is a given. The only question is which tool to use.

The compliance ecosystem has been migrating toward InSpec-based scanning, which allows checks to run externally against a target container image without requiring any tooling to be embedded in the image. That is a practical advantage that helps you scale, since you do not need to modify the image under test or install a scanning agent in every container in your fleet.

Chainguard has long published an XCCDF-format SRG profile for our images. XCCDF is the established standard and is not going anywhere, but it requires OpenSCAP to be installed inside the target container, which adds tooling to images that otherwise have no such dependency. For customers already using InSpec-based scanners, such as Anchore Enterprise, the XCCDF profile created a mismatch with their existing pipeline.

One customer wanted InSpec-based STIG scanning for Chainguard Containers badly enough that they built the profile themselves, open-sourced it under the Apache 2.0 license, and contributed it back to us. That kind of contribution deserves a first-class answer, so we adopted the profile, validated it, and are now shipping it as an officially maintained Chainguard product available to all customers — the cinc-auditor image, a ready-to-run scanner that ships the profile pre-baked in.

What we are shipping

The Chainguard cinc-auditor image is available at cgr.dev/chainguard-private/cinc-auditor:latest. It contains:

  • cinc-auditor built from source, with a fix to train 3.14.1 (the transport gem InSpec and cinc-auditor use to reach targets) that we developed and contributed upstream. The upstream cinc-auditor 7.0.95 binary shipped with a broken train gem dependency that caused silent scan failures; the fix has since been incorporated upstream, and our image includes it.

  • The Chainguard GPOS SRG InSpec profile pre-baked in. No profile download or configuration step is required. The image is ready to scan.

  • Wrapper scripts in the chainguard-inspec repo that invoke the image across multiple scan modes and output JSON and HTML reports.

The profile is derived from an Apache 2.0-licensed proof-of-concept and has been validated against a representative set of Chainguard Containers. It is maintained by our Product Security team on the same quarterly cadence as the DISA GPOS SRG updates.

Scan modes

The wrapper scripts support four scanning approaches, each suited to different environments and workflows:

  • Filesystem reconstruction: Unpacks a container image and scans the resulting filesystem

  • Live container via procfs: Scans a running container through the process filesystem

  • Live overlay2 filesystem: Scans against the container's overlay2 storage layer

  • Docker transport backend: Uses InSpec's native Docker transport to scan containers directly

Teams can choose the mode that fits their pipeline. The output format is consistent across modes.

Known limitations

There are two things worth knowing before you use cinc-auditor at scale.

Shell-less, minimal Chainguard Containers need extra care with cinc-auditor, because InSpec expects certain system utilities to be present in the target image. Many file and directory checks rely on stat; on images without coreutils those checks may report a failure rather than skip, producing false findings. This is a property of how InSpec handles BusyBox's stat, not a bug in the image. The current workaround when using the Docker transport is to bind-mount BusyBox into the target container so the required utilities are available. The filesystem inspection modes use host-based tooling instead, so this limitation does not apply to them.
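Because the wrapper scripts emit the same JSON report in every scan mode, one small triage step can sit at the end of any pipeline to separate genuine control failures from the false failures the missing-stat limitation produces, so the pipeline fails on real findings and flags suspect ones for a re-scan with BusyBox bind-mounted or a filesystem mode. The following is an added example, not Chainguard's or cinc-auditor's own code. The report it parses is constructed to mirror the InSpec JSON reporter layout (profiles, controls, results with a status); the profile name `chainguard-gpos-srg`, the control IDs and the error strings used to recognise a stat-related failure are assumptions, since the page does not quote them.

```python
"""Triage an InSpec/cinc-auditor JSON report: real failures vs. suspect
stat-related failures. Added example; the sample report and the
stat-error patterns below are constructed/assumed, not from the page."""
import json
import re

# Constructed sample report in the InSpec JSON reporter layout. Control IDs,
# profile name and message texts are assumptions for illustration only.
SAMPLE_REPORT = json.dumps({
    "platform": {"name": "debian", "release": "12"},
    "profiles": [{
        "name": "chainguard-gpos-srg",
        "controls": [
            {"id": "SRG-OS-000001", "title": "passwd exists", "impact": 0.5,
             "results": [{"status": "passed",
                          "code_desc": "File /etc/passwd is expected to exist"}]},
            {"id": "SRG-OS-000002", "title": "shadow mode", "impact": 0.7,
             "results": [{"status": "failed",
                          "code_desc": "File /etc/shadow mode is expected to eq 0",
                          "message": "expected: 0\n     got: 420"}]},
            {"id": "SRG-OS-000003", "title": "sudoers dir", "impact": 0.5,
             "results": [{"status": "failed",
                          "code_desc": "File /etc/sudoers.d is expected to be directory",
                          # Assumed shape of the error when stat is absent in the target.
                          "message": "stat: not found"}]},
            {"id": "SRG-OS-000004", "title": "not applicable here", "impact": 0.0,
             "results": [{"status": "skipped", "code_desc": "n/a",
                          "skip_message": "Not applicable"}]},
        ],
    }],
    "statistics": {"duration": 1.0},
    "version": "5.22.0",
})

# Heuristics for "the target has no usable stat". Assumed strings; tune them
# against the messages your scans actually produce.
STAT_PATTERNS = [re.compile(p, re.I) for p in (
    r"\bstat\b.*not found",
    r"command not found.*\bstat\b",
    r"no such file.*\bstat\b",
)]


def looks_like_missing_stat(result):
    """True when a failed result's text points at a missing stat utility."""
    text = " ".join(str(result.get(k, "")) for k in ("message", "code_desc"))
    return any(p.search(text) for p in STAT_PATTERNS)


def triage(report_json):
    """Bucket every control id into passed / failed / skipped / suspect_stat.

    A control goes to suspect_stat only if *all* of its failed results look
    like the stat limitation; any other failed result keeps it a real failure.
    """
    report = json.loads(report_json)
    summary = {"passed": [], "failed": [], "skipped": [], "suspect_stat": []}
    for profile in report.get("profiles", []):
        for control in profile.get("controls", []):
            results = control.get("results", [])
            failed = [r for r in results if r.get("status") == "failed"]
            if failed:
                bucket = "suspect_stat" if all(map(looks_like_missing_stat, failed)) else "failed"
            elif not results or all(r.get("status") == "skipped" for r in results):
                bucket = "skipped"
            else:
                bucket = "passed"
            summary[bucket].append(control["id"])
    return summary


def exit_code(summary):
    """Fail the pipeline on genuine failures only; suspect controls are surfaced, not fatal."""
    return 1 if summary["failed"] else 0


if __name__ == "__main__":
    s = triage(SAMPLE_REPORT)
    for bucket, ids in s.items():
        print(f"{bucket:13s} {len(ids):3d}  {' '.join(ids)}")
    if s["suspect_stat"]:
        print("suspect_stat controls: re-run with BusyBox bind-mounted or in a filesystem mode")
    raise SystemExit(exit_code(s))
```

The point of the split is that suspect controls are neither silently dropped nor allowed to block a release on their own: they are listed so the operator can re-scan them under a mode where the limitation does not apply, while the pipeline verdict is driven by failures the scanner actually evaluated.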

Second, there are subtle differences between the XCCDF STIG profile and the InSpec profile. InSpec is a fully programmable framework that supports more nuanced validation logic than XCCDF allows, which means some checks behave differently across the two formats. Both profiles will be maintained, and they complement each other.

The XCCDF profile remains the standard for RHEL, Ubuntu, and traditional SCAP tooling environments. The InSpec profile is the right choice for teams already using InSpec-based scanners.

Integration with Anchore Enterprise

The cinc-auditor image launches with Anchore Enterprise as its first consumer. A Chainguard customer using Anchore Enterprise in their FedRAMP compliance workflow tested the image in private preview, so the integration has been exercised end-to-end in a real pipeline before general availability.

Customers using Anchore Enterprise, which supports InSpec profiles exclusively, can now point their scanner at the official Chainguard profile. They no longer need to build and maintain their own, nor wait for a third party to publish updates when the GPOS SRG changes.

Getting started

The image is available at cgr.dev/chainguard/cinc-auditor:latest. Wrapper scripts and usage documentation are in the chainguard-inspec repository at github.com/chainguard-dev/chainguard-inspec.

For questions, reach out at support.chainguard.dev.
