Validate the quality of Splunk apps and add-ons for Splunk Cloud Platform or Splunk Enterprise using Splunk AppInspect
- Validate the quality of Splunk apps and add-ons for Splunk Cloud Platform or Splunk Enterprise using Splunk AppInspect
- How does Splunk AppInspect work?
- How do I use Splunk AppInspect?
- Choose a Splunk AppInspect tool
- Validate an app using tags
- Understand the results of the Splunk AppInspect report
- Common issues reported by Splunk AppInspect
- Get help with Splunk AppInspect
- See also
During app development, you can validate the quality of your Splunk apps against a set of Splunk-defined criteria to determine whether your app is ready for production and meets a minimum level of quality.
To validate your apps, use Splunk AppInspect, which is the same tool that Splunk uses for the following purposes:
- Cloud vetting, which is a mandatory validation process to ensure that Splunk apps are ready for installation in Splunk Cloud Platform. Cloud vetting ensures the security of the Splunk Cloud Platform environment and the security of the data stored in that environment.
- Evaluating Splunkbase submissions.
You can also evaluate your apps before installing them in private Splunk Enterprise deployments, although passing Splunk AppInspect validation checks is not required in this case.
How does Splunk AppInspect work?
When you run Splunk AppInspect, Splunk AppInspect performs validation checks on your Splunk app package against a set of standardized criteria to evaluate the app structure, features, security, and adherence to Splunk Cloud Platform requirements.
Splunk AppInspect generates a report that details the successes, warnings, and failures flagged by the checks. By using the results of this report, you can fix any issues in your app before you submit it for cloud vetting or for publication to Splunkbase.
How do I use Splunk AppInspect?
To use Splunk AppInspect, get familiar with the following terms:
| Term | Description |
|---|---|
| Checks | The individual validations of structural or functional properties within a Splunk app. Each check encapsulates specific validation logic, focuses on a single responsibility, and is independent from other checks. |
| Groups | Related sets of checks. For example, a group of checks might deal with validating a specific feature set. |
| Tags | Keywords that identify what a check is used for during validation. For example, checks with the cloud tag are used for public apps' cloud vetting. |
| Results | The output that a check returns, including a result state such as error, failure, or success. |
Choose a Splunk AppInspect tool
You can use Splunk AppInspect as a web service and as a locally-installed tool, as follows:
| Tool | Type | Description | When to use |
|---|---|---|---|
| Splunk AppInspect API | Web service | A REST API that sends requests to a web service. The Splunk AppInspect API performs dynamic analysis and runtime checks. The Splunk AppInspect API results are more accurate with higher quality. | When you want the best and most accurate results using the most current checks and features. |
| Splunk AppInspect CLI | Local installation | A standalone Python package that you install locally in your Linux, Mac, or Windows development environment. The Splunk AppInspect CLI might not include the latest checks and features and does not use dynamic analysis. | When you want quick validation that doesn't require an Internet connection. When you want the ability to write your own checks to run as part of the validation process. |
Splunk AppInspect CLI is a subset of Splunk AppInspect API, therefore the latter might report different results for the same Splunk app.
Validate an app using tags
You can have Splunk AppInspect validate your app against all checks, or you can use the folloiwng tags to generate a report that includes or excludes certain categories of checks:
- To validate your app for specific uses, use the
included-tags <TAG>option. - To exclude a category of checks from validation, use the
excluded-tags <TAG>option.
The following tags are the most useful for validating your apps.
| Tag | Description |
|---|---|
cloud | Determines whether an app can be uploaded to Splunkbase. |
manual | Flags issues that might require a manual review by the Splunk AppInspect team. |
future | Identifies warning checks that are scheduled to become cloud vetting failures. See What's new on the Splunk Developer Portal and Cloud Vetting Change Policy. |
private_app | Used for the automated vetting flow for private apps for installation in Splunk Cloud Platform below v9.0. |
private_classic | Used for the automated vetting flow for private apps for installation in Splunk Cloud Platform on Classic Experience. |
private_victoria | Used for the automated vetting flow for private apps for installation in Splunk Cloud Platform on Victoria Experience. |
aarch64_compatibility | Used to validate apps for AArch64-compatibility. |
You can use tags individually or combined. For example, to validate a public app before uploading it to Splunkbase, include the cloud tag.
The following example shows how to include cloud tag using the Splunk AppInspect API:
curl https://appinspect.splunk.com/v1/app/validate -H "Authorization: Bearer <TOKEN>" \ -H "Content-Type: multipart/form-data" \ -F app_package=myapppackage.tgz \ -F "included_tags=cloud"
The following example shows how to include cloud tag using the Splunk AppInspect CLI:
splunk-appinspect inspect myapppackage.tgz --included-tags cloud
For a complete list of tags, see the Splunk AppInspect tag reference.
Understand the results of the Splunk AppInspect report
The result of each Splunk AppInspect check includes one of the following result states:
| Result state | Meaning | Description | Resolution |
|---|---|---|---|
E | Error | A failure occurred within Splunk AppInspect. | No resolution required, or the result output indicates how to fix the issue. |
F | Failure | The Splunk app violated some part of the Splunk AppInspect check. | The result output indicates how to fix the issue. |
M | Manual check | The Splunk app uses functionality that must be manually reviewed for the purpose of cloud vetting by the Cloud Vetting team. See Vet apps and add-ons for Splunk Cloud Platform. | The result output indicates that the app might have problematic functionality, but Splunk AppInspect cannot determine this automatically. Review the check's message to determine which issues to look for in your app. |
N/A | Not applicable | The feature being tested does not exist in the Splunk app and is ignored. | The result output explains why the check is not applicable. |
P | Pass | The feature being tested is present in the Splunk app, and the functionality adheres to the Splunk AppInspect criteria. | No resolution required. |
Skipped | Skipped | The feature being tested is missing a resource that is needed to perform the check. | The result output explains what must be included to enable Splunk AppInspect to check this feature. |
Common issues reported by Splunk AppInspect
The following table summarizes some of the most common issues reported by app validation.
| Failure category | Solution |
|---|---|
| App manifest | If you're using an app manifest with the Packaging Toolkit, be sure to increment the version of your app in the manifest when you increment the version of your app in the app.conf file. |
| App package | Make sure your app package doesn't have hidden files. See Package apps for Splunk Cloud Platform or Splunk Enterprise. |
| App version number | Use semantic versioning with the major.minor.build format. |
| Binary files | Make sure that each of the binary files in your app have matching source code in the app package. Don't just link to public repositories. |
| Credentials | Make sure your app doesn't store authorization credentials in plain text. |
| File and directory access | Make sure the files in your app package don't have more file permissions than necessary. |
| Local files | Don't include local files such as /local/. or /metadata/local.meta in your app package. |
| Network communications | Check that all network communications are encrypted using SSL or TLS. |
| Python scripts | Review the Python scripts in your app package for any runtime errors or style issues. Make sure to remove any HTTP calls that are not secure. Look for "http" and "urllib*", for example. Remove any shell-related security vulnerabilities, such as shell injection. |
| Threading and multiprocesses | Check for the use of multiprocesses and verify the functions are safe. For example, check that they don't end processes created by other apps. Make sure the number of threads is less than 25. |
For requirements and common failures during cloud vetting, see the following topics:
- Development requirements for Splunk Cloud Platform
- Common failures during cloud vetting and preventive actions
Get help with Splunk AppInspect
Splunk AppInspect is not supported by Splunk. The Splunk AppInspect CLI is offered without warranty and according to the End User License Agreement (EULA) included with the download. The Splunk AppInspect service is maintained as a best effort, but has no explicit service level agreement.
However, you can get help with Splunk AppInspect in the following ways:
- Reach out to us on Slack in the #appinspect channel.
- Email the Splunk AppInspect team at appinspect@splunk.com with questions, comments, and feature requests.
- Post questions about Splunk AppInspect on Splunk Answers using the "appinspect" tag.