Join our upcoming Office Hours: Future Proofing your Splunk Apps.Register here

 Validate the quality of Splunk apps and add-ons for Splunk Cloud Platform or Splunk Enterprise using Splunk AppInspect

During app development, you can validate the quality of your Splunk apps against a set of Splunk-defined criteria to determine whether your app is ready for production and meets a minimum level of quality.

To validate your apps, use Splunk AppInspect, which is the same tool that Splunk uses for the following purposes:

  • Cloud vetting, which is a mandatory validation process to ensure that Splunk apps are ready for installation in Splunk Cloud Platform. Cloud vetting ensures the security of the Splunk Cloud Platform environment and the security of the data stored in that environment.
  • Evaluating Splunkbase submissions.

You can also evaluate your apps before installing them in private Splunk Enterprise deployments, although passing Splunk AppInspect validation checks is not required in this case.

 How does Splunk AppInspect work?

When you run Splunk AppInspect, Splunk AppInspect performs validation checks on your Splunk app package against a set of standardized criteria to evaluate the app structure, features, security, and adherence to Splunk Cloud Platform requirements.

Splunk AppInspect generates a report that details the successes, warnings, and failures flagged by the checks. By using the results of this report, you can fix any issues in your app before you submit it for cloud vetting or for publication to Splunkbase.

 How do I use Splunk AppInspect?

To use Splunk AppInspect, get familiar with the following terms:

TermDescription
ChecksThe individual validations of structural or functional properties within a Splunk app. Each check encapsulates specific validation logic, focuses on a single responsibility, and is independent from other checks.
GroupsRelated sets of checks. For example, a group of checks might deal with validating a specific feature set.
TagsKeywords that identify what a check is used for during validation. For example, checks with the cloud tag are used for public apps' cloud vetting.
ResultsThe output that a check returns, including a result state such as error, failure, or success.

 Choose a Splunk AppInspect tool

You can use Splunk AppInspect as a web service and as a locally-installed tool, as follows:

ToolTypeDescriptionWhen to use
Splunk AppInspect APIWeb serviceA REST API that sends requests to a web service.
The Splunk AppInspect API performs dynamic analysis and runtime checks. The Splunk AppInspect API results are more accurate with higher quality.
When you want the best and most accurate results using the most current checks and features.
Splunk AppInspect CLILocal installationA standalone Python package that you install locally in your Linux, Mac, or Windows development environment. The Splunk AppInspect CLI might not include the latest checks and features and does not use dynamic analysis.When you want quick validation that doesn't require an Internet connection.
When you want the ability to write your own checks to run as part of the validation process.

Splunk AppInspect CLI is a subset of Splunk AppInspect API, therefore the latter might report different results for the same Splunk app.

 Validate an app using tags

You can have Splunk AppInspect validate your app against all checks, or you can use the folloiwng tags to generate a report that includes or excludes certain categories of checks:

  • To validate your app for specific uses, use the included-tags <TAG> option.
  • To exclude a category of checks from validation, use the excluded-tags <TAG> option.

The following tags are the most useful for validating your apps.

TagDescription
cloudDetermines whether an app can be uploaded to Splunkbase.
manualFlags issues that might require a manual review by the Splunk AppInspect team.
futureIdentifies warning checks that are scheduled to become cloud vetting failures. See What's new on the Splunk Developer Portal and Cloud Vetting Change Policy.
private_appUsed for the automated vetting flow for private apps for installation in Splunk Cloud Platform below v9.0.
private_classicUsed for the automated vetting flow for private apps for installation in Splunk Cloud Platform on Classic Experience.
private_victoriaUsed for the automated vetting flow for private apps for installation in Splunk Cloud Platform on Victoria Experience.
aarch64_compatibilityUsed to validate apps for AArch64-compatibility.

You can use tags individually or combined. For example, to validate a public app before uploading it to Splunkbase, include the cloud tag.

The following example shows how to include cloud tag using the Splunk AppInspect API:

curl https://appinspect.splunk.com/v1/app/validate
   -H "Authorization: Bearer <TOKEN>" \
   -H "Content-Type: multipart/form-data" \
   -F app_package=myapppackage.tgz \
   -F "included_tags=cloud"

The following example shows how to include cloud tag using the Splunk AppInspect CLI:

splunk-appinspect inspect myapppackage.tgz --included-tags cloud

For a complete list of tags, see the Splunk AppInspect tag reference.

 Understand the results of the Splunk AppInspect report

The result of each Splunk AppInspect check includes one of the following result states:

Result stateMeaningDescriptionResolution
EErrorA failure occurred within Splunk AppInspect.No resolution required, or the result output indicates how to fix the issue.
FFailureThe Splunk app violated some part of the Splunk AppInspect check.The result output indicates how to fix the issue.
MManual checkThe Splunk app uses functionality that must be manually reviewed for the purpose of cloud vetting by the Cloud Vetting team. See Vet apps and add-ons for Splunk Cloud Platform.The result output indicates that the app might have problematic functionality, but Splunk AppInspect cannot determine this automatically. Review the check's message to determine which issues to look for in your app.
N/ANot applicableThe feature being tested does not exist in the Splunk app and is ignored.The result output explains why the check is not applicable.
PPassThe feature being tested is present in the Splunk app, and the functionality adheres to the Splunk AppInspect criteria.No resolution required.
SkippedSkippedThe feature being tested is missing a resource that is needed to perform the check.The result output explains what must be included to enable Splunk AppInspect to check this feature.

 Common issues reported by Splunk AppInspect

The following table summarizes some of the most common issues reported by app validation.

Failure categorySolution
App manifestIf you're using an app manifest with the Packaging Toolkit, be sure to increment the version of your app in the manifest when you increment the version of your app in the app.conf file.
App packageMake sure your app package doesn't have hidden files. See Package apps for Splunk Cloud Platform or Splunk Enterprise.
App version numberUse semantic versioning with the major.minor.build format.
Binary filesMake sure that each of the binary files in your app have matching source code in the app package. Don't just link to public repositories.
CredentialsMake sure your app doesn't store authorization credentials in plain text.
File and directory accessMake sure the files in your app package don't have more file permissions than necessary.
Local filesDon't include local files such as /local/. or /metadata/local.meta in your app package.
Network communicationsCheck that all network communications are encrypted using SSL or TLS.
Python scriptsReview the Python scripts in your app package for any runtime errors or style issues.
Make sure to remove any HTTP calls that are not secure. Look for "http" and "urllib*", for example.
Remove any shell-related security vulnerabilities, such as shell injection.
Threading and multiprocessesCheck for the use of multiprocesses and verify the functions are safe. For example, check that they don't end processes created by other apps. Make sure the number of threads is less than 25.

For requirements and common failures during cloud vetting, see the following topics:

 Get help with Splunk AppInspect

Splunk AppInspect is not supported by Splunk. The Splunk AppInspect CLI is offered without warranty and according to the End User License Agreement (EULA) included with the download. The Splunk AppInspect service is maintained as a best effort, but has no explicit service level agreement.

However, you can get help with Splunk AppInspect in the following ways:

  • Reach out to us on Slack in the #appinspect channel.
  • Email the Splunk AppInspect team at appinspect@splunk.com with questions, comments, and feature requests.
  • Post questions about Splunk AppInspect on Splunk Answers using the "appinspect" tag.

 See also