InSpec is compliance as code

Turn your compliance, security, and other policy requirements into automated tests.

Star
image of diamondimage of grid

Announcing InSpec 3.0

Plugin system, global attributes, enhanced skip messaging, and more.

core

New plugin system for InSpec CLI and Train

Enhanced "only_if" skip messaging

Unsupported profiles are now hidden from output

Attributes are now specified in inspec.yml

Text based severity (e.g. "impact 'low'" )

Tons of security/bug fixes and improvements

cloud

New Azure and GCP resources

Support for VMware ESXi via PowerCLI (Even on Linux!)


How InSpec works

Get started with InSpec in 3 simple steps


image of grid

1

write the test

Create simple Ruby-based tests to verify your expected state against the current state of your systems.

control 'example-1.0' do  impact 0.9  title 'Ensure login disabled'  desc 'An optional description...'  describe sshd_config do    its('PermitRootLogin') {      should_not cmp 'yes'    }  endend

2

run the test

Execute your test against your target system locally or remotely with one simple command.

$ inspec exec linux-baseline

3

See the results

See which tests failed, passed and skipped and the expected state against the current state of your target system, in one simple output.

Profile: InSpec Profile (example_profile)Version: 0.1.0Target:  local://
✔ example-1.0: Ensure root login is disabled via SSH ✔ SSHD Configuration PermitRootLogin should not cmp == "yes"
Profile Summary: 1 successful control, 0 control failures, 0 controls skippedTest Summary: 1 successful, 0 failures, 0 skipped

Features of InSpec

InSpec is compliance by design


image for InSpec platform support

Platform Agnostic

InSpec supports all major operating systems and is platform agnostic, allowing you the freedom to run compliance and security tests anywhere.

logos for Linux, Windows/Azure, Mac, Ubuntu, Docker container, AWS, VMware
image for InSpec remote and local testing

Test locally or remotely

InSpec provides a local agent for host-based assessments, as well as full remote testing support via SSH and WinRM.

logos for SSH and WinRM
image for InSpec freedom

Free to run anywhere

InSpec is an open-source language that can easily express compliance as code, with the freedom to run anywhere.

image for InSpec's extensible language

Extensible language

Easily extend the InSpec language to cover new operating systems, devices, or applications.

Transform your compliance and security requirements into simple code

Codify agreements

Combine profiles and customize them with overlays. Pick controls and define exceptions as code.

Add context to your tests

Utilize many fields like descriptions, tags, and impact.

Apply to all systems

Analyze everything using the same codified profiles and controls.

control 'sshd-21' do  title 'Set SSH Protocol to 2'  desc 'A detailed description'  impact 1.0 # This is critical ref 'compliance guide, section 2.1'  describe sshd_config do   its('Protocol') { should cmp 2 }  endend

Solve your infrastructure testing needs simply and efficiently

Test the desired state

Verify the current desired state of your apps and infrastructure according to the code you write.

HUMAN-READABLE CODE

Reduce friction by writing tests that are easy to understand by anyone.

Extensible

Create custom resources with ease and share them easily with others.

describe file('/etc/myapp.conf') do  it { should exist }  its('mode') { should cmp 0644 }end
describe apache_conf do its('Listen') { should cmp 8080 }end
describe port(8080) do it { should be_listening }end

Verify provisioning to cloud providers

Test AWS and Azure configuration

Verify all necessary settings of your favorite public cloud providers.

Test provisioners

InSpec can be used in combination with Cloudformation, Azure resource manager templates and Terraform.

Verify security configuration

Ensure that your cloud deployments are not open to malicious attacks due to misconfiguration.

describe aws_s3_bucket(bucket_name: 'my_secret_files') do  it { should exist }  it { should_not be_public }end
describe aws_iam_user(username: 'test_user') do it { should have_mfa_enabled } it { should_not have_console_password }end
image of scroll to top arrow