InSpec CLI

Use the InSpec CLI to run tests and audits against targets using local, SSH, WinRM, or Docker connections.

archive

Archive a profile to tar.gz (default) or zip

Syntax

This subcommand has the following syntax:

$ inspec archive PATH

Options

This subcommand has additional options:

  • --ignore-errors, --no-ignore-errors
    Ignore profile warnings.
  • -o, --output=OUTPUT
    Save the archive to a path
  • --overwrite, --no-overwrite
    Overwrite existing archive.
  • --profiles-path=PROFILES_PATH
    Folder which contains referenced profiles.
  • --tar, --no-tar
    Generates a tar.gz archive.
  • --vendor-cache=VENDOR_CACHE
    Use the given path for caching dependencies. (default: ~/.inspec/cache)
  • --zip, --no-zip
    Generates a zip archive.

check

Verify all tests at the specified path

Syntax

This subcommand has the following syntax:

$ inspec check PATH

Options

This subcommand has additional options:

  • --format=FORMAT

  • --profiles-path=PROFILES_PATH
    Folder which contains referenced profiles.

  • --vendor-cache=VENDOR_CACHE
    Use the given path for caching dependencies. (default: ~/.inspec/cache)

detect

Detect the target OS

Syntax

This subcommand has the following syntax:

$ inspec detect

Options

This subcommand has additional options:

  • -b, --backend=BACKEND
    Choose a backend: local, ssh, winrm, docker.
  • --bastion-host=BASTION_HOST
    Specifies the bastion host if applicable
  • --bastion-port=BASTION_PORT
    Specifies the bastion port if applicable
  • --bastion-user=BASTION_USER
    Specifies the bastion user if applicable
  • --enable-password=ENABLE_PASSWORD
    Password for enable mode on Cisco IOS devices.
  • --format=FORMAT

  • --host=HOST
    Specify a remote host which is tested.

  • --insecure, --no-insecure
    Disable SSL verification on select targets

  • --json-config=JSON_CONFIG
    Read configuration from JSON file (- reads from stdin).

  • -i, --key-files=one two three
    Login key or certificate file for a remote scan.

  • --password=PASSWORD
    Login password for a remote scan, if required.

  • --path=PATH
    Login path to use when connecting to the target (WinRM).

  • -p, --port=N
    Specify the login port for a remote scan.

  • --proxy-command=PROXY_COMMAND
    Specifies the command to use to connect to the server

  • --self-signed, --no-self-signed
    Allow remote scans with self-signed certificates (WinRM).

  • --shell, --no-shell
    Run scans in a subshell. Only activates on Unix.

  • --shell-command=SHELL_COMMAND
    Specify a particular shell to use.

  • --shell-options=SHELL_OPTIONS
    Additional shell options.

  • --ssl, --no-ssl
    Use SSL for transport layer encryption (WinRM).

  • --sudo, --no-sudo
    Run scans with sudo. Only activates on Unix and non-root user.

  • --sudo-command=SUDO_COMMAND
    Alternate command for sudo.

  • --sudo-options=SUDO_OPTIONS
    Additional sudo options for a remote scan.

  • --sudo-password=SUDO_PASSWORD
    Specify a sudo password, if it is required.

  • -t, --target=TARGET
    Simple targeting option using URIs, e.g. ssh://user:pass@host:port

  • --target-id=TARGET_ID
    Provide an ID which will be included on reports

  • --user=USER
    The login user for a remote scan.

env

Output shell-appropriate completion configuration

Syntax

This subcommand has the following syntax:

$ inspec env

exec

Run all test files at the specified path.

Loads the given profile(s) and fetches their dependencies if needed. Then connects to the target and executes any controls contained in the profiles. One or more reporters are used to generate output. If all tests passed (no fails, no skips), exit code 0 is returned. If some tests were skipped but none failed, exit code 101 is returned. If at least one test failed, exit code 100 is returned. If InSpec failed for any other reason, exit code 1 is returned.

Syntax

This subcommand has the following syntax:

$ inspec exec PATHS

Options

This subcommand has additional options:

  • --attrs=one two three
    Load attributes file (experimental)
  • -b, --backend=BACKEND
    Choose a backend: local, ssh, winrm, docker.
  • --backend-cache, --no-backend-cache
    Allow caching for backend command output. (default: true)
  • --bastion-host=BASTION_HOST
    Specifies the bastion host if applicable
  • --bastion-port=BASTION_PORT
    Specifies the bastion port if applicable
  • --bastion-user=BASTION_USER
    Specifies the bastion user if applicable
  • --color, --no-color
    Use colors in output.
  • --controls=one two three
    A list of control names to run, or a list of /regexes/ to match against control names. Ignore all other tests.
  • --create-lockfile, --no-create-lockfile
    Write out a lockfile based on this execution (unless one already exists)
  • --distinct-exit, --no-distinct-exit
    Exit with code 100 if any tests fail, and 101 if any are skipped but none failed (default). If disabled, exit 0 on skips and 1 for failures.
  • --enable-password=ENABLE_PASSWORD
    Password for enable mode on Cisco IOS devices.
  • --host=HOST
    Specify a remote host which is tested.
  • --insecure, --no-insecure
    Disable SSL verification on select targets
  • --json-config=JSON_CONFIG
    Read configuration from JSON file (- reads from stdin).
  • -i, --key-files=one two three
    Login key or certificate file for a remote scan.
  • --password=PASSWORD
    Login password for a remote scan, if required.
  • --path=PATH
    Login path to use when connecting to the target (WinRM).
  • -p, --port=N
    Specify the login port for a remote scan.
  • --profiles-path=PROFILES_PATH
    Folder which contains referenced profiles.
  • --proxy-command=PROXY_COMMAND
    Specifies the command to use to connect to the server
  • --reporter=one two:/output/file/path
    Enable one or more output reporters: cli, documentation, html, progress, json, json-min, json-rspec, junit, yaml
  • --self-signed, --no-self-signed
    Allow remote scans with self-signed certificates (WinRM).
  • --shell, --no-shell
    Run scans in a subshell. Only activates on Unix.
  • --shell-command=SHELL_COMMAND
    Specify a particular shell to use.
  • --shell-options=SHELL_OPTIONS
    Additional shell options.
  • --show-progress, --no-show-progress
    Show progress while executing tests.
  • --ssl, --no-ssl
    Use SSL for transport layer encryption (WinRM).
  • --sudo, --no-sudo
    Run scans with sudo. Only activates on Unix and non-root user.
  • --sudo-command=SUDO_COMMAND
    Alternate command for sudo.
  • --sudo-options=SUDO_OPTIONS
    Additional sudo options for a remote scan.
  • --sudo-password=SUDO_PASSWORD
    Specify a sudo password, if it is required.
  • -t, --target=TARGET
    Simple targeting option using URIs, e.g. ssh://user:pass@host:port
  • --target-id=TARGET_ID
    Provide an ID which will be included on reports
  • --user=USER
    The login user for a remote scan.
  • --vendor-cache=VENDOR_CACHE
    Use the given path for caching dependencies. (default: ~/.inspec/cache)
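
The exit codes described for exec can drive a pipeline gate. The following is an added example, not part of the InSpec documentation or code base: the names inspec_verdict and inspec_gate and the "strict"/"lenient" policies are hypothetical, and stub commands stand in for real scans so it runs without InSpec installed.

```sh
#!/bin/sh
# Added example: gate a pipeline stage on the `inspec exec` exit codes.
# Assumes the default --distinct-exit behaviour (0, 100, 101, 1).

# Translate an exit code into a verdict.
inspec_verdict() {
  case "$1" in
    0)   echo "pass"  ;;  # no fails, no skips
    100) echo "fail"  ;;  # at least one test failed
    101) echo "skip"  ;;  # some tests skipped, none failed
    *)   echo "error" ;;  # InSpec itself failed (1) or anything unexpected
  esac
}

# inspec_gate POLICY COMMAND [ARGS...]   (hypothetical helper)
#   POLICY  "strict" blocks on skipped controls, "lenient" lets them through
#   COMMAND the scan to run, e.g. inspec exec PATHS --no-color
# Returns 0 = proceed, 1 = blocked by control results, 2 = scan did not run cleanly.
inspec_gate() {
  _policy="$1"; shift
  _rc=0
  "$@" || _rc=$?          # capture the code without tripping `set -e`
  case "$(inspec_verdict "$_rc")" in
    pass) return 0 ;;
    skip) if [ "$_policy" = "lenient" ]; then return 0; fi
          return 1 ;;
    fail) return 1 ;;
    *)    return 2 ;;      # never treat a broken scan as a clean one
  esac
}

# Constructed demo: stub commands stand in for real scans so this runs offline.
for _code in 0 100 101 1; do
  _got=0
  inspec_gate strict sh -c "exit $_code" || _got=$?
  echo "scan exit $_code -> $(inspec_verdict "$_code") -> gate (strict) returns $_got"
done
```

With --no-distinct-exit, failed controls and tool errors both return 1, so this gate reports failed controls as 2 (scan error) rather than 1.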

help

Describe available commands or one specific command

Syntax

This subcommand has the following syntax:

$ inspec help [COMMAND]

json

Read all tests in path and generate a JSON summary

Syntax

This subcommand has the following syntax:

$ inspec json PATH

Options

This subcommand has additional options:

  • --controls=one two three
    A list of controls to include. Ignore all other tests.
  • -o, --output=OUTPUT
    Save the created profile to a path
  • --profiles-path=PROFILES_PATH
    Folder which contains referenced profiles.
  • --vendor-cache=VENDOR_CACHE
    Use the given path for caching dependencies. (default: ~/.inspec/cache)

schema

Print the JSON schema

Syntax

This subcommand has the following syntax:

$ inspec schema NAME

shell

Open an interactive debugging shell

Syntax

This subcommand has the following syntax:

$ inspec shell

Options

This subcommand has additional options:

  • -b, --backend=BACKEND
    Choose a backend: local, ssh, winrm, docker.
  • --bastion-host=BASTION_HOST
    Specifies the bastion host if applicable
  • --bastion-port=BASTION_PORT
    Specifies the bastion port if applicable
  • --bastion-user=BASTION_USER
    Specifies the bastion user if applicable
  • -c, --command=COMMAND
    A single command string to run instead of launching the shell
  • --depends=one two three
    A space-delimited list of local folders containing profiles whose libraries and resources will be loaded into the new shell
  • --distinct-exit, --no-distinct-exit
    Exit with code 100 if any tests fail, and 101 if any are skipped but none failed (default). If disabled, exit 0 on skips and 1 for failures.
  • --enable-password=ENABLE_PASSWORD
    Password for enable mode on Cisco IOS devices.
  • --host=HOST
    Specify a remote host which is tested.
  • --insecure, --no-insecure
    Disable SSL verification on select targets
  • --json-config=JSON_CONFIG
    Read configuration from JSON file (- reads from stdin).
  • -i, --key-files=one two three
    Login key or certificate file for a remote scan.
  • --password=PASSWORD
    Login password for a remote scan, if required.
  • --path=PATH
    Login path to use when connecting to the target (WinRM).
  • -p, --port=N
    Specify the login port for a remote scan.
  • --proxy-command=PROXY_COMMAND
    Specifies the command to use to connect to the server
  • --reporter=one two:/output/file/path
    Enable one or more output reporters: cli, documentation, html, progress, json, json-min, json-rspec, junit
  • --self-signed, --no-self-signed
    Allow remote scans with self-signed certificates (WinRM).
  • --shell, --no-shell
    Run scans in a subshell. Only activates on Unix.
  • --shell-command=SHELL_COMMAND
    Specify a particular shell to use.
  • --shell-options=SHELL_OPTIONS
    Additional shell options.
  • --ssl, --no-ssl
    Use SSL for transport layer encryption (WinRM).
  • --sudo, --no-sudo
    Run scans with sudo. Only activates on Unix and non-root user.
  • --sudo-command=SUDO_COMMAND
    Alternate command for sudo.
  • --sudo-options=SUDO_OPTIONS
    Additional sudo options for a remote scan.
  • --sudo-password=SUDO_PASSWORD
    Specify a sudo password, if it is required.
  • -t, --target=TARGET
    Simple targeting option using URIs, e.g. ssh://user:pass@host:port
  • --target-id=TARGET_ID
    Provide an ID which will be included on reports
  • --user=USER
    The login user for a remote scan.

supermarket

Supermarket commands

Syntax

This subcommand has the following syntax:

$ inspec supermarket SUBCOMMAND ...

vendor

Download all dependencies and generate a lockfile in a vendor directory

Syntax

This subcommand has the following syntax:

$ inspec vendor PATH

Options

This subcommand has additional options:

  • --overwrite, --no-overwrite
    Overwrite existing vendored dependencies and lockfile.

version

Prints the version of this tool

Syntax

This subcommand has the following syntax:

$ inspec version

Options

This subcommand has additional options:

  • --format=FORMAT