Test-Kitchen Plugin for InSpec
Chef Expeditor Update CHANGELOG.md to reflect the promotion of 1.3.1
Obvious fix; these changes are the result of automation not creative thinking.
Latest commit 897344c Oct 30, 2019
Type Name Latest commit message Commit time
.expeditor Try to fix rubygems config Jun 6, 2019
.github Update README / CODEOWNERS for ORP (#230) May 14, 2019
bin Switch from Rubocop to Chefstyle and resolve all warnings Aug 23, 2016
lib/kitchen/verifier Bump version to 1.3.1 by Chef Expeditor Oct 28, 2019
spec Adjust inspec version up for Runner API option name Jun 6, 2019
test Re-arrange tests to be cleaner and match rename Jun 6, 2019
.gitignore Update to allow Test Kitchen 2.0 and InSpec 4.0 (#226) Mar 18, 2019
.rspec kitchen-audit - Auditing & Testing Framework Test Kitchen Verifier. Sep 28, 2015
.travis.yml Rename test values for clarity Jun 5, 2019
Berksfile Switch from Rubocop to Chefstyle and resolve all warnings Aug 23, 2016
CHANGELOG.md Update CHANGELOG.md to reflect the promotion of 1.3.1 Oct 30, 2019
CODE_OF_CONDUCT.md Add code of conduct and contributing doc Apr 6, 2019
CONTRIBUTING.md Add code of conduct and contributing doc Apr 6, 2019
Gemfile Require Ruby 2.3+ / InSpec 1.47+ and update dev deps (#221) Jan 23, 2019
Guardfile Switch from Rubocop to Chefstyle and resolve all warnings Aug 23, 2016
LICENSE Add Apache 2.0 license. Sep 28, 2015
MAINTAINERS.md Adding a maintainers file (#143) Aug 31, 2017
README.md Document input features Jun 5, 2019
Rakefile Require Ruby 2.3+ / InSpec 1.47+ and update dev deps (#221) Jan 23, 2019
VERSION Bump version to 1.3.1 by Chef Expeditor Oct 28, 2019
kitchen-inspec.gemspec Update to allow Test Kitchen 2.0 and InSpec 4.0 (#226) Mar 18, 2019
kitchen.yml Re-arrange tests to be cleaner and match rename Jun 6, 2019

README.md

Kitchen::InSpec - A Test Kitchen Verifier for InSpec

  • Project State: Active
  • Issues Response SLA: 3 business days
  • Pull Request Response SLA: 3 business days

For more information on project states and SLAs, see this documentation.


This is the kitchen driver for InSpec. To see the project in action, we have the following test-kitchen examples available:

Installation

Note: kitchen-inspec ships as part of ChefDK. Installation is not necessary for DK users.

Add this line to your application's Gemfile:

gem 'kitchen-inspec'

And then execute:

$ bundle

Or install it yourself as:

$ gem install kitchen-inspec

Usage

In your .kitchen.yml include:

verifier:
  name: inspec

Optionally specify sudo and sudo_command:

verifier:
  name: inspec
  sudo: true
  sudo_command: 'skittles'

You can also specify the host and port to be used by InSpec when targeting the node. Otherwise, it defaults to the hostname and port used by kitchen for converging.

verifier:
  name: inspec
  host: 192.168.56.40
  port: 22

Expected Directory Structure

By default, kitchen-inspec expects tests to be in the test/integration/%suite% directory structure (we use Chef as the provisioner here):

.
├── Berksfile
├── Gemfile
├── README.md
├── metadata.rb
├── recipes
│   ├── default.rb
│   └── nginx.rb
└── test
    └── integration
        └── default
            └── web_spec.rb

Directory Structure with complete profile

A complete profile is used here, including a custom InSpec resource named gordon_config:

.
├── Berksfile
├── Gemfile
├── README.md
├── metadata.rb
├── recipes
│   ├── default.rb
│   └── nginx.rb
└── test
    └── integration
        └── default
            ├── controls
            │   └── gordon.rb
            ├── inspec.yml
            └── libraries
                └── gordon_config.rb

Combination with other testing frameworks

If you need support for other testing frameworks, we recommend placing the tests in test/integration/%suite%/inspec:

.
├── Berksfile
├── Gemfile
├── README.md
├── metadata.rb
├── recipes
│   ├── default.rb
│   └── nginx.rb
└── test
    └── integration
        └── default
            └── inspec
                └── web_spec.rb

Specifying the Sudo Command

You can enable/disable sudo and set your own custom sudo command.

verifier:
  name: inspec
  sudo: true
  sudo_command: 'skittles'

Custom Host Settings

You can also specify the host, port, and proxy settings to be used by InSpec when targeting the node. Otherwise, it defaults to the hostname and port used by kitchen for converging.

verifier:
  name: inspec
  host: 192.168.56.40
  port: 22
  proxy_command: ssh user@1.2.3.4 -W %h:%p

Custom Outputs

If you want to customize the output file per platform or test suite, you can use a template format for your output variable. The flags currently supported are:

  • %{platform}
  • %{suite}

verifier:
  name: inspec
  reporter:
    - cli
    - junit:path/to/results/%{platform}_%{suite}_inspec.xml

You can also decide to only run specific controls, instead of a full profile. This is done by specifying a list of controls:

suites:
  - name: supermarket
    run_list:
      - recipe[apt]
      - recipe[ssh-hardening]
    verifier:
      inspec_tests:
        - name: dev-sec/ssh-baseline
      controls:
        - sshd-46
    ...

Use remote InSpec profiles

If you want to reuse tests across multiple cookbooks, they should become a separate artifact, independent of any Chef cookbook, called an InSpec profile. Profiles can easily be added to existing local tests, as demonstrated in the previous sections. To include remote profiles, adapt the verifier attributes in .kitchen.yml:

suites:
  - name: default
    verifier:
      inspec_tests:
        - name: ssh-hardening
          url: https://github.com/dev-sec/tests-ssh-hardening

inspec_tests accepts all values that inspec exec profile would expect. We support:

  • local directory, e.g. path: /path/to/profile
  • GitHub URL, e.g. git: https://github.com/dev-sec/tests-ssh-hardening.git
  • Chef Supermarket, e.g. name: hardening/ssh-hardening # defaults to supermarket (list all available profiles with inspec supermarket profiles)
  • Chef Compliance, e.g. name: ssh compliance: base/ssh

The following example illustrates the usage in a .kitchen.yml:

suites:
  - name: contains_inspec
    run_list:
      - recipe[apt]
      - recipe[yum]
      - recipe[ssh-hardening]
      - recipe[os-hardening]
    verifier:
      inspec_tests:
        - path: path/to/some/local/tests
        - name: ssh-hardening
          url: https://github.com/dev-sec/tests-ssh-hardening/archive/master.zip
        - name: os-hardening
          git: https://github.com/dev-sec/tests-os-hardening.git
  - name: supermarket
    run_list:
      - recipe[apt]
      - recipe[yum]
      - recipe[ssh-hardening]
    verifier:
      inspec_tests:
        - name: hardening/ssh-hardening  # name only defaults to supermarket
        - name: ssh-supermarket  # alternatively, you can explicitly specify that the profile is from supermarket in this way
          supermarket: hardening/ssh-hardening
          supermarket_url: http://supermarket.example.com
  # before you are able to use the compliance plugin, you need to run:
  #   $ inspec compliance login https://compliance.test --user admin --insecure --token ''
  # (--insecure is only required if you use self-signed certificates)
  - name: compliance
    run_list:
      - recipe[apt]
      - recipe[yum]
      - recipe[ssh-hardening]
    verifier:
      inspec_tests:
        - name: ssh
          compliance: base/ssh

Use inputs with your inspec profiles

Note: InSpec Inputs were formerly known as InSpec Attributes. As they are not related to Chef Attributes, they have been renamed to reduce confusion.

To run a profile with inputs defined inline, you can adapt your .kitchen.yml:

    verifier:
      inspec_tests:
        - path: test/integration/attributes
      inputs:
        user: bob
        password: secret

You can also define your inputs in external files. Adapt your .kitchen.yml to point to those files:

    verifier:
      inspec_tests:
        - path: test/integration/attributes
      input_files:
        - test/integration/profile-attribute.yml
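
As an added example (not part of kitchen-inspec or this README), the Ruby sketch below audits a kitchen.yml for three things the remote-profile and inputs configurations above make possible: profile sources fetched over plaintext http, a url that tracks a branch archive such as archive/master.zip, and secret-looking inputs written inline. The sample YAML is constructed from the README's own keys; the SECRET_NAME pattern and the function names are assumptions of this example.

```ruby
require 'yaml'

# Constructed sample, assembled from verifier keys shown in this README.
SAMPLE = <<~YAML
  verifier:
    inputs:
      user: bob
      password: secret
  suites:
    - name: contains_inspec
      verifier:
        inspec_tests:
          - name: ssh-hardening
            url: https://github.com/dev-sec/tests-ssh-hardening/archive/master.zip
    - name: supermarket
      verifier:
        inspec_tests:
          - name: ssh-supermarket
            supermarket_url: http://supermarket.example.com
YAML

SECRET_NAME = /pass|secret|token/i # heuristic; an assumption of this example

# Findings for one verifier hash; scope labels where it was declared.
def audit_verifier(scope, verifier)
  findings = []
  Array(verifier['inspec_tests']).grep(Hash).each do |profile|
    %w[url git supermarket_url].each do |key|
      next unless profile[key].to_s.start_with?('http://')
      findings << "#{scope}: #{key} is fetched over plaintext http"
    end
    next unless profile['url'].to_s.match?(%r{/archive/(master|main)\.(zip|tar\.gz)\z})
    findings << "#{scope}: url follows a moving branch archive"
  end
  (verifier['inputs'] || {}).each do |name, value|
    next unless name.to_s.match?(SECRET_NAME) && value.is_a?(String) && !value.empty?
    findings << "#{scope}: input '#{name}' is an inline literal"
  end
  findings
end

# Audits the top-level verifier and each suite-level verifier.
def audit_kitchen_yml(text)
  config = YAML.safe_load(text) || {}
  scopes = { 'top-level' => config['verifier'] }
  Array(config['suites']).each { |s| scopes["suite #{s['name']}"] = s['verifier'] }
  scopes.flat_map { |scope, verifier| audit_verifier(scope, verifier || {}) }
end

puts audit_kitchen_yml(SAMPLE)
```

Run against the constructed sample, it reports the inline password input, the master.zip archive URL, and the http supermarket_url, one finding per line.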

Development

After checking out the repo, run bin/setup to install dependencies. Then, run rake spec to run the tests. You can also run bin/console for an interactive prompt that will allow you to experiment.

To install this gem onto your local machine, run bundle exec rake install. To release a new version, update the version number in version.rb, and then run bundle exec rake release, which will create a git tag for the version, push git commits and tags, and push the .gem file to rubygems.org.

Contributing

Bug reports and pull requests are welcome on GitHub at https://github.com/inspec/kitchen-inspec.

License

Apache 2.0 (see LICENSE)
