inspec-core 4.26.4 → 4.31.1
- checksums.yaml +4 -4
- data/Gemfile +2 -2
- data/lib/inspec/base_cli.rb +7 -0
- data/lib/inspec/cli.rb +17 -0
- data/lib/inspec/control_eval_context.rb +29 -3
- data/lib/inspec/fetcher/git.rb +16 -2
- data/lib/inspec/input_registry.rb +1 -0
- data/lib/inspec/profile.rb +11 -15
- data/lib/inspec/profile_context.rb +3 -0
- data/lib/inspec/reporters/cli.rb +1 -1
- data/lib/inspec/reporters/json.rb +6 -1
- data/lib/inspec/reporters/json_automate.rb +1 -1
- data/lib/inspec/resources/apt.rb +1 -1
- data/lib/inspec/resources/auditd_conf.rb +2 -0
- data/lib/inspec/resources/command.rb +20 -1
- data/lib/inspec/resources/crontab.rb +8 -2
- data/lib/inspec/resources/ssh_config.rb +1 -1
- data/lib/inspec/runner_rspec.rb +1 -1
- data/lib/inspec/utils/filter.rb +8 -2
- data/lib/inspec/utils/run_data_filters.rb +9 -0
- data/lib/inspec/version.rb +1 -1
- data/lib/matchers/matchers.rb +1 -1
- data/lib/plugins/inspec-init/templates/profiles/aws/README.md +10 -10
- data/lib/plugins/inspec-init/templates/profiles/aws/controls/example.rb +3 -3
- data/lib/plugins/inspec-init/templates/profiles/aws/{attributes.yml → inputs.yml} +0 -0
- data/lib/plugins/inspec-init/templates/profiles/aws/inspec.yml +2 -3
- data/lib/plugins/inspec-init/templates/profiles/gcp/README.md +7 -7
- data/lib/plugins/inspec-init/templates/profiles/gcp/controls/example.rb +1 -1
- data/lib/plugins/inspec-init/templates/profiles/gcp/{attributes.yml → inputs.yml} +0 -0
- data/lib/plugins/inspec-init/templates/profiles/gcp/inspec.yml +3 -4
- metadata +4 -4
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 3b69fe894c5d6e3a8f5d02c18a283cf198bba2f903a2a3f7e8e03fc6cc4b80ad
|
4
|
+
data.tar.gz: da6d87aa551f2ca4f35ed1a827e1454dec479ca7776ba51a179b7c80b80b6721
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 3b5cffcda4cf2942bdf9c96bad907b404e11230a3ac4c93436274dce20a878533e6ed1fef929260e8cbad332409e4bc234c2ca77ea039f044a60545974500f9f
|
7
|
+
data.tar.gz: 8ba3b1a3c08345f647f239c3a26c8257a1830b1407c4ae6fa3e36745e57eb31a197a753b147a02f19164d8b3c9776fb7d9e4fea05ad224aaa6ab19764b8bf334
|
data/Gemfile
CHANGED
@@ -28,10 +28,10 @@ group :omnibus do
|
|
28
28
|
end
|
29
29
|
|
30
30
|
group :test do
|
31
|
-
gem "chefstyle", "~> 1.
|
31
|
+
gem "chefstyle", "~> 1.7.1"
|
32
32
|
gem "concurrent-ruby", "~> 1.0"
|
33
33
|
gem "html-proofer", platforms: :ruby # do not attempt to run proofer on windows
|
34
|
-
gem "json_schemer", ">= 0.2.1", "< 0.2.
|
34
|
+
gem "json_schemer", ">= 0.2.1", "< 0.2.19"
|
35
35
|
gem "m"
|
36
36
|
gem "minitest-sprint", "~> 1.0"
|
37
37
|
gem "minitest", "~> 5.5"
|
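--- a/data/lib/inspec/base_cli.rb
+++ b/data/lib/inspec/base_cli.rb
@@ -120,6 +120,8 @@ module Inspec
 desc: "Provide a ID which will be included on reports"
 option :winrm_shell_type, type: :string, default: "powershell",
 desc: "Specify a shell type for winrm (eg. 'elevated' or 'powershell')"
+option :docker_url, type: :string,
+desc: "Provides path to Docker API endpoint (Docker)"
 end
 
 def self.profile_options
@@ -164,6 +166,11 @@ module Inspec
 desc: "Use --no-diff to suppress 'diff' output of failed textual test results."
 option :sort_results_by, type: :string, default: "file", banner: "--sort-results-by=none|control|file|random",
 desc: "After normal execution order, results are sorted by control ID, or by file (default), or randomly. None uses legacy unsorted mode."
+option :filter_empty_profiles, type: :boolean, default: false,
+desc: "Filter empty profiles (profiles without controls) from the report."
+option :command_timeout, type: :numeric, default: 3600,
+desc: "Maximum seconds to allow commands to run during execution. Default 3600.",
+long_desc: "Maximum seconds to allow commands to run during execution. Default 3600. A timed out command is considered an error."
 end
 
 def self.help(*args)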
|
data/lib/inspec/cli.rb
CHANGED
@@ -321,6 +321,9 @@ class Inspec::InspecCLI < Inspec::BaseCLI
|
|
321
321
|
desc: "A space-delimited list of local folders containing profiles whose libraries and resources will be loaded into the new shell"
|
322
322
|
option :distinct_exit, type: :boolean, default: true,
|
323
323
|
desc: "Exit with code 100 if any tests fail, and 101 if any are skipped but none failed (default). If disabled, exit 0 on skips and 1 for failures."
|
324
|
+
option :command_timeout, type: :numeric, default: 3600,
|
325
|
+
desc: "Maximum seconds to allow a command to run. Default 3600.",
|
326
|
+
long_desc: "Maximum seconds to allow commands to run. Default 3600. A timed out command is considered an error."
|
324
327
|
option :inspect, type: :boolean, default: false, desc: "Use verbose/debugging output for resources."
|
325
328
|
def shell_func
|
326
329
|
o = config
|
@@ -395,6 +398,20 @@ class Inspec::InspecCLI < Inspec::BaseCLI
|
|
395
398
|
end
|
396
399
|
map %w{-v --version} => :version
|
397
400
|
|
401
|
+
desc "clear_cache", "clears the InSpec cache. Useful for debugging."
|
402
|
+
option :vendor_cache, type: :string,
|
403
|
+
desc: "Use the given path for caching dependencies. (default: ~/.inspec/cache)"
|
404
|
+
def clear_cache
|
405
|
+
o = config
|
406
|
+
configure_logger(o)
|
407
|
+
cache_path = o[:vendor_cache] || "~/.inspec/cache"
|
408
|
+
FileUtils.rm_r Dir.glob(File.expand_path(cache_path))
|
409
|
+
|
410
|
+
o[:logger] = Logger.new($stdout)
|
411
|
+
o[:logger].level = get_log_level(o[:log_level])
|
412
|
+
o[:logger].info "== InSpec cache cleared successfully =="
|
413
|
+
end
|
414
|
+
|
398
415
|
private
|
399
416
|
|
400
417
|
def run_command(opts)
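Review bot: `FileUtils.rm_r Dir.glob(File.expand_path(cache_path))` in `clear_cache` recursively deletes whatever `--vendor-cache` expands to, with no check that the path exists or is a directory, and because the value goes through `Dir.glob` any `*`, `?` or `[` in it is expanded rather than treated literally; a stray value such as `--vendor-cache ~` would remove the caller's home directory. Resolve the path once, refuse anything that is not a directory, and log what is being removed before acting: `path = File.expand_path(cache_path)`, `raise ArgumentError, "#{path} is not a directory" unless File.directory?(path)`, `FileUtils.rm_r(path)`. Separately, `configure_logger(o)` is called and then `o[:logger]` is overwritten with a fresh `Logger.new($stdout)` whose level is set again, so one of the two appears redundant.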
|
@@ -53,8 +53,9 @@ module Inspec
|
|
53
53
|
|
54
54
|
def control(id, opts = {}, &block)
|
55
55
|
opts[:skip_only_if_eval] = @skip_only_if_eval
|
56
|
-
|
57
|
-
|
56
|
+
if control_exist_in_controls_list?(id) || controls_list_empty?
|
57
|
+
register_control(Inspec::Rule.new(id, profile_id, resources_dsl, opts, &block))
|
58
|
+
end
|
58
59
|
end
|
59
60
|
alias rule control
|
60
61
|
|
@@ -68,10 +69,14 @@ module Inspec
|
|
68
69
|
id = "(generated from #{loc} #{SecureRandom.hex})"
|
69
70
|
|
70
71
|
res = nil
|
72
|
+
|
71
73
|
rule = Inspec::Rule.new(id, profile_id, resources_dsl, {}) do
|
72
74
|
res = describe(*args, &block)
|
73
75
|
end
|
74
|
-
|
76
|
+
|
77
|
+
if control_exist_in_controls_list?(id) || controls_list_empty?
|
78
|
+
register_control(rule, &block)
|
79
|
+
end
|
75
80
|
|
76
81
|
res
|
77
82
|
end
|
@@ -176,5 +181,26 @@ module Inspec
|
|
176
181
|
"#{File.basename(path)}:#{line}"
|
177
182
|
end
|
178
183
|
end
|
184
|
+
|
185
|
+
# Returns true if configuration hash is not empty and it contains the list of controls is not empty
|
186
|
+
def profile_config_exist?
|
187
|
+
!@conf.empty? && @conf.key?("profile") && !@conf["profile"].include_controls_list.empty?
|
188
|
+
end
|
189
|
+
|
190
|
+
# Returns true if configuration hash is empty or configuration hash does not have the list of controls that needs to be included
|
191
|
+
def controls_list_empty?
|
192
|
+
!@conf.empty? && @conf.key?("profile") && @conf["profile"].include_controls_list.empty? || @conf.empty?
|
193
|
+
end
|
194
|
+
|
195
|
+
# Check if the given control exist in the --controls option
|
196
|
+
def control_exist_in_controls_list?(id)
|
197
|
+
if profile_config_exist?
|
198
|
+
id_exist_in_list = @conf["profile"].include_controls_list.any? do |inclusion|
|
199
|
+
# Try to see if the inclusion is a regex, and if it matches
|
200
|
+
inclusion == id || (inclusion.is_a?(Regexp) && inclusion =~ id)
|
201
|
+
end
|
202
|
+
end
|
203
|
+
id_exist_in_list
|
204
|
+
end
|
179
205
|
end
|
180
206
|
end
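Review bot: If `@conf` can be non-empty without a `"profile"` key, `controls_list_empty?` returns false and `control_exist_in_controls_list?` returns nil (its `if profile_config_exist?` has no else branch, so `id_exist_in_list` is never assigned), and the new guard in both `control` and `describe` then registers nothing, silently yielding an empty run. Treating a missing profile entry as "no filter" closes that and removes the reliance on `&&`/`||` precedence: `@conf.empty? || !@conf.key?("profile") || @conf["profile"].include_controls_list.empty?` as the body of `controls_list_empty?`. Note also that a single registration now calls `include_controls_list` up to three times (via `controls_list_empty?`, `profile_config_exist?` and the `any?` block), which is only cheap if that method is memoised on the profile.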
|
data/lib/inspec/fetcher/git.rb
CHANGED
@@ -62,7 +62,6 @@ module Inspec::Fetcher
|
|
62
62
|
def fetch(destination_path)
|
63
63
|
@repo_directory = destination_path # Might be the cache, or vendoring, or something else
|
64
64
|
FileUtils.mkdir_p(destination_path) unless Dir.exist?(destination_path)
|
65
|
-
|
66
65
|
if cloned?
|
67
66
|
checkout
|
68
67
|
else
|
@@ -126,10 +125,25 @@ module Inspec::Fetcher
|
|
126
125
|
elsif @tag
|
127
126
|
resolve_ref(@tag)
|
128
127
|
else
|
129
|
-
resolve_ref(
|
128
|
+
resolve_ref(default_ref)
|
130
129
|
end
|
131
130
|
end
|
132
131
|
|
132
|
+
def default_ref
|
133
|
+
command_string = "git remote show #{@remote_url}"
|
134
|
+
cmd = shellout(command_string)
|
135
|
+
unless cmd.exitstatus == 0
|
136
|
+
raise(Inspec::FetcherFailure, "Profile git dependency failed with default reference - #{@remote_url} - error running '#{command_string}': #{cmd.stderr}")
|
137
|
+
else
|
138
|
+
ref = cmd.stdout.lines.detect { |l| l.include? "HEAD branch:" }&.split(":")&.last&.strip
|
139
|
+
unless ref
|
140
|
+
raise(Inspec::FetcherFailure, "Profile git dependency failed with default reference - #{@remote_url} - error running '#{command_string}': NULL reference")
|
141
|
+
end
|
142
|
+
|
143
|
+
ref
|
144
|
+
end
|
145
|
+
end
|
146
|
+
|
133
147
|
def resolve_ref(ref_name)
|
134
148
|
command_string = "git ls-remote \"#{@remote_url}\" \"#{ref_name}*\""
|
135
149
|
cmd = shellout(command_string)
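Review bot: `default_ref` interpolates `@remote_url` into `"git remote show #{@remote_url}"` unquoted, whereas `resolve_ref` directly below wraps the URL in double quotes; a dependency URL taken from a profile's `inspec.yml` that contains whitespace or shell metacharacters would therefore be split or interpreted by the shell if `shellout` runs the string through one (its implementation is outside the hunk). Quote it the same way as `resolve_ref`, `command_string = "git remote show \"#{@remote_url}\""`, or better pass an argv array if `shellout` accepts one, since a remote URL is attacker-influenced input for anyone consuming third-party profiles. The parser also accepts whatever follows `HEAD branch:`, so a remote that reports `(unknown)` is handed to `resolve_ref` as a ref name rather than failing with a clear message.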
|
@@ -82,6 +82,7 @@ module Inspec
|
|
82
82
|
def find_or_register_input(input_name, profile_name, options = {})
|
83
83
|
input_name = input_name.to_s
|
84
84
|
profile_name = profile_name.to_s
|
85
|
+
options[:event].value = Thor::CoreExt::HashWithIndifferentAccess.new(options[:event].value) if options[:event]&.value.is_a?(Hash)
|
85
86
|
|
86
87
|
if profile_alias?(profile_name) && !profile_aliases[profile_name].nil?
|
87
88
|
alias_name = profile_name
|
data/lib/inspec/profile.rb
CHANGED
@@ -225,14 +225,17 @@ module Inspec
|
|
225
225
|
end
|
226
226
|
@tests_collected = true
|
227
227
|
end
|
228
|
-
|
228
|
+
@runner_context.all_rules
|
229
229
|
end
|
230
230
|
|
231
|
-
|
232
|
-
|
231
|
+
# This creates the list of controls provided in the --controls options which need to be include
|
232
|
+
# for evaluation.
|
233
|
+
def include_controls_list
|
234
|
+
return [] if @controls.nil? || @controls.empty?
|
233
235
|
|
236
|
+
included_controls = @controls
|
234
237
|
# Check for anything that might be a regex in the list, and make it official
|
235
|
-
|
238
|
+
included_controls.each_with_index do |inclusion, index|
|
236
239
|
next if inclusion.is_a?(Regexp)
|
237
240
|
# Insist the user wrap the regex in slashes to demarcate it as a regex
|
238
241
|
next unless inclusion.start_with?("/") && inclusion.end_with?("/")
|
@@ -240,21 +243,14 @@ module Inspec
|
|
240
243
|
inclusion = inclusion[1..-2] # Trim slashes
|
241
244
|
begin
|
242
245
|
re = Regexp.new(inclusion)
|
243
|
-
|
246
|
+
included_controls[index] = re
|
244
247
|
rescue RegexpError => e
|
245
248
|
warn "Ignoring unparseable regex '/#{inclusion}/' in --control CLI option: #{e.message}"
|
246
|
-
|
247
|
-
end
|
248
|
-
end
|
249
|
-
include_list.compact!
|
250
|
-
|
251
|
-
controls_array.select do |c|
|
252
|
-
id = ::Inspec::Rule.rule_id(c)
|
253
|
-
include_list.any? do |inclusion|
|
254
|
-
# Try to see if the inclusion is a regex, and if it matches
|
255
|
-
inclusion == id || (inclusion.is_a?(Regexp) && inclusion =~ id)
|
249
|
+
included_controls[index] = nil
|
256
250
|
end
|
257
251
|
end
|
252
|
+
included_controls.compact!
|
253
|
+
included_controls
|
258
254
|
end
|
259
255
|
|
260
256
|
def load_libraries
|
data/lib/inspec/reporters/cli.rb
CHANGED
@@ -8,7 +8,7 @@ module Inspec::Reporters
|
|
8
8
|
end
|
9
9
|
|
10
10
|
def report
|
11
|
-
{
|
11
|
+
output = {
|
12
12
|
platform: platform,
|
13
13
|
profiles: profiles,
|
14
14
|
statistics: {
|
@@ -16,6 +16,11 @@ module Inspec::Reporters
|
|
16
16
|
},
|
17
17
|
version: run_data[:version],
|
18
18
|
}
|
19
|
+
|
20
|
+
%w{passthrough}.each do |option|
|
21
|
+
output[option.to_sym] = @config[option] unless @config[option].nil?
|
22
|
+
end
|
23
|
+
output
|
19
24
|
end
|
20
25
|
|
21
26
|
private
|
@@ -24,7 +24,7 @@ module Inspec::Reporters
|
|
24
24
|
version: run_data[:version],
|
25
25
|
}
|
26
26
|
|
27
|
-
# optional
|
27
|
+
# optional jsonconfig passthrough options
|
28
28
|
%w{node_name environment roles job_uuid passthrough}.each do |option|
|
29
29
|
output[option.to_sym] = @config[option] unless @config[option].nil?
|
30
30
|
end
|
data/lib/inspec/resources/apt.rb
CHANGED
@@ -78,7 +78,7 @@ module Inspec::Resources
|
|
78
78
|
return @repo_cache if defined?(@repo_cache)
|
79
79
|
|
80
80
|
# load all lists
|
81
|
-
cmd = inspec.command("find /etc/apt/ -name
|
81
|
+
cmd = inspec.command("find /etc/apt/ -name \"*.list\" -exec sh -c 'cat {} || echo -n' \\;")
|
82
82
|
|
83
83
|
# @see https://help.ubuntu.com/community/Repositories/CommandLine#Explanation_of_the_Repository_Format
|
84
84
|
@repo_cache = cmd.stdout.lines.map do |raw_line|
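Review bot: The new command substitutes each filename into a `sh -c` string via `{}`, so a file under `/etc/apt/` whose name contains shell metacharacters (for example `x;id.list`) is executed rather than read; impact is limited because that directory is normally root-owned, but the resource runs with whatever privilege the target connection has. Pass the name as a positional argument instead: `find /etc/apt/ -name "*.list" -exec sh -c 'cat "$1" || echo -n' sh {} \;`, or drop the shell entirely with `-exec cat {} \;` if the `|| echo -n` exists only to keep the overall exit status zero. The pattern still matches only `*.list`, so deb822 `*.sources` files are invisible to this resource; that is inherited behaviour, not new, but worth a comment.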
|
@@ -32,6 +32,17 @@ module Inspec::Resources
|
|
32
32
|
|
33
33
|
@command = cmd
|
34
34
|
|
35
|
+
cli_timeout = Inspec::Config.cached["command_timeout"].to_i
|
36
|
+
# Can access this via Inspec::InspecCLI.commands["exec"].options[:command_timeout].default,
|
37
|
+
# but that may not be loaded for kitchen-inspec and other pure gem consumers
|
38
|
+
default_cli_timeout = 3600
|
39
|
+
cli_timeout = default_cli_timeout if cli_timeout == 0 # Under test-kitchen we get a 0 timeout, which can't be a resonable value
|
40
|
+
if cli_timeout != default_cli_timeout
|
41
|
+
@timeout = cli_timeout
|
42
|
+
else
|
43
|
+
@timeout = options[:timeout]&.to_i || default_cli_timeout
|
44
|
+
end
|
45
|
+
|
35
46
|
if options[:redact_regex]
|
36
47
|
unless options[:redact_regex].is_a?(Regexp)
|
37
48
|
# Make sure command is replaced so sensitive output isn't shown
|
@@ -44,7 +55,15 @@ module Inspec::Resources
|
|
44
55
|
end
|
45
56
|
|
46
57
|
def result
|
47
|
-
@result ||=
|
58
|
+
@result ||= begin
|
59
|
+
inspec.backend.run_command(@command, timeout: @timeout)
|
60
|
+
rescue Train::CommandTimeoutReached
|
61
|
+
# Without a small sleep, the train connection gets broken
|
62
|
+
# We've already timed out, so a small sleep is not likely to be painful here.
|
63
|
+
sleep 0.1
|
64
|
+
raise Inspec::Exceptions::ResourceFailed,
|
65
|
+
"Command `#{@command}` timed out after #{@timeout} seconds"
|
66
|
+
end
|
48
67
|
end
|
49
68
|
|
50
69
|
def stdout
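Review bot: The timeout error message interpolates `@command` verbatim, yet the `redact_regex` branch just below the new timeout code exists precisely so the raw command is not shown; a timed-out command containing a password or token would therefore surface in the clear through the `ResourceFailed` message, so build it from whatever redacted form that branch stores rather than `@command`. The CLI/resource precedence also only special-cases `0`: a negative `--command-timeout` is passed straight to `run_command`, and an explicit `--command-timeout 3600` is indistinguishable from "not set", so it cannot override a resource-level `timeout:`. `cli_timeout = default_cli_timeout if cli_timeout <= 0` closes the first gap; the second needs a "was it set" signal from the config rather than a value comparison. `initialize` begins above the hunk.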
|
@@ -67,8 +67,14 @@ module Inspec::Resources
|
|
67
67
|
end
|
68
68
|
|
69
69
|
def crontab_cmd
|
70
|
-
|
71
|
-
|
70
|
+
if @user.nil?
|
71
|
+
"crontab -l"
|
72
|
+
elsif inspec.os.aix?
|
73
|
+
"crontab -l #{@user}"
|
74
|
+
else
|
75
|
+
# TODO: the -u scenario needs to be able to do sudo
|
76
|
+
"crontab -l -u #{@user}"
|
77
|
+
end
|
72
78
|
end
|
73
79
|
|
74
80
|
filter = FilterTable.create
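Review bot: `crontab_cmd` interpolates `@user` into the shell command unquoted (`"crontab -l -u #{@user}"`), so a user value sourced from a profile input that contains spaces or metacharacters alters the command rather than naming a user. Since `@user` is assigned outside the hunk, validate it where it is set or at the top of this method, e.g. `raise ArgumentError, "invalid crontab user #{@user.inspect}" unless @user.to_s.match?(/\A[\w.-]+\z/)`, adjusting the character class to the platforms' username rules. The `TODO` about sudo means the `-u` form presumably fails for non-root connections; the resource docs should state that this surfaces as a failed command, not as an empty crontab.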
|
data/lib/inspec/runner_rspec.rb
CHANGED
@@ -5,7 +5,7 @@ require "matchers/matchers"
|
|
5
5
|
require "inspec/rspec_extensions"
|
6
6
|
|
7
7
|
# There be dragons!! Or borgs, or something...
|
8
|
-
# This file and all its contents cannot be unit-tested. both test-
|
8
|
+
# This file and all its contents cannot be unit-tested. both test-suites
|
9
9
|
# collide and disable all unit tests that have been added.
|
10
10
|
|
11
11
|
module Inspec
|
data/lib/inspec/utils/filter.rb
CHANGED
@@ -36,14 +36,20 @@ module FilterTable
|
|
36
36
|
# RSpec will check the object returned to see if it responds to a method
|
37
37
|
# before calling it. We need to fake it out and tell it that it does. This
|
38
38
|
# allows it to skip past that check and fall through to #method_missing
|
39
|
-
def respond_to?(_method)
|
39
|
+
def respond_to?(_method, include_all = false)
|
40
40
|
true
|
41
41
|
end
|
42
42
|
|
43
43
|
def to_s
|
44
|
-
@original_resource.
|
44
|
+
"#{@original_resource} (#{@original_exception.message})"
|
45
45
|
end
|
46
46
|
alias inspect to_s
|
47
|
+
|
48
|
+
# Rspec is not able to convert FilterTable::ExceptionCatcher issue https://github.com/inspec/inspec/issues/5369
|
49
|
+
# which result into not showing actual exception message this allows to convert it properly.
|
50
|
+
def to_ary
|
51
|
+
[ to_s ]
|
52
|
+
end
|
47
53
|
end
|
48
54
|
|
49
55
|
class Trace
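Review bot: Defining `to_ary` on the exception catcher changes how Ruby treats the object anywhere an implicit array conversion happens (`Array#flatten`, block-parameter destructuring, `puts`), not only in RSpec's failure-message path, so the object now splats into a one-element string array in any such context. If that is intended, say so next to the method: `# NOTE: to_ary makes this object splat to [message] wherever Ruby implicitly converts to an array, not just in RSpec output (see issue 5369).` The `respond_to?` signature change is correct for the optional `include_all` argument, but the always-`true` answer is a pre-existing hazard worth recording in the comment above it.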
|
@@ -13,6 +13,7 @@ module Inspec
|
|
13
13
|
def apply_run_data_filters_to_hash
|
14
14
|
@config[:runtime_config] = Inspec::Config.cached || {}
|
15
15
|
apply_report_resize_options
|
16
|
+
filter_empty_profiles
|
16
17
|
redact_sensitive_inputs
|
17
18
|
suppress_diff_output
|
18
19
|
sort_controls
|
@@ -36,6 +37,14 @@ module Inspec
|
|
36
37
|
end
|
37
38
|
end
|
38
39
|
|
40
|
+
# Filters profiles from report which don't have controls in it.
|
41
|
+
def filter_empty_profiles
|
42
|
+
runtime_config = @config[:runtime_config]
|
43
|
+
if runtime_config[:filter_empty_profiles] && @run_data[:profiles].count > 1
|
44
|
+
@run_data[:profiles].delete_if { |p| p[:controls].empty? }
|
45
|
+
end
|
46
|
+
end
|
47
|
+
|
39
48
|
# Find any inputs with :sensitive = true and replace their values with "***"
|
40
49
|
def redact_sensitive_inputs
|
41
50
|
@run_data[:profiles]&.each do |p|
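Review bot: `filter_empty_profiles` calls `p[:controls].empty?` directly while the neighbouring filter uses safe navigation (`@run_data[:profiles]&.each`), so a profile entry with no `:controls` key would raise `NoMethodError` during report generation instead of being dropped; `Array(p[:controls]).empty?` handles both cases. The `count > 1` guard is non-obvious and deserves a why-comment, e.g. `# keep a lone empty profile so the report is never emptied entirely`. Whether `runtime_config[:filter_empty_profiles]` is reachable with a symbol key depends on what `Inspec::Config.cached` returns, which is outside this hunk.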
|
data/lib/inspec/version.rb
CHANGED
data/lib/matchers/matchers.rb
CHANGED
@@ -287,7 +287,7 @@ RSpec::Matchers.define :cmp do |first_expected| # rubocop:disable Metrics/BlockL
|
|
287
287
|
end
|
288
288
|
|
289
289
|
def format_actual(actual)
|
290
|
-
actual = "0%o" % actual if octal?(@expected)
|
290
|
+
actual = "0%o" % actual if octal?(@expected) && !actual.nil?
|
291
291
|
"\n%s\n got: %s\n\n(compared using `cmp` matcher)\n" % [format_expectation(false), actual]
|
292
292
|
end
|
293
293
|
|
@@ -2,7 +2,7 @@
|
|
2
2
|
|
3
3
|
This example shows the implementation of an InSpec profile for AWS.
|
4
4
|
|
5
|
-
## Create a profile
|
5
|
+
## Create a profile
|
6
6
|
|
7
7
|
```
|
8
8
|
$ inspec init profile --platform aws my-profile
|
@@ -15,12 +15,12 @@ Creating new profile at /Users/spaterson/my-profile
|
|
15
15
|
• Creating directory controls
|
16
16
|
• Creating file controls/example.rb
|
17
17
|
• Creating file inspec.yml
|
18
|
-
• Creating file
|
18
|
+
• Creating file inputs.yml
|
19
19
|
• Creating file libraries/.gitkeep
|
20
|
-
|
20
|
+
|
21
21
|
```
|
22
22
|
|
23
|
-
## Optionally update `
|
23
|
+
## Optionally update `inputs.yml` to point to your custom VPC
|
24
24
|
|
25
25
|
```
|
26
26
|
aws_vpc_id: 'custom-vpc-id'
|
@@ -32,11 +32,11 @@ The related control will simply be skipped if this is not provided. See the [In
|
|
32
32
|
|
33
33
|
### With a VPC Identifier
|
34
34
|
|
35
|
-
With a supplied VPC identifier in `
|
35
|
+
With a supplied VPC identifier in `inputs.yml` both of the example controls will run. The 'aws-single-vpc-exists-check' control will only check for a VPC identifier in the currently configured AWS SDK region e.g. `eu-west-2` in the below:
|
36
36
|
|
37
37
|
```
|
38
38
|
$ cd my-profile/
|
39
|
-
$ inspec exec . -t aws:// --
|
39
|
+
$ inspec exec . -t aws:// --input-file=inputs.yml
|
40
40
|
|
41
41
|
Profile: AWS InSpec Profile (my-profile)
|
42
42
|
Version: 0.1.0
|
@@ -111,13 +111,13 @@ Test Summary: 53 successful, 0 failures, 0 skipped
|
|
111
111
|
```
|
112
112
|
|
113
113
|
|
114
|
-
### Without Supplying a VPC Identifier
|
114
|
+
### Without Supplying a VPC Identifier
|
115
115
|
|
116
|
-
If no VPC identifier is supplied, the 'aws-single-vpc-exists-check' control is skipped and the other control runs. The `
|
116
|
+
If no VPC identifier is supplied, the 'aws-single-vpc-exists-check' control is skipped and the other control runs. The `inputs.yml` file does not have to be specified to InSpec in this case.
|
117
117
|
|
118
118
|
```
|
119
119
|
$ cd my-profile/
|
120
|
-
$ inspec exec . -t aws://
|
120
|
+
$ inspec exec . -t aws://
|
121
121
|
|
122
122
|
Profile: AWS InSpec Profile (my-profile)
|
123
123
|
Version: 0.1.0
|
@@ -189,4 +189,4 @@ Target: aws://eu-west-2
|
|
189
189
|
|
190
190
|
Profile Summary: 2 successful controls, 0 control failures, 1 control skipped
|
191
191
|
Test Summary: 52 successful, 0 failures, 1 skipped
|
192
|
-
```
|
192
|
+
```
|
@@ -2,11 +2,11 @@
|
|
2
2
|
|
3
3
|
title "Sample Section"
|
4
4
|
|
5
|
-
aws_vpc_id =
|
5
|
+
aws_vpc_id = input("aws_vpc_id")
|
6
6
|
|
7
7
|
# You add controls here
|
8
|
-
control "aws-single-vpc-exists-check" do
|
9
|
-
only_if { aws_vpc_id != "" }
|
8
|
+
control "aws-single-vpc-exists-check" do # A unique ID for this control.
|
9
|
+
only_if { aws_vpc_id != "" } # Only run this control if the `aws_vpc_id` input is provided.
|
10
10
|
impact 1.0 # The criticality, if this control fails.
|
11
11
|
title "Check to see if custom VPC exists." # A human-readable title.
|
12
12
|
describe aws_vpc(aws_vpc_id) do # The test itself.
|
File without changes
|
@@ -7,14 +7,13 @@ license: Apache-2.0
|
|
7
7
|
summary: An InSpec Compliance Profile For AWS
|
8
8
|
version: 0.1.0
|
9
9
|
inspec_version: '~> 4'
|
10
|
-
|
10
|
+
inputs:
|
11
11
|
- name: aws_vpc_id
|
12
12
|
required: false
|
13
13
|
# Below is deliberately left as a default empty string to allow the profile to run when this is not provided.
|
14
14
|
# Please see the README for more details.
|
15
|
-
|
15
|
+
value: ''
|
16
16
|
description: 'Optional Custom AWS VPC Id'
|
17
|
-
type: string
|
18
17
|
depends:
|
19
18
|
- name: inspec-aws
|
20
19
|
url: https://github.com/inspec/inspec-aws/archive/master.tar.gz
|
@@ -2,7 +2,7 @@
|
|
2
2
|
|
3
3
|
This example shows the implementation of an InSpec profile for GCP that depends on the [InSpec GCP Resource Pack](https://github.com/inspec/inspec-gcp). See the [README](https://github.com/inspec/inspec-gcp) for instructions on setting up appropriate GCP credentials.
|
4
4
|
|
5
|
-
## Create a profile
|
5
|
+
## Create a profile
|
6
6
|
|
7
7
|
```
|
8
8
|
$ inspec init profile --platform gcp my-profile
|
@@ -12,12 +12,12 @@ Create new profile at /Users/spaterson/my-profile
|
|
12
12
|
* Create directory controls
|
13
13
|
* Create file controls/example.rb
|
14
14
|
* Create file inspec.yml
|
15
|
-
* Create file
|
16
|
-
* Create file libraries/.gitkeep
|
17
|
-
|
15
|
+
* Create file inputs.yml
|
16
|
+
* Create file libraries/.gitkeep
|
17
|
+
|
18
18
|
```
|
19
19
|
|
20
|
-
## Update `
|
20
|
+
## Update `inputs.yml` to point to your project
|
21
21
|
|
22
22
|
```
|
23
23
|
gcp_project_id: 'my-gcp-project'
|
@@ -27,7 +27,7 @@ gcp_project_id: 'my-gcp-project'
|
|
27
27
|
|
28
28
|
```
|
29
29
|
$ cd gcp-profile/
|
30
|
-
$ inspec exec . -t gcp:// --
|
30
|
+
$ inspec exec . -t gcp:// --input-file=inputs.yml
|
31
31
|
|
32
32
|
Profile: GCP InSpec Profile (my-profile)
|
33
33
|
Version: 0.1.0
|
@@ -63,4 +63,4 @@ Target: gcp://local-service-account@my-gcp-project.iam.gserviceaccount.com
|
|
63
63
|
|
64
64
|
Profile Summary: 2 successful controls, 0 control failures, 0 controls skipped
|
65
65
|
Test Summary: 18 successful, 0 failures, 0 skipped
|
66
|
-
```
|
66
|
+
```
|
File without changes
|
@@ -6,14 +6,13 @@ copyright_email: you@example.com
|
|
6
6
|
license: Apache-2.0
|
7
7
|
summary: An InSpec Compliance Profile For GCP
|
8
8
|
version: 0.1.0
|
9
|
-
inspec_version: '>=
|
10
|
-
|
9
|
+
inspec_version: '>= 4'
|
10
|
+
inputs:
|
11
11
|
- name: gcp_project_id
|
12
12
|
required: true
|
13
13
|
description: 'The GCP project identifier.'
|
14
|
-
type: string
|
15
14
|
depends:
|
16
15
|
- name: inspec-gcp
|
17
16
|
url: https://github.com/inspec/inspec-gcp/archive/master.tar.gz
|
18
17
|
supports:
|
19
|
-
- platform: gcp
|
18
|
+
- platform: gcp
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: inspec-core
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 4.
|
4
|
+
version: 4.31.1
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Chef InSpec Team
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2021-
|
11
|
+
date: 2021-04-08 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: chef-telemetry
|
@@ -711,15 +711,15 @@ files:
|
|
711
711
|
- lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template/reporter.rb
|
712
712
|
- lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template/version.rb
|
713
713
|
- lib/plugins/inspec-init/templates/profiles/aws/README.md
|
714
|
-
- lib/plugins/inspec-init/templates/profiles/aws/attributes.yml
|
715
714
|
- lib/plugins/inspec-init/templates/profiles/aws/controls/example.rb
|
715
|
+
- lib/plugins/inspec-init/templates/profiles/aws/inputs.yml
|
716
716
|
- lib/plugins/inspec-init/templates/profiles/aws/inspec.yml
|
717
717
|
- lib/plugins/inspec-init/templates/profiles/azure/README.md
|
718
718
|
- lib/plugins/inspec-init/templates/profiles/azure/controls/example.rb
|
719
719
|
- lib/plugins/inspec-init/templates/profiles/azure/inspec.yml
|
720
720
|
- lib/plugins/inspec-init/templates/profiles/gcp/README.md
|
721
|
-
- lib/plugins/inspec-init/templates/profiles/gcp/attributes.yml
|
722
721
|
- lib/plugins/inspec-init/templates/profiles/gcp/controls/example.rb
|
722
|
+
- lib/plugins/inspec-init/templates/profiles/gcp/inputs.yml
|
723
723
|
- lib/plugins/inspec-init/templates/profiles/gcp/inspec.yml
|
724
724
|
- lib/plugins/inspec-init/templates/profiles/os/README.md
|
725
725
|
- lib/plugins/inspec-init/templates/profiles/os/controls/example.rb
|