inspec-core 4.28.0 → 4.33.1
- checksums.yaml +4 -4
- data/lib/inspec/base_cli.rb +7 -0
- data/lib/inspec/cli.rb +7 -0
- data/lib/inspec/control_eval_context.rb +29 -3
- data/lib/inspec/fetcher/git.rb +16 -2
- data/lib/inspec/input_registry.rb +1 -0
- data/lib/inspec/profile.rb +11 -15
- data/lib/inspec/reporters/cli.rb +64 -1
- data/lib/inspec/reporters/json.rb +6 -1
- data/lib/inspec/reporters/json_automate.rb +1 -1
- data/lib/inspec/resources/apt.rb +1 -1
- data/lib/inspec/resources/command.rb +14 -1
- data/lib/inspec/utils/filter.rb +8 -2
- data/lib/inspec/version.rb +1 -1
- data/lib/plugins/inspec-init/templates/profiles/aws/README.md +10 -10
- data/lib/plugins/inspec-init/templates/profiles/aws/controls/example.rb +3 -3
- data/lib/plugins/inspec-init/templates/profiles/aws/{attributes.yml → inputs.yml} +0 -0
- data/lib/plugins/inspec-init/templates/profiles/aws/inspec.yml +2 -3
- data/lib/plugins/inspec-init/templates/profiles/gcp/README.md +7 -7
- data/lib/plugins/inspec-init/templates/profiles/gcp/controls/example.rb +1 -1
- data/lib/plugins/inspec-init/templates/profiles/gcp/{attributes.yml → inputs.yml} +0 -0
- data/lib/plugins/inspec-init/templates/profiles/gcp/inspec.yml +3 -4
- metadata +4 -4
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: ec42612f75dc95f62517b85b024c039ad15965f7c98dfaecb9494161b9f85611
|
4
|
+
data.tar.gz: 6373b89393e737cacdcb859ca510758afb9ce7e16d89e90d86877205a3d8d335
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: f1591b7c166d00fe78037f703eb55292384b2c2b13195db150da008b198424177809078db9509054af664f91aca8bae06f93f41939d808263cc78baf0414f29c
|
7
|
+
data.tar.gz: 5124bfc3a8b676bd097efc319233fec94d3fd3739b727e1b92678c7929d280c093c46136b80607f166d164e0bd85586b9ce560e2ebed0eadbd7f35d09bd517b9
|
data/lib/inspec/base_cli.rb
CHANGED
@@ -120,6 +120,8 @@ module Inspec
|
|
120
120
|
desc: "Provide a ID which will be included on reports"
|
121
121
|
option :winrm_shell_type, type: :string, default: "powershell",
|
122
122
|
desc: "Specify a shell type for winrm (eg. 'elevated' or 'powershell')"
|
123
|
+
option :docker_url, type: :string,
|
124
|
+
desc: "Provides path to Docker API endpoint (Docker)"
|
123
125
|
end
|
124
126
|
|
125
127
|
def self.profile_options
|
@@ -166,6 +168,11 @@ module Inspec
|
|
166
168
|
desc: "After normal execution order, results are sorted by control ID, or by file (default), or randomly. None uses legacy unsorted mode."
|
167
169
|
option :filter_empty_profiles, type: :boolean, default: false,
|
168
170
|
desc: "Filter empty profiles (profiles without controls) from the report."
|
171
|
+
option :command_timeout, type: :numeric,
|
172
|
+
desc: "Maximum seconds to allow commands to run during execution.",
|
173
|
+
long_desc: "Maximum seconds to allow commands to run during execution. A timed out command is considered an error."
|
174
|
+
option :reporter_include_source, type: :boolean, default: false,
|
175
|
+
desc: "Include full source code of controls in the CLI report"
|
169
176
|
end
|
170
177
|
|
171
178
|
def self.help(*args)
|
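Review bot: The `option :command_timeout` declaration in the second hunk is repeated in the `inspec shell` options in cli.rb with different help text ("Maximum seconds to allow commands to run during execution." here, "Maximum seconds to allow a command to run." there), so the two help screens describe the same setting differently; pulling the `desc`/`long_desc` strings into one constant keeps them in sync. Neither declaration says what a value of 0 means, although the command resource changed in this same release normalises 0 to "no CLI timeout" and falls back to the resource's own `timeout:` option, so `desc: "Maximum seconds to allow commands to run during execution (0 leaves the timeout unset)."` would save readers a trip through the source. Thor's `:numeric` also accepts negative and fractional values and nothing here rejects them; the consumer only applies `to_i`.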
data/lib/inspec/cli.rb
CHANGED
@@ -321,7 +321,14 @@ class Inspec::InspecCLI < Inspec::BaseCLI
|
|
321
321
|
desc: "A space-delimited list of local folders containing profiles whose libraries and resources will be loaded into the new shell"
|
322
322
|
option :distinct_exit, type: :boolean, default: true,
|
323
323
|
desc: "Exit with code 100 if any tests fail, and 101 if any are skipped but none failed (default). If disabled, exit 0 on skips and 1 for failures."
|
324
|
+
option :command_timeout, type: :numeric,
|
325
|
+
desc: "Maximum seconds to allow a command to run.",
|
326
|
+
long_desc: "Maximum seconds to allow commands to run. A timed out command is considered an error."
|
324
327
|
option :inspect, type: :boolean, default: false, desc: "Use verbose/debugging output for resources."
|
328
|
+
option :input_file, type: :array,
|
329
|
+
desc: "Load one or more input files, a YAML file with values for the shell to use"
|
330
|
+
option :input, type: :array, banner: "name1=value1 name2=value2",
|
331
|
+
desc: "Specify one or more inputs directly on the command line to the shell, as --input NAME=VALUE. Accepts single-quoted YAML and JSON structures."
|
325
332
|
def shell_func
|
326
333
|
o = config
|
327
334
|
diagnose(o)
|
@@ -53,8 +53,9 @@ module Inspec
|
|
53
53
|
|
54
54
|
def control(id, opts = {}, &block)
|
55
55
|
opts[:skip_only_if_eval] = @skip_only_if_eval
|
56
|
-
|
57
|
-
|
56
|
+
if control_exist_in_controls_list?(id) || controls_list_empty?
|
57
|
+
register_control(Inspec::Rule.new(id, profile_id, resources_dsl, opts, &block))
|
58
|
+
end
|
58
59
|
end
|
59
60
|
alias rule control
|
60
61
|
|
@@ -68,10 +69,14 @@ module Inspec
|
|
68
69
|
id = "(generated from #{loc} #{SecureRandom.hex})"
|
69
70
|
|
70
71
|
res = nil
|
72
|
+
|
71
73
|
rule = Inspec::Rule.new(id, profile_id, resources_dsl, {}) do
|
72
74
|
res = describe(*args, &block)
|
73
75
|
end
|
74
|
-
|
76
|
+
|
77
|
+
if control_exist_in_controls_list?(id) || controls_list_empty?
|
78
|
+
register_control(rule, &block)
|
79
|
+
end
|
75
80
|
|
76
81
|
res
|
77
82
|
end
|
@@ -176,5 +181,26 @@ module Inspec
|
|
176
181
|
"#{File.basename(path)}:#{line}"
|
177
182
|
end
|
178
183
|
end
|
184
|
+
|
185
|
+
# Returns true if configuration hash is not empty and it contains the list of controls is not empty
|
186
|
+
def profile_config_exist?
|
187
|
+
!@conf.empty? && @conf.key?("profile") && !@conf["profile"].include_controls_list.empty?
|
188
|
+
end
|
189
|
+
|
190
|
+
# Returns true if configuration hash is empty or configuration hash does not have the list of controls that needs to be included
|
191
|
+
def controls_list_empty?
|
192
|
+
!@conf.empty? && @conf.key?("profile") && @conf["profile"].include_controls_list.empty? || @conf.empty?
|
193
|
+
end
|
194
|
+
|
195
|
+
# Check if the given control exist in the --controls option
|
196
|
+
def control_exist_in_controls_list?(id)
|
197
|
+
if profile_config_exist?
|
198
|
+
id_exist_in_list = @conf["profile"].include_controls_list.any? do |inclusion|
|
199
|
+
# Try to see if the inclusion is a regex, and if it matches
|
200
|
+
inclusion == id || (inclusion.is_a?(Regexp) && inclusion =~ id)
|
201
|
+
end
|
202
|
+
end
|
203
|
+
id_exist_in_list
|
204
|
+
end
|
179
205
|
end
|
180
206
|
end
|
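Review bot: `controls_list_empty?` and `profile_config_exist?` are both false when `@conf` is non-empty but has no "profile" key, so the new guard `if control_exist_in_controls_list?(id) || controls_list_empty?` in `control` (and the identical guard in the `describe` hunk) registers nothing in that state and every control is silently dropped. If that state is reachable (how `@conf` is populated is outside these hunks), the predicate `@conf.empty? || !@conf.key?("profile") || @conf["profile"].include_controls_list.empty?` says what the method name promises and also removes the unparenthesised `&& … ||` mix, which parses as `(a && b && c) || d` and is easy to misread. `control_exist_in_controls_list?` returns `nil` rather than `false` when `profile_config_exist?` is false because `id_exist_in_list` is never assigned on that path; a guard clause `return false unless profile_config_exist?` makes both outcomes explicit. The comment on `profile_config_exist?` reads "it contains the list of controls is not empty"; suggest `# True when @conf has a "profile" whose --controls inclusion list is non-empty`.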
data/lib/inspec/fetcher/git.rb
CHANGED
@@ -62,7 +62,6 @@ module Inspec::Fetcher
|
|
62
62
|
def fetch(destination_path)
|
63
63
|
@repo_directory = destination_path # Might be the cache, or vendoring, or something else
|
64
64
|
FileUtils.mkdir_p(destination_path) unless Dir.exist?(destination_path)
|
65
|
-
|
66
65
|
if cloned?
|
67
66
|
checkout
|
68
67
|
else
|
@@ -126,10 +125,25 @@ module Inspec::Fetcher
|
|
126
125
|
elsif @tag
|
127
126
|
resolve_ref(@tag)
|
128
127
|
else
|
129
|
-
resolve_ref(
|
128
|
+
resolve_ref(default_ref)
|
130
129
|
end
|
131
130
|
end
|
132
131
|
|
132
|
+
def default_ref
|
133
|
+
command_string = "git remote show #{@remote_url}"
|
134
|
+
cmd = shellout(command_string)
|
135
|
+
unless cmd.exitstatus == 0
|
136
|
+
raise(Inspec::FetcherFailure, "Profile git dependency failed with default reference - #{@remote_url} - error running '#{command_string}': #{cmd.stderr}")
|
137
|
+
else
|
138
|
+
ref = cmd.stdout.lines.detect { |l| l.include? "HEAD branch:" }&.split(":")&.last&.strip
|
139
|
+
unless ref
|
140
|
+
raise(Inspec::FetcherFailure, "Profile git dependency failed with default reference - #{@remote_url} - error running '#{command_string}': NULL reference")
|
141
|
+
end
|
142
|
+
|
143
|
+
ref
|
144
|
+
end
|
145
|
+
end
|
146
|
+
|
133
147
|
def resolve_ref(ref_name)
|
134
148
|
command_string = "git ls-remote \"#{@remote_url}\" \"#{ref_name}*\""
|
135
149
|
cmd = shellout(command_string)
|
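Review bot: `default_ref` interpolates `@remote_url` unquoted into `"git remote show #{@remote_url}"`, while `resolve_ref` directly below wraps the same value in double quotes (`git ls-remote \"#{@remote_url}\"`), so a dependency URL containing whitespace or shell metacharacters is split or interpreted by the shell on this path but not on the other. The URL comes from a profile's dependency declaration rather than from the operator alone, so either quote it the same way, `command_string = "git remote show \"#{@remote_url}\""`, or, if `shellout` goes through a shell (its implementation is outside the hunk), escape it with `Shellwords.escape(@remote_url)`. The second `Inspec::FetcherFailure` message reports "NULL reference" when no `HEAD branch:` line was found; "no 'HEAD branch:' line in `git remote show` output" tells the user what actually happened. `resolve_ref` continues past the end of the hunk.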
@@ -82,6 +82,7 @@ module Inspec
|
|
82
82
|
def find_or_register_input(input_name, profile_name, options = {})
|
83
83
|
input_name = input_name.to_s
|
84
84
|
profile_name = profile_name.to_s
|
85
|
+
options[:event].value = Thor::CoreExt::HashWithIndifferentAccess.new(options[:event].value) if options[:event]&.value.is_a?(Hash)
|
85
86
|
|
86
87
|
if profile_alias?(profile_name) && !profile_aliases[profile_name].nil?
|
87
88
|
alias_name = profile_name
|
data/lib/inspec/profile.rb
CHANGED
@@ -225,14 +225,17 @@ module Inspec
|
|
225
225
|
end
|
226
226
|
@tests_collected = true
|
227
227
|
end
|
228
|
-
|
228
|
+
@runner_context.all_rules
|
229
229
|
end
|
230
230
|
|
231
|
-
|
232
|
-
|
231
|
+
# This creates the list of controls provided in the --controls options which need to be include
|
232
|
+
# for evaluation.
|
233
|
+
def include_controls_list
|
234
|
+
return [] if @controls.nil? || @controls.empty?
|
233
235
|
|
236
|
+
included_controls = @controls
|
234
237
|
# Check for anything that might be a regex in the list, and make it official
|
235
|
-
|
238
|
+
included_controls.each_with_index do |inclusion, index|
|
236
239
|
next if inclusion.is_a?(Regexp)
|
237
240
|
# Insist the user wrap the regex in slashes to demarcate it as a regex
|
238
241
|
next unless inclusion.start_with?("/") && inclusion.end_with?("/")
|
@@ -240,21 +243,14 @@ module Inspec
|
|
240
243
|
inclusion = inclusion[1..-2] # Trim slashes
|
241
244
|
begin
|
242
245
|
re = Regexp.new(inclusion)
|
243
|
-
|
246
|
+
included_controls[index] = re
|
244
247
|
rescue RegexpError => e
|
245
248
|
warn "Ignoring unparseable regex '/#{inclusion}/' in --control CLI option: #{e.message}"
|
246
|
-
|
247
|
-
end
|
248
|
-
end
|
249
|
-
include_list.compact!
|
250
|
-
|
251
|
-
controls_array.select do |c|
|
252
|
-
id = ::Inspec::Rule.rule_id(c)
|
253
|
-
include_list.any? do |inclusion|
|
254
|
-
# Try to see if the inclusion is a regex, and if it matches
|
255
|
-
inclusion == id || (inclusion.is_a?(Regexp) && inclusion =~ id)
|
249
|
+
included_controls[index] = nil
|
256
250
|
end
|
257
251
|
end
|
252
|
+
included_controls.compact!
|
253
|
+
included_controls
|
258
254
|
end
|
259
255
|
|
260
256
|
def load_libraries
|
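Review bot: `include_controls_list` mutates `@controls` in place — `included_controls = @controls` aliases the array, the loop then writes `Regexp` objects and `nil` into it, and `compact!` shrinks it — and it recomputes on every call, while the control-registration predicates added in control_eval_context.rb in this same release call it several times per control. After the first call the slash-wrapped entries are already `Regexp` and unparseable ones are gone, so repeat calls are cheap, but editing a CLI option array in place will surprise anyone who later reads `@controls`; memoising the result (`@include_controls_list ||= begin … end`) over a copy (`included_controls = @controls.dup`) keeps the warning single-shot without the side effect, assuming `@controls` is not reassigned after first use (its assignment is outside the hunk). The comment above the method reads "which need to be include for evaluation"; suggest `# Controls named in --controls, with /slash-wrapped/ entries compiled to Regexp; unparseable regexes are dropped with a warning.`.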
data/lib/inspec/reporters/cli.rb
CHANGED
@@ -41,12 +41,14 @@ module Inspec::Reporters
|
|
41
41
|
MULTI_TEST_CONTROL_SUMMARY_MAX_LEN = 60
|
42
42
|
|
43
43
|
def render
|
44
|
+
@src_extent_map = {}
|
44
45
|
run_data[:profiles].each do |profile|
|
45
46
|
if profile[:status] == "skipped"
|
46
47
|
platform = run_data[:platform]
|
47
48
|
output("Skipping profile: '#{profile[:name]}' on unsupported platform: '#{platform[:name]}/#{platform[:release]}'.")
|
48
49
|
next
|
49
50
|
end
|
51
|
+
read_control_source(profile)
|
50
52
|
@control_count = 0
|
51
53
|
output("")
|
52
54
|
print_profile_header(profile)
|
@@ -89,6 +91,7 @@ module Inspec::Reporters
|
|
89
91
|
next if control.results.nil?
|
90
92
|
|
91
93
|
output(format_control_header(control))
|
94
|
+
output(format_control_source(control)) if Inspec::Config.cached[:reporter_include_source]
|
92
95
|
control.results.each do |result|
|
93
96
|
output(format_result(control, result, :standard))
|
94
97
|
@control_count += 1
|
@@ -127,6 +130,62 @@ module Inspec::Reporters
|
|
127
130
|
)
|
128
131
|
end
|
129
132
|
|
133
|
+
def format_control_source(control)
|
134
|
+
src = @control_source[control.id]
|
135
|
+
message = "Control Source from #{src[:path]}:#{src[:start]}..#{src[:end]}\n"
|
136
|
+
message += src[:content]
|
137
|
+
format_message(
|
138
|
+
color: "skipped",
|
139
|
+
indentation: 5,
|
140
|
+
message: message
|
141
|
+
)
|
142
|
+
end
|
143
|
+
|
144
|
+
def read_control_source(profile)
|
145
|
+
return unless Inspec::Config.cached[:reporter_include_source]
|
146
|
+
|
147
|
+
@control_source = {}
|
148
|
+
src_extent_map = {}
|
149
|
+
|
150
|
+
# First pass: build map of paths => ids => [start]
|
151
|
+
all_unique_controls.each do |control|
|
152
|
+
id = control[:id]
|
153
|
+
path = control[:source_location][:ref]
|
154
|
+
start = control[:source_location][:line]
|
155
|
+
next if path.nil? || start.nil?
|
156
|
+
|
157
|
+
src_extent_map[path] ||= []
|
158
|
+
src_extent_map[path] << { start: start, id: id }
|
159
|
+
end
|
160
|
+
|
161
|
+
# Now sort the controls by their starting line in their control file
|
162
|
+
src_extent_map.values.each do |extent_list|
|
163
|
+
extent_list.sort! { |a, b| a[:start] <=> b[:start] }
|
164
|
+
end
|
165
|
+
|
166
|
+
# Third pass: Read in files and split into lines
|
167
|
+
src_extent_map.keys.each do |path|
|
168
|
+
control_file_lines = File.read(path).lines # TODO error handling
|
169
|
+
last_line_in_file = control_file_lines.count
|
170
|
+
extent_list = src_extent_map[path]
|
171
|
+
extent_list.each_with_index do |extent, idx|
|
172
|
+
if idx == extent_list.count - 1 # Last entry
|
173
|
+
extent[:end] = last_line_in_file
|
174
|
+
else
|
175
|
+
extent[:end] = extent_list[idx + 1][:start] - 1
|
176
|
+
end
|
177
|
+
|
178
|
+
@control_source[extent[:id]] =
|
179
|
+
{
|
180
|
+
path: path,
|
181
|
+
start: extent[:start],
|
182
|
+
end: extent[:end],
|
183
|
+
content: control_file_lines.slice(extent[:start] - 1, extent[:end] - extent[:start] + 1).join(""),
|
184
|
+
}
|
185
|
+
end
|
186
|
+
end
|
187
|
+
end
|
188
|
+
|
130
189
|
def format_result(control, result, type)
|
131
190
|
impact = control.impact_string_for_result(result)
|
132
191
|
|
@@ -170,7 +229,7 @@ module Inspec::Reporters
|
|
170
229
|
end
|
171
230
|
|
172
231
|
def all_unique_controls
|
173
|
-
@unique_controls ||= begin
|
232
|
+
@unique_controls ||= begin # rubocop:disable Style/RedundantBegin
|
174
233
|
run_data[:profiles].flat_map do |profile|
|
175
234
|
profile[:controls]
|
176
235
|
end.uniq
|
@@ -312,6 +371,10 @@ module Inspec::Reporters
|
|
312
371
|
data[:impact]
|
313
372
|
end
|
314
373
|
|
374
|
+
def source_location
|
375
|
+
data[:source_location]
|
376
|
+
end
|
377
|
+
|
315
378
|
def anonymous?
|
316
379
|
id.start_with?("(generated from ")
|
317
380
|
end
|
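Review bot: In the `format_control_source` hunk, `src[:path]` is dereferenced without checking that `@control_source` has an entry for `control.id`; `read_control_source` skips any control whose `source_location` lacks `ref` or `line` (`next if path.nil? || start.nil?`), so for such a control the lookup returns nil and the reporter raises NoMethodError instead of printing the control. A guard `return "" unless src` keeps the report going (the reporter already emits blank lines via `output("")`), or the call site can test `@control_source.key?(control.id)` before calling. `File.read(path).lines # TODO error handling` in the same method aborts the whole report on an unreadable path, and these are paths recorded at profile load time that may not be readable from the reporter's process, so a `rescue SystemCallError` around the read that warns and skips the file is worth doing before this ships. `@src_extent_map = {}` at the top of `render` is never read — the working map is the local `src_extent_map` — and `render` itself continues past the hunk.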
@@ -8,7 +8,7 @@ module Inspec::Reporters
|
|
8
8
|
end
|
9
9
|
|
10
10
|
def report
|
11
|
-
{
|
11
|
+
output = {
|
12
12
|
platform: platform,
|
13
13
|
profiles: profiles,
|
14
14
|
statistics: {
|
@@ -16,6 +16,11 @@ module Inspec::Reporters
|
|
16
16
|
},
|
17
17
|
version: run_data[:version],
|
18
18
|
}
|
19
|
+
|
20
|
+
%w{passthrough}.each do |option|
|
21
|
+
output[option.to_sym] = @config[option] unless @config[option].nil?
|
22
|
+
end
|
23
|
+
output
|
19
24
|
end
|
20
25
|
|
21
26
|
private
|
@@ -24,7 +24,7 @@ module Inspec::Reporters
|
|
24
24
|
version: run_data[:version],
|
25
25
|
}
|
26
26
|
|
27
|
-
# optional
|
27
|
+
# optional jsonconfig passthrough options
|
28
28
|
%w{node_name environment roles job_uuid passthrough}.each do |option|
|
29
29
|
output[option.to_sym] = @config[option] unless @config[option].nil?
|
30
30
|
end
|
data/lib/inspec/resources/apt.rb
CHANGED
@@ -78,7 +78,7 @@ module Inspec::Resources
|
|
78
78
|
return @repo_cache if defined?(@repo_cache)
|
79
79
|
|
80
80
|
# load all lists
|
81
|
-
cmd = inspec.command("find /etc/apt/ -name
|
81
|
+
cmd = inspec.command("find /etc/apt/ -name \"*.list\" -exec sh -c 'cat {} || echo -n' \\;")
|
82
82
|
|
83
83
|
# @see https://help.ubuntu.com/community/Repositories/CommandLine#Explanation_of_the_Repository_Format
|
84
84
|
@repo_cache = cmd.stdout.lines.map do |raw_line|
|
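Review bot: The `find` command on the new line embeds `{}` inside the `sh -c` script, so each matched path is spliced into shell source before it is parsed and a `.list` filename containing quotes or other shell metacharacters is interpreted rather than passed as data (GNU find's manual warns against exactly this construction). Passing the path as a positional parameter avoids it and is a drop-in replacement: `cmd = inspec.command("find /etc/apt/ -name \"*.list\" -exec sh -c 'cat \"$1\" || echo -n' sh {} \\;")`. The old line is truncated in this rendering, so it is not clear whether this commit introduced the `sh -c` wrapper or only the `|| echo -n` fallback. The enclosing method starts above the hunk.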
@@ -31,6 +31,11 @@ module Inspec::Resources
|
|
31
31
|
end
|
32
32
|
|
33
33
|
@command = cmd
|
34
|
+
cli_timeout = Inspec::Config.cached["command_timeout"]&.to_i
|
35
|
+
# Can access this via Inspec::InspecCLI.commands["exec"].options[:command_timeout].default,
|
36
|
+
# but that may not be loaded for kitchen-inspec and other pure gem consumers
|
37
|
+
cli_timeout = nil if cli_timeout == 0 # Under test-kitchen we get a 0 timeout, which can't be a resonable value
|
38
|
+
@timeout = cli_timeout || options[:timeout]&.to_i
|
34
39
|
|
35
40
|
if options[:redact_regex]
|
36
41
|
unless options[:redact_regex].is_a?(Regexp)
|
@@ -44,7 +49,15 @@ module Inspec::Resources
|
|
44
49
|
end
|
45
50
|
|
46
51
|
def result
|
47
|
-
@result ||=
|
52
|
+
@result ||= begin
|
53
|
+
inspec.backend.run_command(@command, timeout: @timeout)
|
54
|
+
rescue Train::CommandTimeoutReached
|
55
|
+
# Without a small sleep, the train connection gets broken
|
56
|
+
# We've already timed out, so a small sleep is not likely to be painful here.
|
57
|
+
sleep 0.1
|
58
|
+
raise Inspec::Exceptions::ResourceFailed,
|
59
|
+
"Command `#{@command}` timed out after #{@timeout} seconds"
|
60
|
+
end
|
48
61
|
end
|
49
62
|
|
50
63
|
def stdout
|
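Review bot: The global `command_timeout` from `Inspec::Config.cached` takes precedence over a resource's explicit option in `@timeout = cli_timeout || options[:timeout]&.to_i`, so a control that deliberately passes `timeout:` for a slow command is cut off by a shorter CLI-wide value; if the resource setting is meant as an override the order should be `options[:timeout]&.to_i || cli_timeout`, and if the global is meant to cap everything a comment saying so will stop the next reader from "fixing" it. Only `0` is normalised to nil; a negative or fractional value survives `to_i` and reaches `run_command` unchecked, so `cli_timeout = nil unless cli_timeout&.positive?` handles both cases in one line. In the `result` hunk the `rescue Train::CommandTimeoutReached` raises `ResourceFailed` with `@timeout` in the message, which is nil when only the resource option was unset — fine, but worth a glance. The comment on the zero-normalisation line has a typo, "resonable"; the enclosing initializer starts above the hunk.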
data/lib/inspec/utils/filter.rb
CHANGED
@@ -36,14 +36,20 @@ module FilterTable
|
|
36
36
|
# RSpec will check the object returned to see if it responds to a method
|
37
37
|
# before calling it. We need to fake it out and tell it that it does. This
|
38
38
|
# allows it to skip past that check and fall through to #method_missing
|
39
|
-
def respond_to?(_method)
|
39
|
+
def respond_to?(_method, include_all = false)
|
40
40
|
true
|
41
41
|
end
|
42
42
|
|
43
43
|
def to_s
|
44
|
-
@original_resource.
|
44
|
+
"#{@original_resource} (#{@original_exception.message})"
|
45
45
|
end
|
46
46
|
alias inspect to_s
|
47
|
+
|
48
|
+
# Rspec is not able to convert FilterTable::ExceptionCatcher issue https://github.com/inspec/inspec/issues/5369
|
49
|
+
# which result into not showing actual exception message this allows to convert it properly.
|
50
|
+
def to_ary
|
51
|
+
[ to_s ]
|
52
|
+
end
|
47
53
|
end
|
48
54
|
|
49
55
|
class Trace
|
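Review bot: Defining `to_ary` on this class makes the object participate in Ruby's implicit Array conversion everywhere, not only in the RSpec message path the comment targets: `Array#flatten`, `puts`, multiple assignment and block-parameter destructuring will all silently replace the catcher with the one-element array `[to_s]`, and because `respond_to?` unconditionally returns true the usual `respond_to?(:to_ary)` check cannot tell it apart from a real array-like. If that reach is acceptable, the comment should say so rather than leave it to the next maintainer to rediscover, e.g. `# Deliberately exposes implicit Array conversion so RSpec renders the captured exception message (issue 5369); this also affects flatten/splat/destructuring.`. The comment's "which result into not showing" should read "which results in not showing". The class these methods belong to starts above the hunk.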
data/lib/inspec/version.rb
CHANGED
@@ -2,7 +2,7 @@
|
|
2
2
|
|
3
3
|
This example shows the implementation of an InSpec profile for AWS.
|
4
4
|
|
5
|
-
## Create a profile
|
5
|
+
## Create a profile
|
6
6
|
|
7
7
|
```
|
8
8
|
$ inspec init profile --platform aws my-profile
|
@@ -15,12 +15,12 @@ Creating new profile at /Users/spaterson/my-profile
|
|
15
15
|
• Creating directory controls
|
16
16
|
• Creating file controls/example.rb
|
17
17
|
• Creating file inspec.yml
|
18
|
-
• Creating file
|
18
|
+
• Creating file inputs.yml
|
19
19
|
• Creating file libraries/.gitkeep
|
20
|
-
|
20
|
+
|
21
21
|
```
|
22
22
|
|
23
|
-
## Optionally update `
|
23
|
+
## Optionally update `inputs.yml` to point to your custom VPC
|
24
24
|
|
25
25
|
```
|
26
26
|
aws_vpc_id: 'custom-vpc-id'
|
@@ -32,11 +32,11 @@ The related control will simply be skipped if this is not provided. See the [In
|
|
32
32
|
|
33
33
|
### With a VPC Identifier
|
34
34
|
|
35
|
-
With a supplied VPC identifier in `
|
35
|
+
With a supplied VPC identifier in `inputs.yml` both of the example controls will run. The 'aws-single-vpc-exists-check' control will only check for a VPC identifier in the currently configured AWS SDK region e.g. `eu-west-2` in the below:
|
36
36
|
|
37
37
|
```
|
38
38
|
$ cd my-profile/
|
39
|
-
$ inspec exec . -t aws:// --
|
39
|
+
$ inspec exec . -t aws:// --input-file=inputs.yml
|
40
40
|
|
41
41
|
Profile: AWS InSpec Profile (my-profile)
|
42
42
|
Version: 0.1.0
|
@@ -111,13 +111,13 @@ Test Summary: 53 successful, 0 failures, 0 skipped
|
|
111
111
|
```
|
112
112
|
|
113
113
|
|
114
|
-
### Without Supplying a VPC Identifier
|
114
|
+
### Without Supplying a VPC Identifier
|
115
115
|
|
116
|
-
If no VPC identifier is supplied, the 'aws-single-vpc-exists-check' control is skipped and the other control runs. The `
|
116
|
+
If no VPC identifier is supplied, the 'aws-single-vpc-exists-check' control is skipped and the other control runs. The `inputs.yml` file does not have to be specified to InSpec in this case.
|
117
117
|
|
118
118
|
```
|
119
119
|
$ cd my-profile/
|
120
|
-
$ inspec exec . -t aws://
|
120
|
+
$ inspec exec . -t aws://
|
121
121
|
|
122
122
|
Profile: AWS InSpec Profile (my-profile)
|
123
123
|
Version: 0.1.0
|
@@ -189,4 +189,4 @@ Target: aws://eu-west-2
|
|
189
189
|
|
190
190
|
Profile Summary: 2 successful controls, 0 control failures, 1 control skipped
|
191
191
|
Test Summary: 52 successful, 0 failures, 1 skipped
|
192
|
-
```
|
192
|
+
```
|
@@ -2,11 +2,11 @@
|
|
2
2
|
|
3
3
|
title "Sample Section"
|
4
4
|
|
5
|
-
aws_vpc_id =
|
5
|
+
aws_vpc_id = input("aws_vpc_id")
|
6
6
|
|
7
7
|
# You add controls here
|
8
|
-
control "aws-single-vpc-exists-check" do
|
9
|
-
only_if { aws_vpc_id != "" }
|
8
|
+
control "aws-single-vpc-exists-check" do # A unique ID for this control.
|
9
|
+
only_if { aws_vpc_id != "" } # Only run this control if the `aws_vpc_id` input is provided.
|
10
10
|
impact 1.0 # The criticality, if this control fails.
|
11
11
|
title "Check to see if custom VPC exists." # A human-readable title.
|
12
12
|
describe aws_vpc(aws_vpc_id) do # The test itself.
|
File without changes
|
@@ -7,14 +7,13 @@ license: Apache-2.0
|
|
7
7
|
summary: An InSpec Compliance Profile For AWS
|
8
8
|
version: 0.1.0
|
9
9
|
inspec_version: '~> 4'
|
10
|
-
|
10
|
+
inputs:
|
11
11
|
- name: aws_vpc_id
|
12
12
|
required: false
|
13
13
|
# Below is deliberately left as a default empty string to allow the profile to run when this is not provided.
|
14
14
|
# Please see the README for more details.
|
15
|
-
|
15
|
+
value: ''
|
16
16
|
description: 'Optional Custom AWS VPC Id'
|
17
|
-
type: string
|
18
17
|
depends:
|
19
18
|
- name: inspec-aws
|
20
19
|
url: https://github.com/inspec/inspec-aws/archive/master.tar.gz
|
@@ -2,7 +2,7 @@
|
|
2
2
|
|
3
3
|
This example shows the implementation of an InSpec profile for GCP that depends on the [InSpec GCP Resource Pack](https://github.com/inspec/inspec-gcp). See the [README](https://github.com/inspec/inspec-gcp) for instructions on setting up appropriate GCP credentials.
|
4
4
|
|
5
|
-
## Create a profile
|
5
|
+
## Create a profile
|
6
6
|
|
7
7
|
```
|
8
8
|
$ inspec init profile --platform gcp my-profile
|
@@ -12,12 +12,12 @@ Create new profile at /Users/spaterson/my-profile
|
|
12
12
|
* Create directory controls
|
13
13
|
* Create file controls/example.rb
|
14
14
|
* Create file inspec.yml
|
15
|
-
* Create file
|
16
|
-
* Create file libraries/.gitkeep
|
17
|
-
|
15
|
+
* Create file inputs.yml
|
16
|
+
* Create file libraries/.gitkeep
|
17
|
+
|
18
18
|
```
|
19
19
|
|
20
|
-
## Update `
|
20
|
+
## Update `inputs.yml` to point to your project
|
21
21
|
|
22
22
|
```
|
23
23
|
gcp_project_id: 'my-gcp-project'
|
@@ -27,7 +27,7 @@ gcp_project_id: 'my-gcp-project'
|
|
27
27
|
|
28
28
|
```
|
29
29
|
$ cd gcp-profile/
|
30
|
-
$ inspec exec . -t gcp:// --
|
30
|
+
$ inspec exec . -t gcp:// --input-file=inputs.yml
|
31
31
|
|
32
32
|
Profile: GCP InSpec Profile (my-profile)
|
33
33
|
Version: 0.1.0
|
@@ -63,4 +63,4 @@ Target: gcp://local-service-account@my-gcp-project.iam.gserviceaccount.com
|
|
63
63
|
|
64
64
|
Profile Summary: 2 successful controls, 0 control failures, 0 controls skipped
|
65
65
|
Test Summary: 18 successful, 0 failures, 0 skipped
|
66
|
-
```
|
66
|
+
```
|
File without changes
|
@@ -6,14 +6,13 @@ copyright_email: you@example.com
|
|
6
6
|
license: Apache-2.0
|
7
7
|
summary: An InSpec Compliance Profile For GCP
|
8
8
|
version: 0.1.0
|
9
|
-
inspec_version: '>=
|
10
|
-
|
9
|
+
inspec_version: '>= 4'
|
10
|
+
inputs:
|
11
11
|
- name: gcp_project_id
|
12
12
|
required: true
|
13
13
|
description: 'The GCP project identifier.'
|
14
|
-
type: string
|
15
14
|
depends:
|
16
15
|
- name: inspec-gcp
|
17
16
|
url: https://github.com/inspec/inspec-gcp/archive/master.tar.gz
|
18
17
|
supports:
|
19
|
-
- platform: gcp
|
18
|
+
- platform: gcp
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: inspec-core
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 4.
|
4
|
+
version: 4.33.1
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Chef InSpec Team
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2021-
|
11
|
+
date: 2021-04-20 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: chef-telemetry
|
@@ -711,15 +711,15 @@ files:
|
|
711
711
|
- lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template/reporter.rb
|
712
712
|
- lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template/version.rb
|
713
713
|
- lib/plugins/inspec-init/templates/profiles/aws/README.md
|
714
|
-
- lib/plugins/inspec-init/templates/profiles/aws/attributes.yml
|
715
714
|
- lib/plugins/inspec-init/templates/profiles/aws/controls/example.rb
|
715
|
+
- lib/plugins/inspec-init/templates/profiles/aws/inputs.yml
|
716
716
|
- lib/plugins/inspec-init/templates/profiles/aws/inspec.yml
|
717
717
|
- lib/plugins/inspec-init/templates/profiles/azure/README.md
|
718
718
|
- lib/plugins/inspec-init/templates/profiles/azure/controls/example.rb
|
719
719
|
- lib/plugins/inspec-init/templates/profiles/azure/inspec.yml
|
720
720
|
- lib/plugins/inspec-init/templates/profiles/gcp/README.md
|
721
|
-
- lib/plugins/inspec-init/templates/profiles/gcp/attributes.yml
|
722
721
|
- lib/plugins/inspec-init/templates/profiles/gcp/controls/example.rb
|
722
|
+
- lib/plugins/inspec-init/templates/profiles/gcp/inputs.yml
|
723
723
|
- lib/plugins/inspec-init/templates/profiles/gcp/inspec.yml
|
724
724
|
- lib/plugins/inspec-init/templates/profiles/os/README.md
|
725
725
|
- lib/plugins/inspec-init/templates/profiles/os/controls/example.rb
|