inspec-core 5.17.4 → 5.21.29

data/lib/inspec/utils/waivers/csv_file_reader.rb

@@ -0,0 +1,34 @@
+require "csv" unless defined?(CSV)
+
+module Waivers
+  class CSVFileReader
+    def self.resolve(path)
+      return nil unless File.file?(path)
+
+      @headers ||= []
+      fetch_data(path)
+    end
+
+    def self.fetch_data(path)
+      waiver_data_hash = {}
+      CSV.foreach(path, headers: true) do |row|
+        row_hash = row.to_hash
+        @headers = row_hash.keys if @headers.empty?
+        control_id = row_hash["control_id"]
+        # delete keys and values not required in final hash
+        row_hash.delete("control_id")
+        row_hash.delete_if { |k, v| k.nil? || v.nil? }
+
+        waiver_data_hash[control_id] = row_hash if control_id && !row_hash.blank?
+      end
+
+      waiver_data_hash
+    rescue CSV::MalformedCSVError => e
+      raise "Error reading InSpec waivers in CSV: #{e}"
+    end
+
+    def self.headers
+      @headers
+    end
+  end
+end

data/lib/inspec/utils/waivers/excel_file_reader.rb

@@ -0,0 +1,39 @@
+require "roo"
+require "roo-xls"
+
+module Waivers
+  class ExcelFileReader
+    def self.resolve(path)
+      return nil unless File.file?(path)
+
+      @headers ||= []
+      fetch_data(path)
+    end
+
+    def self.fetch_data(path)
+      waiver_data_hash = {}
+      file_extension = File.extname(path) == ".xlsx" ? :xlsx : :xls
+      excel_file = Roo::Spreadsheet.open(path, extension: file_extension)
+      excel_file.sheet(0).parse(headers: true).each_with_index do |row, index|
+        if index == 0
+          @headers = row.keys
+        else
+          row_hash = row
+          control_id = row_hash["control_id"]
+          # delete keys and values not required in final hash
+          row_hash.delete("control_id")
+          row_hash.delete_if { |k, v| k.nil? || v.nil? }
+        end
+
+        waiver_data_hash[control_id] = row_hash if control_id && !row_hash.blank?
+      end
+      waiver_data_hash
+    rescue Exception => e
+      raise "Error reading InSpec waivers in Excel: #{e}"
+    end
+
+    def self.headers
+      @headers
+    end
+  end
+end

data/lib/inspec/utils/waivers/json_file_reader.rb

@@ -0,0 +1,15 @@
+module Waivers
+  class JSONFileReader
+    def self.resolve(path)
+      return nil unless File.file?(path)
+
+      fetch_data(path)
+    end
+
+    def self.fetch_data(path)
+      JSON.parse(File.read(path))
+    rescue JSON::ParserError => e
+      raise "Error reading InSpec waivers in JSON: #{e}"
+    end
+  end
+end

data/lib/inspec/utils/yaml_profile_summary.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+module Inspec
+  module Utils
+    #
+    # Inspec::Utils::YamlProfileSummary takes in certain information to identify a
+    # profile and then produces a YAML-formatted summary of that profile. It can
+    # return the results to STDOUT or a file.
+    #
+    #
+    module YamlProfileSummary
+      def self.produce_yaml(info:, write_path: "", suppress_output: false)
+        # add in inspec version
+        info[:generator] = {
+          name: "inspec",
+          version: Inspec::VERSION,
+        }
+        if write_path.empty?
+          puts info.to_yaml
+        else
+          unless suppress_output
+            if File.exist? write_path
+              Inspec::Log.info "----> updating #{write_path}"
+            else
+              Inspec::Log.info "----> creating #{write_path}"
+            end
+          end
+          full_write_path = File.expand_path(write_path)
+          File.write(full_write_path, info.to_yaml)
+        end
+      end
+    end
+  end
+end

data/lib/inspec/version.rb

@@ -1,3 +1,3 @@
 module Inspec
-  VERSION = "5.17.4".freeze
+  VERSION = "5.21.29".freeze
 end

data/lib/inspec/waiver_file_reader.rb

@@ -0,0 +1,61 @@
+require "inspec/secrets/yaml"
+require "inspec/utils/waivers/csv_file_reader"
+require "inspec/utils/waivers/json_file_reader"
+
+module Inspec
+  class WaiverFileReader
+
+    def self.fetch_waivers_by_profile(profile_id, files)
+      read_waivers_from_file(profile_id, files) if @waivers_data.nil? || @waivers_data[profile_id].nil?
+      @waivers_data[profile_id]
+    end
+
+    def self.read_waivers_from_file(profile_id, files)
+      @waivers_data ||= {}
+      output = {}
+
+      files.each do |file_path|
+        file_extension = File.extname(file_path)
+        data = nil
+        if [".yaml", ".yml"].include? file_extension
+          data = Secrets::YAML.resolve(file_path)
+          data = data.inputs unless data.nil?
+          validate_json_yaml(data)
+        elsif file_extension == ".csv"
+          data = Waivers::CSVFileReader.resolve(file_path)
+          headers = Waivers::CSVFileReader.headers
+          validate_headers(headers)
+        elsif file_extension == ".json"
+          data = Waivers::JSONFileReader.resolve(file_path)
+          validate_json_yaml(data)
+        end
+        output.merge!(data) if !data.nil? && data.is_a?(Hash)
+
+        if data.nil?
+          raise Inspec::Exceptions::WaiversFileNotReadable,
+              "Cannot find parser for waivers file '#{file_path}'. " \
+              "Check to make sure file has the appropriate extension."
+        end
+      end
+
+      @waivers_data[profile_id] = output
+    end
+
+    def self.validate_headers(headers, json_yaml = false)
+      required_fields = json_yaml ? %w{justification} : %w{control_id justification}
+      all_fields = %w{control_id justification expiration_date run}
+
+      Inspec::Log.warn "Missing column headers: #{(required_fields - headers)}" unless (required_fields - headers).empty?
+      Inspec::Log.warn "Invalid column header: Column can't be nil" if headers.include? nil
+      Inspec::Log.warn "Extra column headers: #{(headers - all_fields)}" unless (headers - all_fields).empty?
+    end
+
+    def self.validate_json_yaml(data)
+      headers = []
+      data.each_value do |value|
+        headers.push value.keys
+      end
+      validate_headers(headers.flatten.uniq, true)
+    end
+  end
+end

data/lib/matchers/matchers.rb

@@ -225,7 +225,11 @@ RSpec::Matchers.define :cmp do |first_expected| # rubocop:disable Metrics/BlockL
   end
 
   def boolean?(value)
-    %w{true false}.include?(value.downcase)
+    if value.respond_to?("downcase")
+      %w{true false}.include?(value.downcase)
+    else
+      value.is_a?(TrueClass) || value.is_a?(FalseClass)
+    end
   end
 
   def version?(value)
@@ -252,6 +256,8 @@ RSpec::Matchers.define :cmp do |first_expected| # rubocop:disable Metrics/BlockL
       return actual.send(op, expected.to_i)
     elsif expected.is_a?(String) && boolean?(expected) && [true, false].include?(actual)
       return actual.send(op, to_boolean(expected))
+    elsif boolean?(expected) && %w{true false}.include?(actual)
+      return actual.send(op, expected.to_s)
     elsif expected.is_a?(Integer) && actual.is_a?(String) && integer?(actual)
       return actual.to_i.send(op, expected)
     elsif expected.is_a?(Float) && float?(actual)

data/lib/plugins/inspec-init/templates/profiles/alicloud/README.md

@@ -0,0 +1,27 @@
+# Example InSpec Profile For AliCloud
+
+This example shows the implementation of an InSpec profile for AliCloud.
+
+The related control will simply be skipped if this is not provided.  See the [InSpec DSL documentation](https://docs.chef.io/inspec/dsl_inspec/) for more details on conditional execution using `only_if`.
+
+## Run the test
+
+```bash
+$ cd my-alicloud-sample-profile/
+$ inspec exec . -t alicloud://
+```
+
+```
+Profile:   Ali Cloud InSpec Profile (my-alicloud-profile)
+Version:   0.1.0
+Target:    alicloud://ap-south-1
+    ✔  ali-cloud-instances-1.0: Ensure AliCloud ECS Instances has correct attributes.
+         ✔  AliCloud ECS Instances (All) is expected to exist
+         ✔  AliCloud ECS Instances (All) entries.count is expected to be >= 1
+Profile:   AliCloud Resource Pack (inspec-alicloud)
+Version:   0.10.8
+Target:    alicloud://ap-south-1
+     No tests executed.
+Profile Summary: 1 successful controls, 0 control failures, 0 controls skipped
+Test Summary: 1 successful, 0 failures, 0 skipped
+```

data/lib/plugins/inspec-init/templates/profiles/alicloud/controls/example.rb

@@ -0,0 +1,10 @@
+title "Test AliCloud Instances count"
+
+control "ali-cloud-instances-1.0" do
+  impact 1.0
+  title "Ensure AliCloud ECS Instances Class has correct attributes."
+  describe alicloud_ecs_instances do
+    it { should exist }
+    its("entries.count") { should be >= 1 }
+  end
+end

data/lib/plugins/inspec-init/templates/profiles/alicloud/inputs.yml

@@ -0,0 +1 @@
+

data/lib/plugins/inspec-init/templates/profiles/alicloud/inspec.yml

@@ -0,0 +1,14 @@
+name: my-alicloud-sample-profile
+title: Ali Cloud InSpec Profile
+maintainer: The Authors
+copyright: The Authors
+copyright_email: you@example.com
+license: Apache-2.0
+summary: An InSpec Compliance Profile For Ali CLoud
+version: 0.1.0
+inspec_version: '~> 5'
+depends:
+  - name: inspec-alicloud
+    url: https://github.com/inspec/inspec-alicloud/archive/main.tar.gz
+supports:
+  - platform: alicloud

data/lib/plugins/inspec-reporter-html2/README.md

@@ -50,4 +50,4 @@ Specifies the full path to the location of a JavaScript file that will be read a
 
 ## Developing This Plugin
 
-This plugin is part of the Chef InSpec source code. While it has its own tests, the general contribution policy is dictated by the Chef InSpec project at https://github.com/inspec/inspec/blob/master/CONTRIBUTING.md
+This plugin is part of the Chef InSpec source code. While it has its own tests, the general contribution policy is dictated by the Chef InSpec project at https://github.com/inspec/inspec/blob/main/CONTRIBUTING.md

data/lib/plugins/inspec-reporter-html2/templates/body.html.erb

@@ -7,21 +7,21 @@
     <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
     <style type="text/css">
     /* Must inline all CSS files, this is a single-file output that may be airgapped */
-    <%= ERB.new(File.read(css_path), nil, nil, "_css").result(binding)  %>
+    <%= ERB.new(File.read(css_path), eoutvar: "_css").result(binding)  %>
     </style>
     <script type="text/javascript">
     // <![CDATA[
     /* Must inline all JavaScript files, this is a single-file output that may be airgapped */
-    <%= ERB.new(File.read(js_path), nil, nil, "_js").result(binding)  %>
+    <%= ERB.new(File.read(js_path), eoutvar: "_js").result(binding)  %>
     // ]]>
     </script>
   </head>
   <body onload="pageLoaded()">
-    <%= ERB.new(File.read(template_path + "/selector.html.erb"), nil, nil, "_select").result(binding)  %>
+    <%= ERB.new(File.read(template_path + "/selector.html.erb"), eoutvar: "_select").result(binding)  %>
     <div class="inspec-report">
     <h1><%= Inspec::Dist::PRODUCT_NAME %> Report</h1>
     <% run_data.profiles.each do |profile| %>
-      <%= ERB.new(File.read(template_path + "/profile.html.erb"), nil, nil, "_prof").result(binding)  %>
+      <%= ERB.new(File.read(template_path + "/profile.html.erb"), eoutvar: "_prof").result(binding)  %>
     <% end %>
 
     <div class="inspec-summary">
@@ -36,8 +36,14 @@
       <caption>Control Statistics</caption>
         <tr><th colspan="2"><h4 id="statistics-label">Control Statistics</h4></th></tr>
         <tr class= "passed"><th>Passed:</th><td><%= run_data.statistics.controls.passed.total %></td></tr>
-        <tr class= "skipped"><th>Skipped:</th><td><%= run_data.statistics.controls.skipped.total %></td></tr>
         <tr class= "failed"><th>Failed:</th><td><%= run_data.statistics.controls.failed.total %></td></tr>
+        <% if enhanced_outcomes %>
+          <tr class= "not_reviewed"><th>Not Reviewed:</th><td><%= run_data.statistics.controls.not_reviewed.total %></td></tr>
+          <tr class= "not_applicable"><th>Not Applicable:</th><td><%= run_data.statistics.controls.not_applicable.total %></td></tr>
+          <tr class= "error"><th>Error:</th><td><%= run_data.statistics.controls.error.total %></td></tr>
+        <% else %>
+          <tr class= "skipped"><th>Skipped:</th><td><%= run_data.statistics.controls.skipped.total %></td></tr>
+        <% end %>
         <tr class= "duration"><th>Duration:</th><td><%= run_data.statistics.duration %> seconds</td></tr>
         <tr class= "date"><th>Time Finished:</th><td><%= Time.now %></td></tr>
       </table>

data/lib/plugins/inspec-reporter-html2/templates/control.html.erb

@@ -1,11 +1,15 @@
 <% slugged_id = control.id.tr(" ", "_") %>
 <%
-    # Determine status of control
-    status = "passed"
-    if control.results.any? { |r| r.status == "failed" }
-      status = "failed"
-    elsif control.results.any? { |r| r.status == "skipped" }
-      status = "skipped"
+    if enhanced_outcomes
+      status = control.status
+    else
+      # Determine status of control
+      status = "passed"
+      if control.results.any? { |r| r.status == "failed" }
+        status = "failed"
+      elsif control.results.any? { |r| r.status == "skipped" }
+        status = "skipped"
+      end
     end
 %>
 
@@ -74,7 +78,7 @@
   </table>
 
   <% control.results.each do |result| %>
-    <%= ERB.new(File.read(template_path + "/result.html.erb"), nil, nil, "_rslt").result(binding)  %>
+    <%= ERB.new(File.read(template_path + "/result.html.erb"), eoutvar: "_rslt").result(binding)  %>
   <% end %>
 
 </div>

data/lib/plugins/inspec-reporter-html2/templates/default.css

@@ -60,6 +60,18 @@ pre code {
 .result-metadata .status-skipped div  {
   background-color: grey;
 }
+.control-metadata .status-error div,
+.result-metadata .status-error div  {
+  background-color: rgb(63, 15, 183);
+}
+.control-metadata .status-not_applicable div,
+.result-metadata .status-not_applicable div  {
+  background-color: rgb(135, 206, 250);
+}
+.control-metadata .status-not_reviewed div,
+.result-metadata .status-not_reviewed div  {
+  background-color: rgb(255, 194, 0);
+}
 .result-metadata,
 .control-metadata {
   margin: 0 0 0 5%;

data/lib/plugins/inspec-reporter-html2/templates/profile.html.erb

@@ -18,7 +18,7 @@
 
   <% if profile.status == "loaded" %>
     <% profile.controls.each do |control| %>
-      <%= ERB.new(File.read(template_path + "/control.html.erb"), nil, nil, "_ctl").result(binding)  %>
+      <%= ERB.new(File.read(template_path + "/control.html.erb"), eoutvar: "_ctl").result(binding)  %>
     <% end %>
   <% end %>
 </div>

data/lib/plugins/inspec-reporter-html2/templates/selector.html.erb

@@ -1,8 +1,14 @@
 <div class="selector-panel">
   <p id="selector-instructions">Display controls that are:</p>
   <input class="selector-checkbox" id="passed-checkbox" type="checkbox" checked="checked"/><label for="passed-checkbox">Passed</label>
-  <input class="selector-checkbox" id="skipped-checkbox" type="checkbox" checked="checked"/><label for="skipped-checkbox">Skipped</label>
   <input class="selector-checkbox" id="failed-checkbox" type="checkbox" checked="checked"/><label for="failed-checkbox">Failed</label>
+  <% if enhanced_outcomes %>
+    <input class="selector-checkbox" id="not_reviewed-checkbox" type="checkbox" checked="checked"/><label for="not_reviewed-checkbox">Not Reviewed</label>
+    <input class="selector-checkbox" id="not_applicable-checkbox" type="checkbox" checked="checked"/><label for="not_applicable-checkbox">Not Applicable</label>
+    <input class="selector-checkbox" id="error-checkbox" type="checkbox" checked="checked"/><label for="error-checkbox">Error</label>
+  <% else %>
+    <input class="selector-checkbox" id="skipped-checkbox" type="checkbox" checked="checked"/><label for="skipped-checkbox">Skipped</label>
+  <% end %>
   <p id="selector-instructions">Display profiles that are:</p>
   <input class="profile-selector-checkbox" id="child-profile-checkbox" type="checkbox" /><label for="child-profile-checkbox">Dependent Profiles</label>
 </div>

data/lib/plugins/{inspec-artifact/inspec-artifact.gemspec → inspec-sign/inspec-sign.gemspec}

@@ -2,8 +2,8 @@
 # These specs are used in plugin list and search command
 
 Gem::Specification.new do |spec|
-  spec.name          = "inspec-artifact"
+  spec.name          = "inspec-sign"
   spec.summary       = ""
   spec.description   = "Plugin to generate asymmetrical keys that you can use to encrypt profiles"
   spec.license       = "Apache-2.0"
-end
+end

data/lib/plugins/inspec-sign/lib/inspec-sign/base.rb

@@ -0,0 +1,164 @@
+require "base64" unless defined?(Base64)
+require "openssl" unless defined?(OpenSSL)
+require "pathname" unless defined?(Pathname)
+require "set" unless defined?(Set)
+require "tempfile" unless defined?(Tempfile)
+require "yaml"
+require "inspec/dist"
+require "inspec/utils/json_profile_summary"
+require "inspec/iaf_file"
+
+module InspecPlugins
+  module Sign
+    class Base
+      include Inspec::Dist
+
+      KEY_BITS = 2048
+      KEY_ALG = OpenSSL::PKey::RSA
+
+      INSPEC_PROFILE_VERSION_1 = "INSPEC-PROFILE-1".freeze
+      INSPEC_REPORT_VERSION_1 = "INSPEC-REPORT-1".freeze
+
+      INSPEC_PROFILE_VERSION_2 = "INSPEC-PROFILE-2".freeze
+      ARTIFACT_DIGEST = OpenSSL::Digest::SHA512
+      ARTIFACT_DIGEST_NAME = "SHA512".freeze
+
+      VALID_PROFILE_VERSIONS = Set.new [INSPEC_PROFILE_VERSION_1, INSPEC_PROFILE_VERSION_2]
+      VALID_PROFILE_DIGESTS = Set.new [ARTIFACT_DIGEST_NAME]
+
+      SIGNED_PROFILE_SUFFIX = "iaf".freeze
+      SIGNED_REPORT_SUFFIX = "iar".freeze
+
+      def self.keygen(options)
+        key = KEY_ALG.new KEY_BITS
+
+        path = File.join(Inspec.config_dir, "keys")
+        FileUtils.mkdir_p(path)
+
+        puts "Generating signing key in #{path}/#{options["keyname"]}.pem.key"
+        open "#{path}/#{options["keyname"]}.pem.key", "w" do |io|
+          io.write key.to_pem
+        end
+        puts "Generating validation key in #{path}/#{options["keyname"]}.pem.pub"
+        open "#{path}/#{options["keyname"]}.pem.pub", "w" do |io|
+          io.write key.public_key.to_pem
+        end
+      end
+
+      def self.profile_sign(profile_path, options)
+        artifact = new
+
+        # Writes the profile content id in the inspec.yml
+        if options[:profile_content_id] && !options[:profile_content_id].strip.empty?
+          artifact.write_profile_content_id(profile_path, options[:profile_content_id])
+        end
+
+        puts "Signing #{profile_path} with key #{options["keyname"]}"
+        keypath = Inspec::IafFile.find_signing_key(options["keyname"])
+
+        # Read name and version from metadata and use them to form the filename
+        profile_md = artifact.read_profile_metadata(profile_path)
+
+        # Behave same as archive filename for iaf filename
+        slug = profile_md["name"].downcase.strip.tr(" ", "-").gsub(/[^\w-]/, "_")
+        filename = "#{slug}-#{profile_md["version"]}"
+        artifact_filename = "#{filename}.#{SIGNED_PROFILE_SUFFIX}"
+
+        # Generating tar.gz file using archive method of Inspec Cli
+        Inspec::InspecCLI.new.archive(profile_path, "error")
+        tarfile = "#{filename}.tar.gz"
+        tar_content = IO.binread(tarfile)
+        FileUtils.rm(tarfile)
+
+        # Generate the signature
+        signing_key = KEY_ALG.new File.read keypath
+        sha = ARTIFACT_DIGEST.new
+        signature = signing_key.sign sha, tar_content
+        # convert the signature to Base64
+        signature_base64 = Base64.encode64(signature)
+
+        content = (format("%-100s", options[:keyname]) +
+                  format("%-20s", ARTIFACT_DIGEST_NAME) +
+                  format("%-370s", signature_base64)).gsub(" ", "\0").unpack("H*").pack("h*") + "#{tar_content}"
+
+        File.open(artifact_filename, "wb") do |f|
+          f.puts INSPEC_PROFILE_VERSION_2
+          f.puts "Use \"inspec export\" to view this file"
+          f.write(content)
+        end
+        puts "Successfully generated #{artifact_filename}"
+      rescue Inspec::Exceptions::ProfileValidationKeyNotFound => e
+        $stderr.puts e.message
+        Inspec::UI.new.exit(:usage_error)
+      end
+
+      def self.profile_verify(signed_profile_path)
+        file_to_verify = signed_profile_path
+        puts "Verifying #{file_to_verify}"
+
+        iaf_file = Inspec::IafFile.new(file_to_verify)
+        if iaf_file.valid?
+          puts "Detected format version '#{iaf_file.version}'"
+          puts "Attempting to verify using key '#{iaf_file.key_name}'"
+          puts "Profile is valid."
+          Inspec::UI.new.exit(:normal)
+        else
+          puts "Detected format version '#{iaf_file.version}'"
+          puts "Attempting to verify using key '#{iaf_file.key_name}'" if iaf_file.key_name
+          puts "Profile is invalid"
+          Inspec::UI.new.exit(:bad_signature)
+        end
+      rescue Inspec::Exceptions::ProfileValidationKeyNotFound => e
+        $stderr.puts e.message
+        Inspec::UI.new.exit(:usage_error)
+      end
+
+      def read_profile_metadata(profile_path)
+        begin
+          p = Pathname.new(profile_path)
+          p = p.join("inspec.yml")
+          unless p.exist?
+            raise "#{profile_path} doesn't appear to be a valid #{PRODUCT_NAME} profile"
+          end
+
+          yaml = YAML.load_file(p.to_s)
+          yaml = yaml.to_hash
+
+          unless yaml.key? "name"
+            raise "Profile is invalid, name is not defined"
+          end
+
+          unless yaml.key? "version"
+            raise "Profile is invalid, version is not defined"
+          end
+        rescue => e
+          # rewrap it and pass it up to the CLI
+          $stderr.puts "Error reading profile metadata file #{e.message}"
+          Inspec::UI.new.exit(:usage_error)
+        end
+
+        yaml
+      end
+
+      def write_profile_content_id(profile_path, profile_content_id)
+        p = Pathname.new(profile_path)
+        p = p.join("inspec.yml")
+        yaml = YAML.load_file(p.to_s)
+        existing_profile_content_id = yaml["profile_content_id"]
+
+        unless existing_profile_content_id.nil?
+          ui = Inspec::UI.new
+          ui.error("Cannot use --profile-content-id when profile_content_id already exists in metadata file.")
+          ui.exit(:usage_error)
+        end
+
+        lines = IO.readlines(p)
+        lines << "\nprofile_content_id: #{profile_content_id}\n"
+
+        File.open("#{p}", "w" ) do |f|
+          f.puts lines
+        end
+      end
+    end
+  end
+end

data/lib/plugins/{inspec-artifact/lib/inspec-artifact → inspec-sign/lib/inspec-sign}/cli.rb

@@ -70,46 +70,37 @@ require "inspec/dist"
 # To extract the raw content from a .iaf:
 #        sed '1,/^$/d' foo.iaf
 
+#  inspec artifact is renamed to inspec sign
+
 module InspecPlugins
-  module Artifact
+  module Sign
     class CLI < Inspec.plugin(2, :cli_command)
       include Inspec::Dist
 
-      subcommand_desc "artifact SUBCOMMAND", "Manage #{PRODUCT_NAME} Artifacts"
+      subcommand_desc "sign SUBCOMMAND", "Manage #{PRODUCT_NAME} profile signing."
 
-      desc "generate", "Generate a RSA key pair for signing and verification"
+      desc "generate-keys", "Generate a RSA key pair for signing and verification"
       option :keyname, type: :string, required: true,
         desc: "Desriptive name of key"
       option :keydir, type: :string, default: "./",
         desc: "Directory to search for keys"
       def generate_keys
         puts "Generating keys"
-        InspecPlugins::Artifact::Base.keygen(options)
+        InspecPlugins::Sign::Base.keygen(options)
       end
 
-      desc "sign-profile", "Create a signed .iaf artifact"
-      option :profile, type: :string, required: true,
-        desc: "Path to profile directory"
+      desc "profile PATH", "sign the profile in PATH and generate .iaf artifact."
       option :keyname, type: :string, required: true,
         desc: "Desriptive name of key"
-      def sign_profile
-        InspecPlugins::Artifact::Base.profile_sign(options)
-      end
-
-      desc "verify-profile", "Verify a signed .iaf artifact"
-      option :infile, type: :string, required: true,
-          desc: ".iaf file to verify"
-      def verify_profile
-        InspecPlugins::Artifact::Base.profile_verify(options)
+      option :profile_content_id, type: :string,
+        desc: "UUID of the profile. This will write the profile_content_id in the metadata file if it does not already exist in the metadata file."
+      def profile(profile_path)
+        InspecPlugins::Sign::Base.profile_sign(profile_path, options)
       end
 
-      desc "install-profile", "Verify and install a signed .iaf artifact"
-      option :infile, type: :string, required: true,
-          desc: ".iaf file to install"
-      option :destdir, type: :string, required: true,
-        desc: "Installation directory"
-      def install_profile
-        InspecPlugins::Artifact::Base.profile_install(options)
+      desc "verify PATH", "Verify a signed profile .iaf artifact at given path."
+      def verify(signed_profile_path)
+        InspecPlugins::Sign::Base.profile_verify(signed_profile_path)
       end
     end
   end

data/lib/plugins/inspec-sign/lib/inspec-sign.rb

@@ -0,0 +1,12 @@
+module InspecPlugins
+  module Sign
+    class Plugin < Inspec.plugin(2)
+      plugin_name :'inspec-sign'
+
+      cli_command :sign do
+        require_relative "inspec-sign/cli"
+        InspecPlugins::Sign::CLI
+      end
+    end
+  end
+end