inspec-core 6.8.24 → 7.0.95

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: '06894dd5c2b09dac3432041d74b257a5b25dd00c9c0a2d623e7343e6a651e1b6'
-  data.tar.gz: 20592025afc13ecdcae95fcde514b8bc4b5855358e93dcef24365d15aa773eb1
+  metadata.gz: 2e160d7044fa022329cb438d770054bb63107b59f219030464c709f6b1dcda93
+  data.tar.gz: 1dc6673dc552f75cb9b8671b0a466feb2c818f069112fac69aa63b1de568ef54
 SHA512:
-  metadata.gz: 2d0a1749cfa6f3d1f517f31e5bc722f85ad5ecf8dd4d155df88afcc41c76c93ba21bba3749b534fd1515a724af17bedc706755606a4a3c109a655ef891bc0e0d
-  data.tar.gz: 2f0b14a4f79fad859d931a8d0427d88306beb44b7b4f8698910a053d383ebc05a28b9b440c7164cfd5f712d56ba08aeb35afa51b21ef1c5f157b4fb525dd2d3c
+  metadata.gz: a389860f421bec680c4db4462fc4cf5765073661cc1154f5fe57e823f7b4f33b10d1ecd22fb286d3a50cd467170645d460ba80b96515331bd2aec9eaa80d8579
+  data.tar.gz: 6133800736ed63493d37bca5b3727740b1a1ab7eadb9919ffc8b728f021604a9dd7bf1d1b388169566bc4e484b3fb2fc26845e05769f1dc2afa26f530fddf7a0

data/Gemfile

@@ -29,12 +29,12 @@ gem "ffi", ">= 1.15.5", "< 1.17.0"
 # but our runtime dep is still 3.9+
 gem "rspec", ">= 3.10"
 
-group :omnibus do
-  gem "rb-readline"
-  gem "appbundler"
-  gem "ed25519" # ed25519 ssh key support done here as its a native gem we can't put in the gemspec
-  gem "bcrypt_pbkdf" # ed25519 ssh key support done here as its a native gem we can't put in the gemspec
-end
+# group :omnibus do
+#   gem "rb-readline"
+#   gem "appbundler"
+#   gem "ed25519" # ed25519 ssh key support done here as its a native gem we can't put in the gemspec
+#   gem "bcrypt_pbkdf" # ed25519 ssh key support done here as its a native gem we can't put in the gemspec
+# end
 
 group :test do
   gem "chefstyle"
@@ -42,7 +42,7 @@ group :test do
   gem "json_schemer"
   gem "m"
   gem "minitest-sprint", "~> 1.0"
-  gem "minitest", "5.15.0"
+  gem "minitest"
   gem "mocha"
   gem "nokogiri"
   gem "pry-byebug"
@@ -55,4 +55,4 @@ end
 
 group :deploy do
   gem "inquirer"
-end
+end

data/etc/deprecations.json

@@ -1,5 +1,5 @@
 {
-  "file_version": "1.0.0",
+  "file_version": "2.0.0",
   "unknown_group_action": "ignore",
   "groups": {
     "attrs_value_replaces_default": {
@@ -74,9 +74,9 @@
       "suffix": "This resource was removed in InSpec 4.0."
     },
     "core_resource_moved_to_rp": {
-      "action": "warn",
-      "suffix": "This resource will be moved to a separate resource pack. Additional details will be provided with the InSpec 7 release.",
-      "comment": "Deprecation notice for core resource which are getting moved to resource packs."
+      "action": "exit",
+      "suffix": "This resource has been moved to a separate gem. Please include the appropriate gem in your dependencies to continue using this resource.",
+      "comment": "Deprecation notice for core resources which are now distributed as gems. Update your profile dependencies accordingly."
     },
     "resource_iis_website": {
       "action": "exit",
@@ -131,5 +131,43 @@
       "action": "ignore",
       "prefix": "The `inspec json` command is deprecated in InSpec 5 and replaced with `inspec export` command."
     }
+  },
+  "fallback_resource_packs":{
+    "internal_fallback_test.+":{
+      "gem":"inspec-test-resources",
+      "message":"The internal_fallback_test resource is a test resource used to exercise InSpec's ability to fallback on gem resource packs."
+    },
+    "elasticsearch.*": {
+      "gem":"inspec-elasticsearch-resources",
+      "message":"The `inspec-elasticsearch-resources` allows testing of elasticsearch using Inspec."
+    },
+    "docker.+":{
+      "gem": "inspec-docker-resources",
+      "message": "The Inspec docker resources are moved out of InSpec core and will be installed as gem"
+    },
+    "ibmdb2.+":{
+      "gem": "inspec-ibmdb2-resources",
+      "message": "The Inspec ibmdb2 resources are moved out of InSpec core and will be installed as gem"
+    },
+    "mongodb.+":{
+      "gem": "inspec-mongodb-resources",
+      "message": "The Inspec mongodb resources are moved out of InSpec core and will be installed as gem"
+    },
+    "opa.+":{
+      "gem": "inspec-opa-resources",
+      "message": "The Inspec opa resources are moved out of InSpec core and will be installed as gem"
+    },
+    "podman.+":{
+      "gem": "inspec-podman-resources",
+      "message": "The Inspec podman resources are moved out of InSpec core and will be installed as gem"
+    },
+    "rabbitmq.+":{
+      "gem": "inspec-rabbitmq-resources",
+      "message": "The Inspec rabbitmq resources are moved out of InSpec core and will be installed as gem"
+    },
+    "sybase.+":{
+      "gem": "inspec-sybase-resources",
+      "message": "The Inspec sybase resources are moved out of InSpec core and will be installed as gem"
+    }
   }
 }

data/inspec-core.gemspec

@@ -35,11 +35,11 @@ Source code obtained from the Chef GitHub repository is made available under Apa
   spec.add_dependency "license-acceptance",       ">= 0.2.13", "< 3.0"
   # TODO: We should remove the thor pinning in next upcoming releases currently it's breaking our unit test in cli_args_test for aliases due to
   # recent changes made in thor library REF: https://github.com/rails/thor/releases/tag/v1.3.0 & https://github.com/rails/thor/pull/800
-  spec.add_dependency "thor",                     ">= 0.20", "< 1.3.0"
+  spec.add_dependency "thor",                     ">= 0.20", "< 1.5.0"
   spec.add_dependency "method_source",            ">= 0.8", "< 2.0"
-  spec.add_dependency "rubyzip",                  ">= 1.2.2", "< 3.0"
+  spec.add_dependency "rubyzip",                  ">= 1.2.2", "< 4.0"
   spec.add_dependency "rspec",                    ">= 3.9", "<= 3.14"
-  spec.add_dependency "rspec-its",                "~> 1.2"
+  spec.add_dependency "rspec-its",                ">= 1.2", "< 3.0"
   spec.add_dependency "pry",                      "~> 0.13"
   spec.add_dependency "hashie",                   ">= 3.4", "< 6.0"
   spec.add_dependency "mixlib-log",               "~> 3.0"
@@ -49,19 +49,26 @@ Source code obtained from the Chef GitHub repository is made available under Apa
   spec.add_dependency "faraday-follow_redirects", "~> 0.3"
   spec.add_dependency "tty-table",                "~> 0.10"
   spec.add_dependency "tty-prompt",               "~> 0.17"
-  spec.add_dependency "tomlrb",                   ">= 1.2", "< 2.1"
+  spec.add_dependency "tomlrb",                   ">= 1.3", "< 2.1"
   spec.add_dependency "addressable",              "~> 2.4"
-  spec.add_dependency "parslet",                  ">= 1.5", "< 2.0" # Pinned < 2.0, see #5389
+  spec.add_dependency "parslet",                  ">= 1.5", "< 3.0" # Pinned < 2.0, see #5389
   spec.add_dependency "semverse",                 "~> 3.0"
   spec.add_dependency "multipart-post",           "~> 2.0"
 
+  # Gem dependency needed with Ruby 3.4 upgrade
+  # TODO : Remove the dependency on mutex_m once the 'chef-licensing' gem is released with the fix
+  # spec.add_dependency "mutex_m",                  "~> 0.2.0"
+  spec.add_dependency "syslog",                   "~> 0.1"
+  spec.add_dependency "csv",                      "~> 3.0"
+  spec.add_dependency "ostruct",                  ">= 0.1", "< 0.7"
+
   # cookstyle support for inspec check
   # This was initially included in 'inspec.gemspec' to keep 'chef-client' lightweight.
   # However, it has been moved to 'inspec-core.gemspec' due to a dependency on the 'ast' gem,
   # which was causing a LoadError ('cannot load such file -- ast') for users/applications using 'inspec-core'.
   spec.add_dependency "cookstyle"
 
-  spec.add_dependency "train-core", ">= 3.11.0"
+  spec.add_dependency "train-core", "~> 3.13", ">= 3.13.4"
   # Minimum major version 1 is required for Chef licensing telemetry
-  spec.add_dependency "chef-licensing", ">= 1.0.2"
+  spec.add_dependency "chef-licensing", ">= 1.2.0"
 end

data/lib/inspec/archive/tar.rb

@@ -1,4 +1,5 @@
 require "rubygems/package" unless defined?(Gem::Package)
+require "rubygems/package/tar_writer" unless defined?(Gem::Package::TarWriter)
 
 module Inspec::Archive
   class TarArchiveGenerator

data/lib/inspec/backend.rb

@@ -1,4 +1,6 @@
 # copyright: 2015, Dominik Richter
+# Copyright © 2015-2025 Progress Software Corporation and/or its subsidiaries or affiliates.
+# All Rights Reserved.
 
 require "train"
 require "inspec/config"

data/lib/inspec/base_cli.rb

@@ -165,6 +165,16 @@ module Inspec
         desc: "A list of paths to the ssh config file, e.g ~/.ssh/config or /etc/ssh/ssh_config."
       option :podman_url, type: :string,
         desc: "Provides the path to the Podman API endpoint. Defaults to unix:///run/user/$UID/podman/podman.sock for rootless container, unix:///run/podman/podman.sock for rootful container (for this you need to execute inspec as root user)."
+      option :socks_proxy, type: :string,
+         desc: "SOCKS5H proxy URL to tunnel the WinRM connection (e.g., socks5h://proxy-host:1080)."
+      option :socks_user, type: :string,
+         desc: "Username for authenticating with the SOCKS5 proxy."
+      option :socks_password, type: :string, lazy_default: -1,
+         desc: "Password for authenticating with the SOCKS5 proxy."
+      option :kerberos_realm, type: :string,
+         desc: "Kerberos realm used for authentication."
+      option :kerberos_service, type: :string,
+         desc: "Kerberos service principal name (e.g., HTTP, HOST)."
     end
 
     def self.profile_options
@@ -370,7 +380,7 @@ module Inspec
     # get the log level
     # DEBUG < INFO < WARN < ERROR < FATAL < UNKNOWN
     def get_log_level(level)
-      valid = %w{debug info warn error fatal}
+      valid = %w{trace debug info warn error fatal}
 
       if valid.include?(level)
         l = level
@@ -378,7 +388,7 @@ module Inspec
         l = "info"
       end
 
-      Logger.const_get(l.upcase)
+      Mixlib::Log.const_get(l.upcase)
     end
 
     def pretty_handle_exception(exception)
@@ -389,6 +399,9 @@ module Inspec
       when Inspec::InvalidProfileSignature
         $stderr.puts exception.message
         Inspec::UI.new.exit(:bad_signature)
+      when Inspec::Exceptions::GemDependencyNotFound
+        $stderr.puts exception.message
+        Inspec::UI.new.exit(:gem_dependency_not_found)
       when Inspec::Error
         $stderr.puts exception.message
         exit(1)

data/lib/inspec/cached_fetcher.rb

@@ -52,7 +52,19 @@ module Inspec
         fetch
       elsif cache.exists?(cache_key) && !cache.locked?(cache_key)
         Inspec::Log.debug "Using cached dependency for #{target}"
-        [cache.prefered_entry_for(cache_key), false]
+        cache_value = cache.prefered_entry_for(cache_key)
+        if cache_value
+          [cache_value, false]
+        else
+          Inspec::Log.debug "Dependency does not exist in the cache for target #{target}"
+          cache_key_name = cache_key
+          if cache_key_name.start_with?("gem:")
+            # When cache for gem - meaning gemspec exists but gem does not exists then clearing up gemspec is required
+            # This logic enables the gem fetcher logic to work step by step again
+            Inspec::Log.debug "Clearing cached gemspec to fix dependency issue and enable fresh download."
+            FileUtils.rm_rf(cache.gemspec_path_for(cache_key))
+          end
+        end
       else
         begin
           Inspec::Log.debug "Dependency does not exist in the cache #{target}"
@@ -61,6 +73,7 @@ module Inspec
         rescue SystemExit => e
           exit_code = e.status || 1
           Inspec::Log.error "Error while creating cache for dependency ... #{e.message}"
+          # TODO: in the case of gem profile/resource pack dependency installs gone awry, this is the wrong thing to do!
           FileUtils.rm_rf(cache.base_path_for(fetcher.cache_key))
           exit(exit_code)
         ensure
@@ -72,6 +85,9 @@ module Inspec
     end
 
     def assert_cache_sanity!
+      # do not check cache sanity if the target is a gem or a resource pack
+      # which are known by a special prefix on their cache key or by having the :gem key
+      return if target.respond_to?(:key?) && target.key?(:gem)
       return unless target.respond_to?(:key?) && target.key?(:sha256)
 
       exception_message = <<~EOF

data/lib/inspec/cli.rb

@@ -1,4 +1,6 @@
 # Copyright 2015 Dominik Richter
+# Copyright © 2015-2025 Progress Software Corporation and/or its subsidiaries or affiliates.
+# All Rights Reserved.
 
 require "inspec/utils/deprecation/deprecator"
 require "inspec/dist"

data/lib/inspec/dependencies/cache.rb

@@ -16,6 +16,7 @@ module Inspec
   #
   class Cache
     attr_reader :path
+
     def initialize(path = nil)
       @path = path || File.join(Inspec.config_dir, "cache")
       FileUtils.mkdir_p(@path) unless File.directory?(@path)
@@ -45,6 +46,12 @@ module Inspec
     # For a given name and source_url, return true if the
     # profile exists in the Cache.
     #
+    # InSpec 7+ Special Magic for Gem-Based Resource Pack Profiles:
+    #   These "profiles" are installed as gems, and so are "cached"
+    #   by being installed as gems.
+    #     The magic is triggered by a special prefix of
+    #   the cache_key: gem: or gem_path:
+    #
     # @param [String] name
     # @param [String] source_url
     # @return [Boolean]
@@ -52,8 +59,18 @@ module Inspec
     def exists?(key)
       return false if key.nil? || key.empty?
 
-      path = base_path_for(key)
-      File.directory?(path) || File.exist?("#{path}.tar.gz") || File.exist?("#{path}.zip")
+      if key.start_with?("gem:")
+        # check if the gem is installed in InSpec Config DIR or if it is present as cache in cache DIR
+        !gemspec_path_for(key).nil? || File.directory?(base_path_for(key))
+      elsif key.start_with?("gem_path:") # TODO: remove this as it will be redundant with the introduction of SHA256 key
+        # Gem installed as explicit path reference, as in testing / development
+        entry_point_path = key.sub(/^gem_path:/, "")
+        File.exist?(entry_point_path)
+      else
+        # Standard cache entry
+        path = base_path_for(key)
+        File.directory?(path) || File.exist?("#{path}.tar.gz") || File.exist?("#{path}.zip")
+      end
     end
 
     #
@@ -67,8 +84,33 @@ module Inspec
     # @param [String] source_url
     # @return [String]
     #
-    def base_path_for(cache_key)
-      File.join(@path, cache_key)
+    def base_path_for(key)
+      if key.start_with?("gem:")
+        # fetch the Gem installed path and if the gem is not available in the installed DIR
+        # construct the cache path where it can be found
+        # At this point this path will be used both for writing and reading the gem cache
+        gemspec_path_for(key) || File.join(@path, key)
+
+      elsif key.start_with?("gem_path:")
+        # Gem installed as explicit path reference, as in testing / development
+        entry_point_path = key.sub(/^gem_path:/, "")
+        # We were given an explicit path like
+        # inspec-test-resources/lib/inspec-test-resources.rb
+        # go two directories up
+        parts = Pathname(entry_point_path).each_filename.to_a
+        File.join(parts.slice(0, parts.length - 2))
+      else
+        # Standard cache entry
+        File.join(@path, key)
+      end
+    end
+
+    def gemspec_path_for(key)
+      if key.start_with?("gem:")
+        (_, gem_name, version) = key.split(":")
+        loader = Inspec::Plugin::V2::Loader.new
+        loader.find_gemspec_directory(gem_name, version)
+      end
     end
 
     #
@@ -78,9 +120,7 @@ module Inspec
       locked = false
       path = base_path_for(key)
       # For archive there is no need to lock the directory so we skip those and return false for archive formatted cache
-      if File.directory?(path)
-        locked = File.exist?("#{path}/.lock")
-      end
+      locked = File.exist?("#{path}/.lock") if File.directory?(path)
       locked
     end
 

data/lib/inspec/dsl.rb

@@ -1,4 +1,7 @@
 # copyright: 2015, Dominik Richter
+# Copyright © 2015-2025 Progress Software Corporation and/or its subsidiaries or affiliates.
+# All Rights Reserved.
+
 require "inspec/log"
 require "inspec/plugin/v2"
 require "inspec/utils/deprecated_cloud_resources_list"
@@ -39,20 +42,51 @@ module Inspec::DSL
     return unless backend
 
     begin
-      include DeprecatedCoreResourcesList
-      if CORE_RESOURCES_DEPRECATED.include? id
-        Inspec.deprecate(:core_resource_moved_to_rp, "The resource '#{id}' will not be part of the InSpec 7 core.")
-      end
       require "inspec/resources/#{id}"
     rescue LoadError => e
-      include DeprecatedCloudResourcesList
-      cloud_resource = id.start_with?("aws_") ? "aws" : "azure"
 
-      # Deprecated AWS and Azure resources in InSpec 5.
-      if CLOUD_RESOURCES_DEPRECATED.include? id
-        Inspec.deprecate(:"#{cloud_resource}_resources_in_resource_pack", "Resource '#{id}'")
+      # InSpec 7+ Fallback Support for Resource Packs
+      # Use Deprecator to lookup the matching gem
+      # if a gem matches, try to load the resource from the gem
+      gem_name = Inspec::Deprecation::Deprecator.new.match_gem_for_fallback_resource_name(id.to_s)
+      if gem_name
+        # Install if needed
+        cfg = Inspec::Config.cached
+        unless cfg.final_options[:auto_install_gems]
+          Inspec.deprecate(:core_resource_moved_to_rp, "The resource pack gem '#{gem_name}' is required for resource '#{id}' support (consider --auto-install-gems).")
+
+        end
+
+        Inspec::Plugin::V2::Installer.instance.ensure_installed gem_name
+
+        # Load the gem, add  gemspecs to the path, load any deps, load resource libraries into registry
+        # This is plugin API orthodoxy but is impossible to program
+        # Inspec::Plugin::V2::Registry.instance.find_activator(gem_name).activate
+        loader = Inspec::Plugin::V2::Loader.new
+
+        # 1. Activate gem and deps.
+        loader.activate_managed_gems_for_plugin(gem_name)
+
+        # 2. Load all libraries from the gem path
+        gem_path = loader.find_gem_directory(gem_name)
+        resources_path = File.join(gem_path, "lib", gem_name, "resources", "*.rb")
+        legacy_library_path = File.join(gem_path, "libraries", "*.rb")
+        Dir.glob([resources_path, legacy_library_path]).each do |resource_lib|
+          require resource_lib
+        end
+        # Resources now available in Inspec::Resource.registry
       else
-        raise LoadError, "#{e.message}"
+        # TODO: InSpec 7: Replace with Fallbacks for inspec-aws-resources and inspec-azure-resources
+        include DeprecatedCloudResourcesList
+        cloud_resource = id.start_with?("aws_") ? "aws" : "azure"
+
+        # Deprecated AWS and Azure resources in InSpec 5.
+        if CLOUD_RESOURCES_DEPRECATED.include? id
+          Inspec.deprecate(:"#{cloud_resource}_resources_in_resource_pack", "Resource '#{id}'")
+        else
+          # OK, give up entirely
+          raise LoadError, "#{e.message}"
+        end
       end
     end
 

data/lib/inspec/exceptions.rb

@@ -7,6 +7,7 @@ module Inspec
     class ProfileLoadFailed < StandardError; end
     class ResourceFailed < StandardError; end
     class ResourceSkipped < StandardError; end
+    class GemDependencyNotFound < StandardError; end
     class SecretsBackendNotFound < ArgumentError; end
     class ProfileValidationKeyNotFound < ArgumentError; end
     class ProfileSigningKeyNotFound < ArgumentError; end

data/lib/inspec/fetcher/gem.rb

@@ -0,0 +1,117 @@
+require "inspec/plugin/v2/installer"
+
+module Inspec::Fetcher
+  class Gem < Inspec.fetcher(1)
+    name "gem"
+    priority 0.5 # TODO: verify value
+    # Priority is used for setting precedence of fetchers. And registry plugin(v1) decides which fetcher to use for loading profiles by using this priority
+    # Gem fetcher's priority should be lowest because gem profiles are only executables via inspec metadata
+
+    def self.resolve(target)
+      resolve_from_hash(target) if target.is_a?(Hash) && target.key?(:gem)
+    end
+
+    def self.resolve_from_hash(target)
+      return unless target.key?(:gem)
+
+      new(target)
+    end
+
+    def initialize(target, opts = {})
+      @target = target
+      @gem_name = target[:gem]
+      @version = target[:version] # optional
+      @source = target[:source] # optional
+      @gem_path = target[:path] # optional, sets local path installation mode
+      @backend = opts[:backend]
+      @archive_shasum = nil
+    end
+
+    def fetch(path)
+      plugin_installer = Inspec::Plugin::V2::Installer.instance
+
+      Inspec::Log.debug("GemFetcher fetching #{@gem_name} v" + (@version || "ANY"))
+
+      have_plugin = if @version
+                      plugin_installer.plugin_version_installed?(@gem_name, @version)
+                    else
+                      plugin_installer.plugin_installed?(@gem_name)
+                    end
+
+      unless have_plugin
+        # Install
+        # TODO - error handling?
+        Inspec::Log.debug("GemFetcher - install request for #{@gem_name}")
+        if @gem_path
+          # No version permitted
+          plugin_installer.install(@gem_name, gem: @gem_name, path: @gem_path)
+        else
+          # Passing an extra gem argument to enable detecting gem based plugins
+          plugin_installer.install(@gem_name, version: @version, source: @source, gem: @gem_name)
+        end
+      end
+
+      # Usually this `path` is cache path
+      # We want to copy installed gem to cache path so it can be vendored
+      # and read again as a cache
+      if path
+        loader = Inspec::Plugin::V2::Loader.new
+        gem_dir_path = loader.find_gem_directory(@gem_name, @version)
+        if gem_dir_path
+          # Cache the gem file
+          FileUtils.mkdir_p(path)
+          FileUtils.cp_r(gem_dir_path, path)
+          @archive_path = path
+        else
+          @archive_path = @target
+        end
+      end
+
+      # Should the plugin activate? No, it should only be "fetched" (installed)
+      # Activation would load resource libararies and would effectively execute the profile
+
+      @target
+    end
+
+    attr_reader :archive_path
+
+    def writable?
+      # Gem based profile is not writable because it is not cached in lockfile
+      false
+    end
+
+    def cache_key
+      # This special value is interpreted by Inspec::Cache.exists?
+      # SHA256 on gem:gemname:version
+      # SHA256 on gem_path:/filesystem/path/entrypoint.rb
+      @cache_key ||= begin
+        key = if @gem_path
+                "gem_path:#{@gem_path}"
+              else
+                "gem:#{@gem_name}:#{gem_version}"
+              end
+        OpenSSL::Digest.hexdigest("SHA256", key)
+      end
+    end
+
+    # The intent here is to provide a signature that would change with the content of the profile.
+    # In the case of gems, for released gems,  "name-version" should suffice.
+    # For development gems specified by path, the're ever-changing anyway, so just give the path.
+    # In eith case, that string is in fact just the cache key.
+    def sha256
+      cache_key
+    end
+
+    def resolved_source
+      h = { gem: @gem_name, version: gem_version, gem_path: @gem_path }
+      h[:sha256] = sha256
+      h
+    end
+
+    private
+
+    def gem_version
+      @version || Inspec::Plugin::V2::Loader.find_gemspec_of(@gem_name)&.version&.to_s
+    end
+  end
+end

data/lib/inspec/fetcher/git.rb

@@ -68,11 +68,21 @@ module Inspec::Fetcher
       else
         Dir.mktmpdir do |working_dir|
           checkout(working_dir)
+          if git_only_or_empty?(working_dir)
+            # If the temporary working directory is empty after checkout,
+            # this means the git repository did not contain any files (or the checkout failed).
+            # In this case, remove the destination directory to avoid
+            # leaving an empty or invalid profile directory.
+            if Dir.exist?(destination_path)
+              FileUtils.rm_rf(destination_path)
+            end
+            raise Inspec::FetcherFailure, "Profile git dependency failed for #{@remote_url} - no files found in the repository."
+          end
           if @relative_path
             perform_relative_path_fetch(destination_path, working_dir)
           else
             Inspec::Log.debug("Checkout of #{resolved_ref.nil? ? @remote_url : resolved_ref} successful. " \
-                              "Moving checkout to #{destination_path}")
+                                "Moving checkout to #{destination_path}")
             FileUtils.cp_r(working_dir + "/.", destination_path)
           end
         end
@@ -80,6 +90,16 @@ module Inspec::Fetcher
       @repo_directory
     end
 
+    def git_only_or_empty?(dir)
+      return false unless Dir.exist?(dir)
+
+      children = Dir.children(dir)
+      # Return true if:
+      # - directory is completely empty
+      # - or it contains only one entry: '.git'
+      children.empty? || (children - [".git"]).empty?
+    end
+
     def perform_relative_path_fetch(destination_path, working_dir)
       Inspec::Log.debug("Checkout of #{resolved_ref.nil? ? @remote_url : resolved_ref} successful. " \
                         "Moving #{@relative_path} to #{destination_path}")

data/lib/inspec/fetcher/local.rb

@@ -10,7 +10,7 @@ module Inspec::Fetcher
       if target.is_a?(String)
         local_path = resolve_from_string(target)
         new(local_path) if local_path
-      elsif target.is_a?(Hash)
+      elsif target.is_a?(Hash) && !target.key?(:gem)
         local_path = resolve_from_hash(target)
         new(local_path, target) if local_path
       end

data/lib/inspec/fetcher.rb

@@ -43,4 +43,5 @@ end
 require "inspec/fetcher/local"
 require "inspec/fetcher/url"
 require "inspec/fetcher/git"
+require "inspec/fetcher/gem"
 require "plugins/inspec-compliance/lib/inspec-compliance/api"