inspec-docker-resources 7.1.5

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 42403a609f1a1f69bef2e78bfd0ccd689572c3e1f97410bdd2a255edb25deb89
+  data.tar.gz: 806499cbed562f28c5797e2496ed2e816ab90fc24e34011791bcefacd0fae3a7
+SHA512:
+  metadata.gz: 7e5690271746f476fb40504d742924f93c5f5d3460ca74a9168f4270fe813e73bd33d818e5907ad0875319e3a0ec49f86a4625fe9f3b5351481f2b577ac95c9b
+  data.tar.gz: a5c00db497287e910beb8ffa0a6a37382dc8ba5799b1cba2253e0994cdf3f7d78d43b533be27e6bd50b590b0afebe4c41d40cc4fd4f0af520d5f6784c5b9ac72

data/Gemfile

@@ -0,0 +1,14 @@
+source "https://rubygems.org"
+gem "inspec-bin", git: "https://github.com/inspec/inspec", branch: "inspec-7"
+gem "inspec", git: "https://github.com/inspec/inspec", branch: "inspec-7"
+
+gemspec
+
+group :test do
+  gem "mocha"
+  gem "minitest"
+  gem "mocha"
+  gem "chefstyle"
+  gem "simplecov"
+  gem "simplecov_json_formatter"
+end

data/README.md

@@ -0,0 +1,16 @@
+# inspec-docker-resources
+
+Docker InSpec Resources in a Gem
+
+This repository contains the InSpec Docker resources, formerly contained in InSpec Core. In InSpec 7+, these resources are available in a gem, `inspec-docker-resources`.
+
+## Usage
+
+To use this resource pack, add this dependency to your inspec.yml :
+
+```yaml
+depends:
+ - name: inspec-docker-resources
+    gem: inspec-docker-resources
+```
+

data/inspec-docker-resources.gemspec

@@ -0,0 +1,44 @@
+# As plugins are usually packaged and distributed as a RubyGem,
+# we have to provide a .gemspec file, which controls the gembuild
+# and publish process.  This is a fairly generic gemspec.
+
+# It is traditional in a gemspec to dynamically load the current version
+# from a file in the source tree.  The next three lines make that happen.
+lib = File.expand_path("lib", __dir__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require "inspec-docker-resources/version"
+
+Gem::Specification.new do |spec|
+  # Importantly, all InSpec plugins must be prefixed with `inspec-` (most
+  # plugins) or `train-` (plugins which add new connectivity features).
+  spec.name          = "inspec-docker-resources"
+
+  # It is polite to namespace your plugin under InspecPlugins::YourPluginInCamelCase
+  spec.version       = InspecPlugins::DockerResources::VERSION
+  spec.authors       = ["InSpec Core Maintainers"]
+  spec.email         = ["inspec@progress.com"]
+  spec.summary       = "Docker InSpec Resources in a Gem"
+  spec.description   = "Contains InSpec 7.0+ resources fo interacting with Docker Desktop."
+  spec.homepage      = "https://github.com/inspec/inspec-docker-resources"
+  spec.license       = "Apache-2.0"
+
+  # Though complicated-looking, this is pretty standard for a gemspec.
+  # It just filters what will actually be packaged in the gem (leaving
+  # out tests, etc)
+  spec.files = %w{
+    README.md inspec-docker-resources.gemspec Gemfile inspec.yml
+  } + Dir.glob(
+    "lib/**/*", File::FNM_DOTMATCH
+  ).reject { |f| File.directory?(f) }
+  spec.require_paths = ["lib"]
+
+  spec.required_ruby_version = ">= 3.1.0"
+
+  # If you rely on any other gems, list them here with any constraints.
+  # This is how `inspec plugin install` is able to manage your dependencies.
+  # For example, perhaps you are writing a thing that talks to AWS, and you
+  # want to ensure you have `aws-sdk` in a certain version.
+
+  # This plugin uses InSpec 7 Resource Pack Plugins
+  spec.add_dependency "inspec-core", ">= 7.0"
+end

data/inspec.yml

@@ -0,0 +1,10 @@
+name: inspec-docker-resources
+title: InSpec Docker Resources 
+maintainer: InSpec Core Maintainers
+copyright: Progress Software Corporation
+copyright_email: inspec@progress.com
+license: Apache-2.0
+summary: Docker InSpec Resources in a Gem
+version: 7.1.5
+supports:
+  platform: os

data/lib/inspec-docker-resources/plugin.rb

@@ -0,0 +1,42 @@
+# Plugin Definition file
+# The purpose of this file is to declare to InSpec what plugin_types (capabilities)
+# are included in this plugin, and provide activator that will load them as needed.
+
+# It is important that this file load successfully and *quickly*.
+# Your plugin's functionality may never be used on this InSpec run; so we keep things
+# fast and light by only loading heavy things when they are needed.
+
+# Presumably this is light
+require "inspec-docker-resources/version"
+
+# The InspecPlugins namespace is where all plugins should declare themselves.
+# The "Inspec" capitalization is used throughout the InSpec source code; yes, it's
+# strange.
+module InspecPlugins
+  # Pick a reasonable namespace here for your plugin. A reasonable choice
+  # would be the CamelCase version of your plugin gem name.
+  # inspec-test-resources => TestResources
+  module DockerResources
+    # This simple class handles the plugin definition, so calling it simply Plugin is OK.
+    #   Inspec.plugin returns various Classes, intended to be superclasses for various
+    # plugin components. Here, the one-arg form gives you the Plugin Definition superclass,
+    # which mainly gives you access to the activator / plugin_type DSL.
+    #   The number '2' says you are asking for version 2 of the plugin API. If there are
+    # future versions, InSpec promises plugin API v2 will work for at least two more InSpec
+    # major versions.
+    class Plugin < ::Inspec.plugin(2)
+      # Internal machine name of the plugin. InSpec will use this in errors, etc.
+      plugin_name :"inspec-docker-resources"
+
+      # Define a new Resource Pack.
+      resource_pack :"inspec-docker-resources" do
+        # This file will load the resources implicitly via the superclass
+        require "inspec-docker-resources/resource_pack"
+
+        # Having loaded our functionality, return a class that represents the plugin.
+        # Reserved for future use.
+        InspecPlugins::DockerResources::ResourcePack
+      end
+    end
+  end
+end

data/lib/inspec-docker-resources/resource_pack.rb

@@ -0,0 +1,15 @@
+require "inspec/resource"
+
+module InspecPlugins::DockerResources
+  # This class will provide the actual CLI implementation.
+  # Its superclass is provided by another call to Inspec.plugin,
+  # this time with two args.  The first arg specifies we are requesting
+  # version 2 of the Plugins API.  The second says we are making a Resource
+  # Pack plugin component, so please make available any DSL needed
+  # for that.
+  class ResourcePack < Inspec.plugin(2, :resource_pack)
+    # TBD
+    # load_timing :early  <-- isn't that implicit in the rewuire statements
+    # train relationship declarations?  <-- that should be in the gemspec
+  end
+end

data/lib/inspec-docker-resources/resources/docker.rb

@@ -0,0 +1,272 @@
+#
+# Copyright 2017, Christoph Hartmann
+#
+
+require "inspec/resources/command"
+require "inspec/utils/filter"
+require "hashie/mash"
+
+class DockerContainerFilter
+  # use filtertable for containers
+  filter = FilterTable.create
+  filter.register_custom_matcher(:exists?) { |x| !x.entries.empty? }
+  filter.register_column(:commands, field: "command")
+    .register_column(:ids,            field: "id")
+    .register_column(:images,         field: "image")
+    .register_column(:labels,         field: "labels", style: :simple)
+    .register_column(:local_volumes,  field: "localvolumes")
+    .register_column(:mounts,         field: "mounts")
+    .register_column(:names,          field: "names")
+    .register_column(:networks,       field: "networks")
+    .register_column(:ports,          field: "ports")
+    .register_column(:running_for,    field: "runningfor")
+    .register_column(:sizes,          field: "size")
+    .register_column(:status,         field: "status")
+    .register_custom_matcher(:running?) do |x|
+      x.where { status.downcase.start_with?("up") }
+    end
+  filter.install_filter_methods_on_resource(self, :containers)
+
+  attr_reader :containers
+  def initialize(containers)
+    @containers = containers
+  end
+end
+
+class DockerImageFilter
+  filter = FilterTable.create
+  filter.register_custom_matcher(:exists?) { |x| !x.entries.empty? }
+  filter.register_column(:ids, field: "id")
+    .register_column(:repositories,  field: "repository")
+    .register_column(:tags,          field: "tag")
+    .register_column(:sizes,         field: "size")
+    .register_column(:digests,       field: "digest")
+    .register_column(:created,       field: "createdat")
+    .register_column(:created_since, field: "createdsize")
+  filter.install_filter_methods_on_resource(self, :images)
+
+  attr_reader :images
+  def initialize(images)
+    @images = images
+  end
+end
+
+class DockerPluginFilter
+  filter = FilterTable.create
+  filter.add(:ids, field: "id")
+    .add(:names,    field: "name")
+    .add(:versions, field: "version")
+    .add(:enabled,  field: "enabled")
+  filter.connect(self, :plugins)
+
+  attr_reader :plugins
+  def initialize(plugins)
+    @plugins = plugins
+  end
+end
+
+class DockerServiceFilter
+  filter = FilterTable.create
+  filter.register_custom_matcher(:exists?) { |x| !x.entries.empty? }
+  filter.register_column(:ids, field: "id")
+    .register_column(:names,    field: "name")
+    .register_column(:modes,    field: "mode")
+    .register_column(:replicas, field: "replicas")
+    .register_column(:images,   field: "image")
+    .register_column(:ports,    field: "ports")
+  filter.install_filter_methods_on_resource(self, :services)
+
+  attr_reader :services
+  def initialize(services)
+    @services = services
+  end
+end
+
+# This resource helps to parse information from the docker host
+# For compatability with Serverspec we also offer the following resouses:
+# - docker_container
+# - docker_image
+class Docker < Inspec.resource(1)
+  name "docker"
+  supports platform: "unix"
+  desc "
+    A resource to retrieve information about docker
+  "
+
+  example <<~EXAMPLE
+    describe docker.containers do
+      its('images') { should_not include 'u12:latest' }
+    end
+
+    describe docker.images do
+      its('repositories') { should_not include 'inssecure_image' }
+    end
+
+    describe docker.plugins.where { name == 'rexray/ebs' } do
+      it { should exist }
+    end
+
+    describe docker.services do
+      its('images') { should_not include 'inssecure_image' }
+    end
+
+    describe docker.version do
+      its('Server.Version') { should cmp >= '1.12'}
+      its('Client.Version') { should cmp >= '1.12'}
+    end
+
+    describe docker.object(id) do
+      its('Configuration.Path') { should eq 'value' }
+    end
+
+    docker.containers.ids.each do |id|
+      # call docker inspect for a specific container id
+      describe docker.object(id) do
+        its(%w(HostConfig Privileged)) { should cmp false }
+        its(%w(HostConfig Privileged)) { should_not cmp true }
+      end
+    end
+  EXAMPLE
+
+  def containers
+    DockerContainerFilter.new(parse_containers)
+  end
+
+  def images
+    DockerImageFilter.new(parse_images)
+  end
+
+  def plugins
+    DockerPluginFilter.new(parse_plugins)
+  end
+
+  def services
+    DockerServiceFilter.new(parse_services)
+  end
+
+  def version
+    return @version if defined?(@version)
+
+    data = {}
+    cmd = inspec.command("docker version --format '{{ json . }}'")
+    data = JSON.parse(cmd.stdout) if cmd.exit_status == 0
+    @version = Hashie::Mash.new(data)
+  rescue JSON::ParserError => _e
+    Hashie::Mash.new({})
+  end
+
+  def info
+    return @info if defined?(@info)
+
+    data = {}
+    # docke info format is only supported for Docker 17.03+
+    cmd = inspec.command("docker info --format '{{ json . }}'")
+    data = JSON.parse(cmd.stdout) if cmd.exit_status == 0
+    @info = Hashie::Mash.new(data)
+  rescue JSON::ParserError => _e
+    Hashie::Mash.new({})
+  end
+
+  # returns information about docker objects
+  def object(id)
+    return @inspect if defined?(@inspect)
+
+    data = JSON.parse(inspec.command("docker inspect #{id}").stdout)
+    data = data[0] if data.is_a?(Array)
+    @inspect = Hashie::Mash.new(data)
+  rescue JSON::ParserError => _e
+    Hashie::Mash.new({})
+  end
+
+  def to_s
+    "Docker Host"
+  end
+
+  private
+
+  def parse_json_command(labels, subcommand)
+    # build command
+    format = labels.map { |label| "\"#{label}\": {{json .#{label}}}" }
+    raw = inspec.command("docker #{subcommand} --format '{#{format.join(", ")}}'").stdout
+    output = []
+    # since docker is not outputting valid json, we need to parse each row
+    raw.each_line do |entry|
+      # convert all keys to lower_case to work well with ruby and filter table
+      row = JSON.parse(entry).map do |key, value|
+        [key.downcase, value]
+      end.to_h
+
+      # ensure all keys are there
+      row = ensure_keys(row, labels)
+
+      # strip off any linked container names
+      # Depending on how it was linked, the actual container name may come before
+      # or after the link information, so we'll just look for the first name that
+      # does not include a slash since that is not a valid character in a container name
+      if row["names"]
+        row["names"] = row["names"].split(",").find { |c| !c.include?("/") }
+      end
+
+      # Split labels on ',' or set to empty array
+      # Allows for `docker.containers.where { labels.include?('app=redis') }`
+      row["labels"] = row.key?("labels") ? row["labels"].split(",") : []
+
+      output.push(row)
+    end
+
+    output
+  rescue JSON::ParserError => _e
+    warn "Could not parse `docker #{subcommand}` output"
+    []
+  end
+
+  def parse_containers
+    # @see https://github.com/moby/moby/issues/20625, works for docker 1.13+
+    # raw_containers = inspec.command('docker ps -a --no-trunc --format \'{{ json . }}\'').stdout
+    # therefore we stick with older approach
+    labels = %w{Command CreatedAt ID Image Labels Mounts Names Ports RunningFor Size Status}
+
+    # Networks LocalVolumes work with 1.13+ only
+    if !version.empty? && Gem::Version.new(version["Client"]["Version"]) >= Gem::Version.new("1.13")
+      labels.push("Networks")
+      labels.push("LocalVolumes")
+    end
+    parse_json_command(labels, "ps -a --no-trunc")
+  end
+
+  def parse_services
+    parse_json_command(%w{ID Name Mode Replicas Image Ports}, "service ls")
+  end
+
+  def ensure_keys(entry, labels)
+    labels.each do |key|
+      entry[key.downcase] = nil unless entry.key?(key.downcase)
+    end
+    entry
+  end
+
+  def parse_images
+    # docker does not support the `json .` function here, therefore we need to emulate that behavior.
+    raw_images = inspec.command('docker images -a --no-trunc --format \'{ "id": {{json .ID}}, "repository": {{json .Repository}}, "tag": {{json .Tag}}, "size": {{json .Size}}, "digest": {{json .Digest}}, "createdat": {{json .CreatedAt}}, "createdsize": {{json .CreatedSince}} }\'').stdout
+    c_images = []
+    raw_images.each_line do |entry|
+      c_images.push(JSON.parse(entry))
+    end
+    c_images
+  rescue JSON::ParserError => _e
+    warn "Could not parse `docker images` output"
+    []
+  end
+
+  def parse_plugins
+    plugins = inspec.command('docker plugin ls --format \'{"id": {{json .ID}}, "name": "{{ with split .Name ":"}}{{index . 0}}{{end}}", "version": "{{ with split .Name ":"}}{{index . 1}}{{end}}", "enabled": {{json .Enabled}} }\'').stdout
+    c_plugins = []
+    plugins.each_line do |entry|
+      c_plugins.push(JSON.parse(entry))
+    end
+    c_plugins
+  rescue JSON::ParserError => _e
+    warn "Could not parse `docker plugin ls` output"
+    []
+  end
+end

data/lib/inspec-docker-resources/resources/docker_container.rb

@@ -0,0 +1,114 @@
+#
+# Copyright 2017, Christoph Hartmann
+
+require "inspec-docker-resources/resources/docker"
+require "inspec-docker-resources/resources/docker_object"
+
+class DockerContainer < Inspec.resource(1)
+  include DockerObject
+
+  name "docker_container"
+  supports platform: "unix"
+  desc ""
+  example <<~EXAMPLE
+    describe docker_container('an-echo-server') do
+      it { should exist }
+      it { should be_running }
+      its('id') { should_not eq '' }
+      its('image') { should eq 'busybox:latest' }
+      its('repo') { should eq 'busybox' }
+      its('tag') { should eq 'latest' }
+      its('ports') { should eq [] }
+      its('command') { should eq 'nc -ll -p 1234 -e /bin/cat' }
+      its('labels') { should include 'app=example' }
+    end
+
+    describe docker_container(id: 'e2c52a183358') do
+      it { should exist }
+      it { should be_running }
+    end
+  EXAMPLE
+
+  def initialize(opts = {})
+    # if a string is provided, we expect it is the name
+    if opts.is_a?(String)
+      @opts = { name: opts }
+    else
+      @opts = opts
+    end
+  end
+
+  def running?
+    status.downcase.start_with?("up") if object_info.entries.length == 1
+  end
+
+  # has_volume? matcher checks if the volume specified in source path of host is mounted in destination path of docker
+  def has_volume?(destination, source)
+    # volume_info is the hash which contains the low-level information about the container
+    # if Mounts key is not present or is nil; raise exception
+    raise Inspec::Exceptions::ResourceFailed, "Could not find any mounted volumes for your container" unless volume_info.Mounts[0]
+
+    # Iterate through the list of mounted volumes and check if it matches with the given destination and source
+    # is_mounted flag is used to handle to return explict boolean values of true or false
+    is_mounted = false
+    volume_info.Mounts.detect { |mount| is_mounted = mount.Destination == destination && mount.Source == source }
+    is_mounted
+  end
+
+  def status
+    object_info.status[0] if object_info.entries.length == 1
+  end
+
+  def labels
+    object_info.labels
+  end
+
+  def ports
+    object_info.ports[0] if object_info.entries.length == 1
+  end
+
+  def command
+    return unless object_info.entries.length == 1
+
+    cmd = object_info.commands[0]
+    cmd.slice(1, cmd.length - 2)
+  end
+
+  def image
+    object_info.images[0] if object_info.entries.length == 1
+  end
+
+  def repo
+    parse_components_from_image(image)[:repo] if object_info.entries.size == 1
+  end
+
+  def tag
+    parse_components_from_image(image)[:tag] if object_info.entries.size == 1
+  end
+
+  def to_s
+    name = @opts[:name] || @opts[:id]
+    "Docker Container #{name}"
+  end
+
+  def resource_id
+    object_info.ids[0] || @opts[:id] || @opts[:name] || ""
+  end
+
+  private
+
+  def object_info
+    return @info if defined?(@info)
+
+    opts = @opts
+    @info = inspec.docker.containers.where { names == opts[:name] || (!id.nil? && !opts[:id].nil? && (id == opts[:id] || id.start_with?(opts[:id]))) }
+  end
+
+  # volume_info returns the low-level information obtained on docker inspect [container_name/id]
+  def volume_info
+    return @mount_info if defined?(@mount_info)
+
+    # Check for either docker inspect [container_name] or docker inspect [container_id]
+    @mount_info = inspec.docker.object(@opts[:name] || @opts[:id])
+  end
+end

data/lib/inspec-docker-resources/resources/docker_image.rb

@@ -0,0 +1,139 @@
+#
+# Copyright 2017, Christoph Hartmann
+
+require "inspec-docker-resources/resources/docker"
+require "inspec-docker-resources/resources/docker_object"
+
+class DockerImage < Inspec.resource(1)
+  include DockerObject
+
+  name "docker_image"
+  supports platform: "unix"
+  desc ""
+  example <<~EXAMPLE
+    describe docker_image('alpine:latest') do
+      it { should exist }
+      its('id') { should_not eq '' }
+      its('image') { should eq 'alpine:latest' }
+      its('repo') { should eq 'alpine' }
+      its('tag') { should eq 'latest' }
+    end
+
+    describe docker_image('alpine:latest') do
+      it { should exist }
+    end
+
+    describe docker_image(id: '4a415e366388') do
+      it { should exist }
+    end
+  EXAMPLE
+
+  def initialize(opts = {})
+    # do sanitizion of input values
+    o = opts.dup
+    o = { image: opts } if opts.is_a?(String)
+    @opts = sanitize_options(o)
+  end
+
+  def image
+    "#{repo}:#{tag}" if object_info.entries.size == 1
+  end
+
+  def repo
+    object_info.repositories[0] if object_info.entries.size == 1
+  end
+
+  def tag
+    object_info.tags[0] if object_info.entries.size == 1
+  end
+
+  # method_missing handles when hash_keys are invoked to check information obtained on docker inspect [image_name]
+  def method_missing(*hash_keys)
+    # User can test the low-level inspect information in three ways:
+    # Way 1: Serverspec style: its(['Config.Cmd']) { should include some_value }
+    #        here, the value for hash_keys recieved is [:[], "Config.Cmd"]
+    # Way 2: InSpec style: its(['Config','Cmd']) { should include some_value }
+    #        here, the value for hash_keys recieved is [:[], "Config", "Cmd"]
+    # Way 3: Mix of both: its(['GraphDriver.Data','MergedDir']) { should include some_value }
+    #        here, the value for hash_keys recieved is [:[], "GraphDriver.Data", "MergedDir"]
+
+    # hash_keys are passed to this method to evaluate the value
+    image_hash_inspection(hash_keys)
+  end
+
+  # inspection property allows to test any of the hash key-value pairs as part of the image_inspect_info
+  def inspection
+    image_inspect_info
+  end
+
+  def to_s
+    img = @opts[:image] || @opts[:id]
+    "Docker Image #{img}"
+  end
+
+  def resource_id
+    object_info.ids[0] || @opts[:id] || @opts[:image] || ""
+  end
+
+  private
+
+  def sanitize_options(opts)
+    opts.merge!(parse_components_from_image(opts[:image]))
+
+    # assume a "latest" tag if we don't have one
+    opts[:tag] ||= "latest"
+
+    # if the ID isn't nil and doesn't contain a hash indicator (indicated by the presence
+    # of a colon, which separates the indicator from the actual hash), we assume it's sha256.
+    opts[:id] = "sha256:" + opts[:id] unless opts[:id].nil? || opts[:id].include?(":")
+
+    # Assemble/reassemble the image from the repo and tag
+    opts[:image] = "#{opts[:repo]}:#{opts[:tag]}" unless opts[:repo].nil?
+
+    # return the santized opts back to the caller
+    opts
+  end
+
+  def object_info
+    return @info if defined?(@info)
+
+    opts = @opts
+    @info = inspec.docker.images.where do
+      (repository == opts[:repo] && tag == opts[:tag]) || (!id.nil? && !opts[:id].nil? && (id == opts[:id] || id.start_with?(opts[:id])))
+    end
+  end
+
+  # image_inspect_info returns the complete inspect hash_values of the image
+  def image_inspect_info
+    return @inspect_info if defined?(@inspect_info)
+
+    @inspect_info = inspec.docker.object(@opts[:image] || (!@opts[:id].nil? && @opts[:id]))
+  end
+
+  # image_hash_inspection formats the input hash_keys and checks if any value exists for such keys in @inspect_info(image_inspect_info)
+  def image_hash_inspection(hash_keys)
+    # The hash_keys recieved are in three formats as mentioned in method_missing
+    # The hash_keys recieved must be in array format [] and the zeroth index must be :[]
+    # Check for the conditions and remove the zeroth element from the hash_keys
+
+    hash_keys.shift if hash_keys.is_a?(Array) && hash_keys[0] == :[]
+
+    # When received hash_keys in Serverspec style or mix of both
+    # The hash_keys are to be splitted at '.' (dot) and flatten it so that it doesn't become array of arrays
+    # After splitting and flattening is done, hash_keys is now an array with individual keys
+    hash_keys = hash_keys.map { |key| key.split(".") }.flatten
+
+    # image_inspect_info returns the complete inspect hash_values of the image
+    # dig() finds the nested value specified by the sequence of the key object by calling dig at each step.
+    # hash_keys is the key object. If one of the key is bad, value will be nil.
+    hash_value = image_inspect_info.dig(*hash_keys)
+
+    # If one of the key is bad, hash_value will be nil, so raise exception which throws it in rescue block
+    # else return hash_value
+    raise Inspec::Exceptions::ResourceFailed if hash_value.nil?
+
+    hash_value
+  rescue
+    raise Inspec::Exceptions::ResourceFailed, "#{hash_keys.join(".")} is not a valid key for your image or has nil value."
+  end
+end

data/lib/inspec-docker-resources/resources/docker_object.rb

@@ -0,0 +1,52 @@
+#
+# Copyright 2017, Christoph Hartmann
+#
+
+module DockerObject
+  def exist?
+    object_info.exists?
+  end
+
+  def id
+    object_info.ids[0] if object_info.entries.size == 1
+  end
+
+  private
+
+  def parse_components_from_image(image_string)
+    # if the user did not supply an image string, they likely supplied individual
+    # option parameters, such as repo and tag. Return empty data back to the caller.
+    return {} if image_string.nil?
+
+    first_colon = image_string.index(":") || -1
+    first_slash = image_string.index("/") || -1
+
+    if image_string.count(":") == 2
+      # If there are two colons in the image string, it contains a repo-with-port and a tag.
+      # example: localhost:5000/chef/inspec:1.46.3
+      partitioned_string = image_string.rpartition(":")
+      repo = partitioned_string.first
+      tag = partitioned_string.last
+      image_name = repo.split("/")[1..-1].join
+    elsif image_string.count(":") == 1 && first_colon < first_slash
+      # If there's one colon in the image string, and it comes before a forward-slash,
+      # it contains a repo-with-port but no tag.
+      # example: localhost:5000/ubuntu
+      repo = image_string
+      tag = nil
+      image_name = repo.split("/")[1..-1].join
+    else
+      # If there's one colon in the image string and it doesn't preceed a slash, or if
+      # there is no colon at all, then it separates the repo from the tag, if there is a tag.
+      # example: chef/inspec:1.46.3
+      # example: chef/inspec
+      # example: ubuntu:14.04
+      repo, tag = image_string.split(":")
+      image_name = repo
+    end
+
+    # return the repo, image_name and tag parsed from the string, which can be merged into
+    # the rest of the user-supplied options
+    { repo: repo, image_name: image_name, tag: tag }
+  end
+end

data/lib/inspec-docker-resources/resources/docker_plugin.rb

@@ -0,0 +1,66 @@
+require "inspec-docker-resources/resources/docker"
+
+class DockerPlugin < Inspec.resource(1)
+  name "docker_plugin"
+  supports platform: "unix"
+  desc "Retrieves info about docker plugins"
+  example <<~EXAMPLE
+    describe docker_plugin('rexray/ebs') do
+      it { should exist }
+      its('id') { should_not eq '0ac30b93ad40' }
+      its('version') { should eq '0.11.1' }
+      it { should be_enabled }
+    end
+
+    describe docker_plugin('alpine:latest') do
+      it { should exist }
+    end
+
+    describe docker_plugin(id: '4a415e366388') do
+      it { should exist }
+    end
+  EXAMPLE
+
+  def initialize(opts = {})
+    # do sanitizion of input values
+    o = opts.dup
+    o = { name: opts } if opts.is_a?(String)
+    @opts = o
+  end
+
+  def exist?
+    object_info.entries.size == 1
+  end
+
+  def enabled?
+    object_info.enabled[0]
+  end
+
+  def id
+    object_info.ids[0] if object_info.entries.size == 1
+  end
+
+  def version
+    object_info.versions[0] if object_info.entries.size == 1
+  end
+
+  def to_s
+    plugin = @opts[:name] || @opts[:id]
+    "Docker plugin #{plugin}"
+  end
+
+  def resource_id
+    id || @opts[:id] || @opts[:name] || ""
+  end
+
+  private
+
+  def object_info
+    return @info if defined?(@info)
+
+    opts = @opts
+    @info = inspec.docker.plugins.where do
+      (name == opts[:name]) || (!id.nil? && !opts[:id].nil? && (id == opts[:id]))
+    end
+  end
+end

data/lib/inspec-docker-resources/resources/docker_service.rb

@@ -0,0 +1,93 @@
+#
+# Copyright 2017, Christoph Hartmann
+
+require "inspec-docker-resources/resources/docker"
+require "inspec-docker-resources/resources/docker_object"
+
+class DockerService < Inspec.resource(1)
+  include DockerObject
+
+  name "docker_service"
+  supports platform: "unix"
+  desc "Swarm-mode service"
+  example <<~EXAMPLE
+    describe docker_service('service1') do
+      it { should exist }
+      its('id') { should_not eq '' }
+      its('image') { should eq 'alpine:latest' }
+      its('repo') { should eq 'alpine' }
+      its('tag') { should eq 'latest' }
+    end
+
+    describe docker_service(id: '4a415e366388') do
+      it { should exist }
+    end
+
+    describe docker_service(image: 'alpine:latest') do
+      it { should exist }
+    end
+  EXAMPLE
+
+  def initialize(opts = {})
+    # do sanitizion of input values
+    o = opts.dup
+    o = { name: opts } if opts.is_a?(String)
+    @opts = sanitize_options(o)
+  end
+
+  def name
+    object_info.names[0] if object_info.entries.size == 1
+  end
+
+  def image
+    object_info.images[0] if object_info.entries.size == 1
+  end
+
+  def image_name
+    parse_components_from_image(image)[:image_name] if object_info.entries.size == 1
+  end
+
+  def repo
+    parse_components_from_image(image)[:repo] if object_info.entries.size == 1
+  end
+
+  def tag
+    parse_components_from_image(image)[:tag] if object_info.entries.size == 1
+  end
+
+  def mode
+    object_info.modes[0] if object_info.entries.size == 1
+  end
+
+  def replicas
+    object_info.replicas[0] if object_info.entries.size == 1
+  end
+
+  def ports
+    object_info.ports[0] if object_info.entries.size == 1
+  end
+
+  def to_s
+    service = @opts[:name] || @opts[:id]
+    "Docker Service #{service}"
+  end
+
+  def resource_id
+    object_info.ids[0] || @opts[:id] || @opts[:name] || ""
+  end
+
+  private
+
+  def sanitize_options(opts)
+    opts.merge(parse_components_from_image(opts[:image]))
+  end
+
+  def object_info
+    return @info if defined?(@info)
+
+    opts = @opts
+    @info = inspec.docker.services.where do
+      name == opts[:name] || image == opts[:image] || (!id.nil? && !opts[:id].nil? && (id == opts[:id] || id.start_with?(opts[:id])))
+    end
+  end
+end

data/lib/inspec-docker-resources/version.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+# This file simply makes it easier for CI engines to update
+# the version stamp, and provide a clean way for the gemspec
+# to learn the current version.
+module InspecPlugins
+  module DockerResources
+    VERSION = "7.1.5"
+  end
+end

data/lib/inspec-docker-resources.rb

@@ -0,0 +1,14 @@
+# This file is known as the "entry point."
+# This is the file InSpec will try to load if it
+# thinks your plugin is installed.
+
+# The *only* thing this file should do is setup the
+# load path, then load the plugin definition file.
+
+# Next two lines simply add the path of the gem to the load path.
+# This is not needed when being loaded as a gem; but when doing
+# plugin development, you may need it.  Either way, it's harmless.
+libdir = File.dirname(__FILE__)
+$LOAD_PATH.unshift(libdir) unless $LOAD_PATH.include?(libdir)
+
+require "inspec-docker-resources/plugin"

metadata

@@ -0,0 +1,72 @@
+--- !ruby/object:Gem::Specification
+name: inspec-docker-resources
+version: !ruby/object:Gem::Version
+  version: 7.1.5
+platform: ruby
+authors:
+- InSpec Core Maintainers
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2025-10-09 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: inspec-core
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '7.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '7.0'
+description: Contains InSpec 7.0+ resources fo interacting with Docker Desktop.
+email:
+- inspec@progress.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- Gemfile
+- README.md
+- inspec-docker-resources.gemspec
+- inspec.yml
+- lib/inspec-docker-resources.rb
+- lib/inspec-docker-resources/plugin.rb
+- lib/inspec-docker-resources/resource_pack.rb
+- lib/inspec-docker-resources/resources/.gitkeep
+- lib/inspec-docker-resources/resources/docker.rb
+- lib/inspec-docker-resources/resources/docker_container.rb
+- lib/inspec-docker-resources/resources/docker_image.rb
+- lib/inspec-docker-resources/resources/docker_object.rb
+- lib/inspec-docker-resources/resources/docker_plugin.rb
+- lib/inspec-docker-resources/resources/docker_service.rb
+- lib/inspec-docker-resources/version.rb
+homepage: https://github.com/inspec/inspec-docker-resources
+licenses:
+- Apache-2.0
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 3.1.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.3.27
+signing_key: 
+specification_version: 4
+summary: Docker InSpec Resources in a Gem
+test_files: []