Skip to main content

InSpec CLI

[edit on GitHub]

Use the InSpec CLI to run tests and audits against targets using local, SSH, WinRM, or Docker connections.

archive

Archive a profile to tar.gz (default) or zip

Syntax

This subcommand has the following syntax:

inspec archive PATH

Options

This subcommand has additional options:

  • --airgap, --no-airgap Fallback to using local archives if fetching fails.
  • --ignore-errors, --no-ignore-errors Ignore profile warnings.
  • -o, --output=OUTPUT Save the archive to a path
  • --overwrite, --no-overwrite Overwrite existing archive.
  • --profiles-path=PROFILES_PATH Folder which contains referenced profiles.
  • --tar, --no-tar Generates a tar.gz archive.
  • --vendor-cache=VENDOR_CACHE Use the given path for caching dependencies. (default: ~/.inspec/cache)
  • --zip, --no-zip Generates a zip archive.

check

Verify all tests at the specified path

Syntax

This subcommand has the following syntax:

inspec check PATH

Options

This subcommand has additional options:

  • --format=FORMAT

  • --profiles-path=PROFILES_PATH Folder which contains referenced profiles.

  • --vendor-cache=VENDOR_CACHE Use the given path for caching dependencies. (default: ~/.inspec/cache)

detect

Detect the target os

Syntax

This subcommand has the following syntax:

inspec detect

Options

This subcommand has additional options:

  • -b, --backend=BACKEND Choose a backend: local, ssh, winrm, docker.

  • --bastion-host=BASTION_HOST Specifies the bastion host if applicable

  • --bastion-port=BASTION_PORT Specifies the bastion port if applicable

  • --bastion-user=BASTION_USER Specifies the bastion user if applicable

  • --config=CONFIG Read configuration from JSON file (- reads from stdin).

  • --enable-password=ENABLE_PASSWORD Password for enable mode on Cisco IOS devices.

  • --format=FORMAT

  • --host=HOST Specify a remote host which is tested.

  • --insecure, --no-insecure Disable SSL verification on select targets

  • -i, --key-files=one two three Login key or certificate file for a remote scan.

  • --password=PASSWORD Login password for a remote scan, if required.

  • --path=PATH Login path to use when connecting to the target (WinRM).

  • -p, --port=N Specify the login port for a remote scan.

  • --proxy-command=PROXY_COMMAND Specifies the command to use to connect to the server

  • --self-signed, --no-self-signed Allow remote scans with self-signed certificates (WinRM).

  • --shell, --no-shell Run scans in a subshell. Only activates on Unix.

  • --shell-command=SHELL_COMMAND Specify a particular shell to use.

  • --shell-options=SHELL_OPTIONS Additional shell options.

  • --ssl, --no-ssl Use SSL for transport layer encryption (WinRM).

  • --sudo, --no-sudo Run scans with sudo. Only activates on Unix and non-root user.

  • --sudo-command=SUDO_COMMAND Alternate command for sudo.

  • --sudo-options=SUDO_OPTIONS Additional sudo options for a remote scan.

  • --sudo-password=SUDO_PASSWORD Specify a sudo password, if it is required.

  • -t, --target=TARGET Simple targeting option using URIs, e.g. ssh://user:pass@host:port

  • --target-id=TARGET_ID Provide a ID which will be included on reports

  • --user=USER The login user for a remote scan.

  • --winrm-basic-auth-only, --no-winrm-basic-auth-only Whether to use basic authentication, defaults to false (WinRM).

  • --winrm-disable-sspi, --no-winrm-disable-sspi Whether to use disable sspi authentication, defaults to false (WinRM).

  • --winrm-transport=WINRM_TRANSPORT Specify which transport to use, defaults to negotiate (WinRM).

env

Output shell-appropriate completion configuration

Syntax

This subcommand has the following syntax:

inspec env

exec

Run all test files at the specified locations.

loads the given profile(s) and fetches their dependencies if needed. then connects to the target and executes any controls contained in the profiles. one or more reporters are used to generate output.

exit codes:
    0  normal exit, all tests passed
    1  usage or general error
    2  error in plugin system
    3  fatal deprecation encountered
  100  normal exit, at least one test failed
  101  normal exit, at least one test skipped but none failed
  172  chef license not accepted

below are some examples of using exec with different test locations:

automate:

inspec compliance login
inspec exec compliance://username/linux-baseline

supermarket:

inspec exec supermarket://username/linux-baseline

local profile (executes all tests in controls/):

inspec exec /path/to/profile

local single test (doesn’t allow inputs or custom resources)

inspec exec /path/to/a_test.rb

git via ssh

inspec exec git@github.com:dev-sec/linux-baseline.git

git via https (.git suffix is required):

inspec exec https://github.com/dev-sec/linux-baseline.git

private git via https (.git suffix is required):

inspec exec https://api_token@github.com/dev-sec/linux-baseline.git

private git via https and cached credentials (.git suffix is required):

git config credential.helper cache
git ls-remote https://github.com/dev-sec/linux-baseline.git
inspec exec https://github.com/dev-sec/linux-baseline.git

web hosted fileshare (also supports .zip):

inspec exec https://webserver/linux-baseline.tar.gz

web hosted fileshare with basic authentication (supports .zip):

inspec exec https://username:password@webserver/linux-baseline.tar.gz

Syntax

This subcommand has the following syntax:

inspec exec LOCATIONS

Options

This subcommand has additional options:

  • --attrs=one two three Legacy name for –input-file - deprecated.
  • -b, --backend=BACKEND Choose a backend: local, ssh, winrm, docker.
  • --backend-cache, --no-backend-cache Allow caching for backend command output. (default: true)
  • --bastion-host=BASTION_HOST Specifies the bastion host if applicable
  • --bastion-port=BASTION_PORT Specifies the bastion port if applicable
  • --bastion-user=BASTION_USER Specifies the bastion user if applicable
  • --config=CONFIG Read configuration from JSON file (- reads from stdin).
  • --controls=one two three A list of control names to run, or a list of /regexes/ to match against control names. Ignore all other tests.
  • --create-lockfile, --no-create-lockfile Write out a lockfile based on this execution (unless one already exists)
  • --distinct-exit, --no-distinct-exit Exit with code 101 if any tests fail, and 100 if any are skipped (default). If disabled, exit 0 on skips and 1 for failures.
  • --enable-password=ENABLE_PASSWORD Password for enable mode on Cisco IOS devices.
  • --host=HOST Specify a remote host which is tested.
  • --input=name1=value1 name2=value2 Specify one or more inputs directly on the command line, as –input NAME=VALUE. Accepts single-quoted YAML and JSON structures.
  • --input-file=one two three Load one or more input files, a YAML file with values for the profile to use
  • --insecure, --no-insecure Disable SSL verification on select targets
  • -i, --key-files=one two three Login key or certificate file for a remote scan.
  • --password=PASSWORD Login password for a remote scan, if required.
  • --path=PATH Login path to use when connecting to the target (WinRM).
  • -p, --port=N Specify the login port for a remote scan.
  • --profiles-path=PROFILES_PATH Folder which contains referenced profiles.
  • --proxy-command=PROXY_COMMAND Specifies the command to use to connect to the server
  • --reporter=one two:/output/file/path Enable one or more output reporters: cli, documentation, html, progress, json, json-min, json-rspec, junit, yaml
  • --reporter-backtrace-inclusion, --no-reporter-backtrace-inclusion Include a code backtrace in report data (default: true)
  • --reporter-message-truncation=REPORTER_MESSAGE_TRUNCATION Number of characters to truncate failure messages in report data to (default: no truncation)
  • --self-signed, --no-self-signed Allow remote scans with self-signed certificates (WinRM).
  • --shell, --no-shell Run scans in a subshell. Only activates on Unix.
  • --shell-command=SHELL_COMMAND Specify a particular shell to use.
  • --shell-options=SHELL_OPTIONS Additional shell options.
  • --show-progress, --no-show-progress Show progress while executing tests.
  • --silence-deprecations=all|GROUP GROUP... Suppress deprecation warnings. See install_dir/etc/deprecations.json for list of GROUPs or use ‘all’.
  • --ssl, --no-ssl Use SSL for transport layer encryption (WinRM).
  • --sudo, --no-sudo Run scans with sudo. Only activates on Unix and non-root user.
  • --sudo-command=SUDO_COMMAND Alternate command for sudo.
  • --sudo-options=SUDO_OPTIONS Additional sudo options for a remote scan.
  • --sudo-password=SUDO_PASSWORD Specify a sudo password, if it is required.
  • -t, --target=TARGET Simple targeting option using URIs, e.g. ssh://user:pass@host:port
  • --target-id=TARGET_ID Provide a ID which will be included on reports
  • --user=USER The login user for a remote scan.
  • --vendor-cache=VENDOR_CACHE Use the given path for caching dependencies. (default: ~/.inspec/cache)
  • --waiver-file=one two three Load one or more waiver files.
  • --winrm-basic-auth-only, --no-winrm-basic-auth-only Whether to use basic authentication, defaults to false (WinRM).
  • --winrm-disable-sspi, --no-winrm-disable-sspi Whether to use disable sspi authentication, defaults to false (WinRM).
  • --winrm-transport=WINRM_TRANSPORT Specify which transport to use, defaults to negotiate (WinRM).

help

Describe available commands or one specific command

Syntax

This subcommand has the following syntax:

inspec help [COMMAND]

json

Read all tests in path and generate a json summary

Syntax

This subcommand has the following syntax:

inspec json PATH

Options

This subcommand has additional options:

  • --controls=one two three A list of controls to include. Ignore all other tests.
  • -o, --output=OUTPUT Save the created profile to a path
  • --profiles-path=PROFILES_PATH Folder which contains referenced profiles.
  • --vendor-cache=VENDOR_CACHE Use the given path for caching dependencies. (default: ~/.inspec/cache)

nothing

Does nothing

Syntax

This subcommand has the following syntax:

inspec nothing

schema

Print the json schema

Syntax

This subcommand has the following syntax:

inspec schema NAME

shell

Open an interactive debugging shell

Syntax

This subcommand has the following syntax:

inspec shell

Options

This subcommand has additional options:

  • -b, --backend=BACKEND Choose a backend: local, ssh, winrm, docker.
  • --bastion-host=BASTION_HOST Specifies the bastion host if applicable
  • --bastion-port=BASTION_PORT Specifies the bastion port if applicable
  • --bastion-user=BASTION_USER Specifies the bastion user if applicable
  • -c, --command=COMMAND A single command string to run instead of launching the shell
  • --config=CONFIG Read configuration from JSON file (- reads from stdin).
  • --depends=one two three A space-delimited list of local folders containing profiles whose libraries and resources will be loaded into the new shell
  • --distinct-exit, --no-distinct-exit Exit with code 100 if any tests fail, and 101 if any are skipped but none failed (default). If disabled, exit 0 on skips and 1 for failures.
  • --enable-password=ENABLE_PASSWORD Password for enable mode on Cisco IOS devices.
  • --host=HOST Specify a remote host which is tested.
  • --insecure, --no-insecure Disable SSL verification on select targets
  • --inspect, --no-inspect Use verbose/debugging output for resources.
  • -i, --key-files=one two three Login key or certificate file for a remote scan.
  • --password=PASSWORD Login password for a remote scan, if required.
  • --path=PATH Login path to use when connecting to the target (WinRM).
  • -p, --port=N Specify the login port for a remote scan.
  • --proxy-command=PROXY_COMMAND Specifies the command to use to connect to the server
  • --reporter=one two:/output/file/path Enable one or more output reporters: cli, documentation, html, progress, json, json-min, json-rspec, junit
  • --self-signed, --no-self-signed Allow remote scans with self-signed certificates (WinRM).
  • --shell, --no-shell Run scans in a subshell. Only activates on Unix.
  • --shell-command=SHELL_COMMAND Specify a particular shell to use.
  • --shell-options=SHELL_OPTIONS Additional shell options.
  • --ssl, --no-ssl Use SSL for transport layer encryption (WinRM).
  • --sudo, --no-sudo Run scans with sudo. Only activates on Unix and non-root user.
  • --sudo-command=SUDO_COMMAND Alternate command for sudo.
  • --sudo-options=SUDO_OPTIONS Additional sudo options for a remote scan.
  • --sudo-password=SUDO_PASSWORD Specify a sudo password, if it is required.
  • -t, --target=TARGET Simple targeting option using URIs, e.g. ssh://user:pass@host:port
  • --target-id=TARGET_ID Provide a ID which will be included on reports
  • --user=USER The login user for a remote scan.
  • --winrm-basic-auth-only, --no-winrm-basic-auth-only Whether to use basic authentication, defaults to false (WinRM).
  • --winrm-disable-sspi, --no-winrm-disable-sspi Whether to use disable sspi authentication, defaults to false (WinRM).
  • --winrm-transport=WINRM_TRANSPORT Specify which transport to use, defaults to negotiate (WinRM).

supermarket

Supermarket commands

Syntax

This subcommand has the following syntax:

inspec supermarket SUBCOMMAND ...

vendor

Download all dependencies and generate a lockfile in a vendor directory

Syntax

This subcommand has the following syntax:

inspec vendor PATH

Options

This subcommand has additional options:

  • --overwrite, --no-overwrite Overwrite existing vendored dependencies and lockfile.

version

Prints the version of this tool

Syntax

This subcommand has the following syntax:

inspec version

Options

This subcommand has additional options:

  • --format=FORMAT