Chef Inspec

Compliance as Code

Turn your compliance, security, and other policy requirements into automated tests.

Compliance by design

Platform Agnostic

Chef InSpec supports all major operating systems and is platform agnostic, allowing you the freedom to run compliance and security tests anywhere.

Test Locally or Remotely

Chef InSpec provides a local agent for host-based assessments, as well as full remote testing support via SSH and WinRM.

Free To Run Anywhere

Chef InSpec can easily express compliance as code, with the freedom to run anywhere.

Extensible Language

Easily extend the Chef InSpec language to cover new operating systems, devices, or applications.

Chef InSpec can be used for

Codify agreements

Combine profiles and customize them with overlays. Pick controls and define exceptions as code.

Add context to your tests

Utilize many fields like descriptions, tags, and impact.

Apply to all systems

Analyze everything using the same codified profiles and controls.

control 'sshd-21' do
  title 'Set SSH Protocol to 2'
  desc 'A detailed description'
  impact 1.0 # This is critical ref 'compliance guide, section 2.1'
  describe sshd_config do
  its('Protocol') { should cmp 2 }

Test the desired state

Verify the current desired state of your apps and infrastructure according to the code you write.

Human-readable code

Reduce friction by writing tests that are easy to understand by anyone.


Create custom resources with ease and share them easily with others.

describe file('/etc/myapp.conf') do
  it { should exist }
  its('mode') { should cmp 0644 }

describe apache_conf do
  its('Listen') { should cmp 8080 }

describe port(8080) do
  it { should be_listening }

Test AWS and Azure configuration

Verify all necessary settings of your favorite public cloud providers.

Test provisioners

Chef InSpec can be used in combination with Cloudformation, Azure resource manager templates and Terraform.

Verify security configuration

Ensure that your cloud deployments are not open to malicious attacks due to misconfiguration.

describe aws_s3_bucket(bucket_name: 'my_secret_files') do
  it { should exist }
  it { should_not be_public }

describe aws_iam_user(username: 'test_user') do
  it { should have_mfa_enabled }
  it { should_not have_console_password }

Get started in 3 simple steps

Write the test

Create simple Ruby-based tests to verify your expected state against the current state of your systems.

control 'example-1.0' do
  impact 0.9
  title 'Ensure login disabled'
  desc 'An optional description...'
  describe sshd_config do
    its('PermitRootLogin') {
      should_not cmp 'yes'

Run the test

Execute your test against your target system locally or remotely with one simple command.

$ inspec exec linux-baseline

See the results

See which tests failed, passed and skipped and the expected state against the current state of your target system, in one simple output.

Profile: Chef InSpec Profile (example_profile)
Version: 0.1.0
Target:  local://

  ✔  example-1.0: Ensure root login is disabled via SSH
  ✔  SSHD Configuration PermitRootLogin should not cmp == "yes"

Profile Summary: 1 successful control, 0 control failures, 0 controls skipped
Test Summary: 1 successful, 0 failures, 0 skipped

InSpec highlights from our Blog


Testing Windows DNS SIGRed Vulnerability with Chef InSpec

Read more

Cyber Security for Australian Government, National Critical Infrastructure providers and Enterprise using Chef Compliance

Read more

Automating MAS Technology Risk Management (TRM) Guidelines using Chef InSpec

Read more

Wondering how Chef InSpec might work for your team?