Chef Inspec

Compliance as Code

Turn your compliance, security, and other policy requirements into automated tests.

View Docs Download InSpec

Compliance by design

Platform Agnostic
Chef InSpec supports all major operating systems and is platform agnostic, allowing you the freedom to run compliance and security tests anywhere.
Test Locally or Remotely
Chef InSpec provides a local agent for host-based assessments, as well as full remote testing support via SSH and WinRM.
Free To Run Anywhere
Chef InSpec can easily express compliance as code, with the freedom to run anywhere.
Extensible Language
Easily extend the Chef InSpec language to cover new operating systems, devices, or applications.

control 'sshd-21' do
  title 'Set SSH Protocol to 2'
  desc 'A detailed description'
  impact 1.0 # This is critical ref 'compliance guide, section 2.1'
  describe sshd_config do
  its('Protocol') { should cmp 2 }
Codify agreements

Combine profiles and customize them with overlays. Pick controls and define exceptions as code.

Add context to your tests

Utilize many fields like descriptions, tags, and impact.

Apply to all systems

Analyze everything using the same codified profiles and controls.

describe file('/etc/myapp.conf') do
  it { should exist }
  its('mode') { should cmp 0644 }

describe apache_conf do
  its('Listen') { should cmp 8080 }

describe port(8080) do
  it { should be_listening }
Test the desired state

Verify the current desired state of your apps and infrastructure according to the code you write.

Human-readable code

Reduce friction by writing tests that are easy to understand by anyone.


Create custom resources with ease and share them easily with others.

describe aws_s3_bucket(bucket_name: 'my_secret_files') do
  it { should exist }
  it { should_not be_public }

describe aws_iam_user(username: 'test_user') do
  it { should have_mfa_enabled }
  it { should_not have_console_password }
Test AWS and Azure configuration

Verify all necessary settings of your favorite public cloud providers.

Test provisioners

Chef InSpec can be used in combination with Cloudformation, Azure resource manager templates and Terraform.

Verify security configuration

Ensure that your cloud deployments are not open to malicious attacks due to misconfiguration.

Get started in 3 simple steps


Write the test

Create simple Ruby-based tests to verify your expected state against the current state of your systems.

control 'example-1.0' do
  impact 0.9
  title 'Ensure login disabled'
  desc 'An optional description...'
  describe sshd_config do
    its('PermitRootLogin') {
      should_not cmp 'yes'


Run the test

Execute your test against your target system locally or remotely with one simple command.

$ inspec exec linux-baseline


See the results

See which tests failed, passed and skipped and the expected state against the current state of your target system, in one simple output.

Profile: Chef InSpec Profile (example_profile)
Version: 0.1.0
Target:  local://

  ✔  example-1.0: Ensure root login is disabled via SSH
  ✔  SSHD Configuration PermitRootLogin should not cmp == "yes"

Profile Summary: 1 successful control, 0 control failures, 0 controls skipped
Test Summary: 1 successful, 0 failures, 0 skipped

From the Chef InSpec Blog

Testing Windows DNS SIGRed Vulnerability with Chef InSpec

Read more

Cyber Security for Australian Government, National Critical Infrastructure providers and Enterprise using Chef Compliance

Read more

Automating MAS Technology Risk Management (TRM) Guidelines using Chef InSpec

Read more

Wondering how Chef InSpec might work for your team?