Overview

Chef InSpec tests infrastructure state by querying running systems or cloud APIs. It verifies OS configuration, installed packages, network settings, and cloud resource properties.

Capabilities

  • Tests against live infrastructure (servers, containers, cloud resources)
  • Rich resource library for AWS, Azure, GCP, and OS-level checks
  • Compliance profiles map to regulatory frameworks
  • Human-readable test output

Limitations

  • Requires a running system or cloud API access
  • Not applicable to source code analysis; use Semgrep or CodeQL for source code checks
  • Tests state at a point in time, not code patterns

Generated Format

  • Language: Ruby
  • Structure: InSpec control files with control, describe, and it blocks
  • Execution: inspec exec profile/

Example Guardrail

control 's3-encryption' do
  impact 1.0   # highest severity: a failure here should block the change
  title 'Ensure all S3 buckets have encryption enabled'

  # Enumerate every bucket in the account and check each one separately,
  # so the report names the specific non-compliant bucket.
  aws_s3_buckets.bucket_names.each do |bucket|
    describe aws_s3_bucket(bucket) do
      it { should have_default_encryption_enabled }
    end
  end
end
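
As an added example, not code from this page or from Chef InSpec: a plain-Ruby stand-in that keeps the control / describe / it shape of the guardrail above but evaluates it against constructed data (a hard-coded bucket list and an sshd_config fragment), so the structure of a control file and impact-based gating can be run offline with `ruby`. The MiniControl class, the sample data, and the parse_sshd, profile_results and gate_exit_code helpers are all assumptions of this example; real InSpec uses `it { should ... }` matchers against live resources, and the S3 control here is the page's example re-expressed over the sample data, with an OS-level control of the same shape added beside it.

```ruby
# Added example (not Chef InSpec code): a toy stand-in for the control /
# describe / it shape of an InSpec control file, evaluated against
# constructed data so it runs with plain `ruby`. InSpec itself queries the
# live system or cloud API; here the "system state" is hard-coded below.

# --- constructed sample state (assumed values, not real infrastructure) ---
SAMPLE_BUCKETS = {
  'logs-prod'   => { default_encryption: true },
  'uploads-dev' => { default_encryption: false }, # the misconfigured one
}.freeze

SAMPLE_SSHD_CONFIG = <<~CONF.freeze
  # constructed sshd_config fragment
  Port 22
  PermitRootLogin no
  PasswordAuthentication no
CONF

# Parse "Key value" lines of an sshd_config-style file into a hash.
def parse_sshd(text)
  text.each_line.with_object({}) do |line, cfg|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split(/\s+/, 2)
    cfg[key] = value
  end
end

# Minimal control: records impact, title and the pass/fail of each `it`.
class MiniControl
  attr_reader :id, :impact_value, :title_text, :checks

  def initialize(id, &block)
    @id, @impact_value, @title_text, @checks = id, 0.0, id, []
    instance_eval(&block) # run the control body with `self` = this control
  end

  def impact(value)
    @impact_value = value
  end

  def title(text)
    @title_text = text
  end

  # describe(label, subject) { it('...') { |subject| boolean } }
  def describe(label, subject)
    @label, @subject = label, subject
    yield
  end

  def it(description)
    @checks << ["#{@label} #{description}", yield(@subject) ? true : false]
  end

  def passed?
    @checks.all? { |(_, ok)| ok }
  end
end

CONTROLS = []
def control(id, &block)
  CONTROLS << MiniControl.new(id, &block)
end

# The page's S3 guardrail, over the constructed bucket list.
control 's3-encryption' do
  impact 1.0
  title 'Ensure all S3 buckets have encryption enabled'
  SAMPLE_BUCKETS.each do |name, props|
    describe "aws_s3_bucket(#{name})", props do
      it('should have default encryption enabled') { |b| b[:default_encryption] }
    end
  end
end

# An OS-level control of the same shape, over the constructed sshd_config.
control 'sshd-no-root-login' do
  impact 0.7
  title 'Ensure root login over SSH is disabled'
  describe 'sshd_config', parse_sshd(SAMPLE_SSHD_CONFIG) do
    it('should set PermitRootLogin to no') { |cfg| cfg['PermitRootLogin'] == 'no' }
  end
end

# Evaluate every control, print an InSpec-like summary, return id => status.
def profile_results(controls)
  controls.each_with_object({}) do |c, out|
    status = c.passed? ? 'passed' : 'failed'
    out[c.id] = status
    puts "#{status.upcase} #{c.id} (impact #{c.impact_value}): #{c.title_text}"
    c.checks.each { |desc, ok| puts "  [#{ok ? 'PASS' : 'FAIL'}] #{desc}" }
  end
end

# Guardrail gate: a failing control at or above the impact threshold blocks the pipeline.
def gate_exit_code(controls, threshold: 0.7)
  controls.any? { |c| !c.passed? && c.impact_value >= threshold } ? 1 : 0
end

profile_results(CONTROLS)
puts "gate exit code: #{gate_exit_code(CONTROLS)}"
```

With the sample data, the S3 control fails because of the uploads-dev bucket while the sshd control passes, and because the failing control carries impact 1.0 the gate returns 1; the same pattern is what a CI job applies to a real `inspec exec profile/` run, where the exit code, not the human-readable listing, is what blocks the merge.
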

Learn more at Chef InSpec documentation and resources reference.