InSpec: a tool to create compliance as code

InSpec is an open source testing framework for infrastructure with a human-readable language for specifying compliance, security and other policy requirements.

In short, it is a self-documenting testing and audit framework in which infrastructure and security compliance requirements are expressed as code (compliance as code).

(Figure: InSpec sample code snippet)

What problem is it trying to solve?

InSpec solves multiple problems:

  • As companies adopt continuous delivery and deployment, infrastructure and other environment dependencies are abstracted into infrastructure-as-code artifacts. These artifacts are checked into source control and used to produce immutable infrastructure. InSpec can then test and audit the systems that the infrastructure-as-code produced, to determine whether they meet the intended requirements. An InSpec profile defines the tests and policies used to validate the infrastructure, and is itself a code artifact that can be version controlled and checked into source control. The profiles can then be invoked from CI/CD pipeline tools such as Jenkins to automate the InSpec test runs.


  • A second use case is compliance testing. InSpec can codify security or compliance requirements into a series of controls (tests). The InSpec profile then becomes a compliance-as-code artifact that is version controlled and checked into source control, and it can run as a test stage in CI/CD tools such as Jenkins, adding compliance testing to the pipeline.


What does it do, and how does it do it?

InSpec developers write test profiles that are readable, declarative and unambiguous, and group them into a descriptive artifact that can carry additional metadata such as security control numbers. These profiles are code artifacts that can be version controlled and run repeatedly against systems to determine whether they meet the standard.
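To make the profile structure concrete, here is an added example (not InSpec's own code, and not the snippet the original figure showed): a small Ruby stand-in for the InSpec control DSL. Instead of a live target it inspects a constructed in-memory snapshot (FAKE_SYSTEM, with FakeFile, FakeService and FakePort wrappers), so it runs offline; the control ids, the tag value and the sample sshd_config contents are all made up for illustration. It shows how a control bundles impact, title and tag metadata with describe blocks, how it/its expectations are evaluated against resource properties, and how the results roll up into the per-control report that a CI stage would gate on.

```ruby
# Added example, not InSpec's own code: a tiny stand-in for the InSpec control DSL.
# FAKE_SYSTEM is a constructed snapshot of a target; real InSpec inspects a live system.
FAKE_SYSTEM = {
  files: { '/etc/ssh/sshd_config' => { exists: true, mode: 0o600, owner: 'root',
             content: "PermitRootLogin no\nPasswordAuthentication yes\n" } },
  services: { 'sshd' => { running: true, enabled: true },
              'telnet' => { running: false, enabled: false } },
  listening_ports: [22, 8080],
}.freeze

# Resource wrappers expose properties the way InSpec's file/service/port resources do.
class FakeFile
  def initialize(path); @path = path; @f = FAKE_SYSTEM[:files].fetch(path, { exists: false }); end
  def exist?;  @f[:exists];  end
  def mode;    @f[:mode];    end
  def owner;   @f[:owner];   end
  def content; @f[:content]; end
  def to_s;    "File #{@path}"; end
end

class FakeService
  def initialize(name); @name = name; @s = FAKE_SYSTEM[:services].fetch(name, { running: false, enabled: false }); end
  def running?; @s[:running]; end
  def enabled?; @s[:enabled]; end
  def to_s;     "Service #{@name}"; end
end

class FakePort
  def initialize(number); @number = number; end
  def listening?; FAKE_SYSTEM[:listening_ports].include?(@number); end
  def to_s;       "Port #{@number}"; end
end

# A matcher pairs a readable name with a predicate over the subject.
Matcher = Struct.new(:name, :check)

module Matchers
  def exist;        Matcher.new('exist',        ->(s) { s.exist? });     end
  def be_running;   Matcher.new('be running',   ->(s) { s.running? });   end
  def be_enabled;   Matcher.new('be enabled',   ->(s) { s.enabled? });   end
  def be_listening; Matcher.new('be listening', ->(s) { s.listening? }); end
  def match(re);    Matcher.new("match #{re.inspect}", ->(s) { re.match?(s.to_s) }); end
  # Lenient comparison in the spirit of InSpec's cmp: an integer mode is compared as octal text.
  def cmp(expected)
    Matcher.new("cmp #{expected.inspect}", lambda { |s|
      s.is_a?(Integer) && expected.is_a?(String) ? format('%04o', s) == expected : s == expected
    })
  end
end

# One describe block: a subject (a resource or one of its properties) plus expectations.
class Describe
  include Matchers
  attr_reader :results
  def initialize(resource, label); @resource, @label, @results = resource, label, []; end
  def it(&block);        expect_on(@resource, @label, &block); end
  def its(prop, &block); expect_on(@resource.public_send(prop), "#{@label} #{prop}", &block); end
  def should(m);     record("should #{m.name}",     passes?(m));  end
  def should_not(m); record("should not #{m.name}", !passes?(m)); end

  private

  def expect_on(subject, label, &block)
    @subject, @subject_label = subject, label
    instance_eval(&block)
  end
  def passes?(m)
    m.check.call(@subject)
  rescue StandardError
    false # a subject that cannot be inspected fails the expectation rather than raising
  end
  def record(text, ok); @results << { desc: "#{@subject_label} #{text}", passed: ok }; end
end

# A control carries audit metadata (impact, title, tags such as a benchmark number)
# alongside the describe blocks that test it.
class Control
  attr_reader :id, :meta, :results
  def initialize(id, &block); @id, @meta, @results = id, { tags: {} }, []; instance_eval(&block); end
  def impact(v); @meta[:impact] = v; end
  def title(v);  @meta[:title]  = v; end
  def tag(h);    @meta[:tags].merge!(h); end
  def describe(resource, label = resource.to_s, &block)
    d = Describe.new(resource, label)
    d.instance_eval(&block)
    @results.concat(d.results)
  end
  def file(path);    FakeFile.new(path);      end
  def service(name); FakeService.new(name);   end
  def port(number);  FakePort.new(number);    end
  def passed?;  @results.all? { |r| r[:passed] }; end
  def failures; @results.reject { |r| r[:passed] }.map { |r| r[:desc] }; end
end

class Profile
  attr_reader :controls
  def initialize(&block); @controls = []; instance_eval(&block); end
  def control(id, &block); @controls << Control.new(id, &block); end
  def report
    @controls.map { |c| { id: c.id, impact: c.meta[:impact], tags: c.meta[:tags], passed: c.passed?, failed: c.failures } }
  end
  # CI gating works on the aggregate: any failed control should fail the pipeline stage.
  def summary
    r = report
    { total: r.size, passed: r.count { |c| c[:passed] }, failed: r.count { |c| !c[:passed] } }
  end
end

# The profile itself: the part that would live in controls/*.rb and be version-controlled.
SSH_PROFILE = Profile.new do
  control 'sshd-01' do
    impact 1.0
    title 'Root login over SSH is disabled'
    tag cis: 'x.y.z' # placeholder benchmark id, constructed for illustration
    describe file('/etc/ssh/sshd_config'), 'sshd_config' do
      it { should exist }
      its(:mode)    { should cmp '0600' }
      its(:owner)   { should cmp 'root' }
      its(:content) { should match(/^PermitRootLogin no$/) }
    end
  end
  control 'sshd-02' do
    impact 0.7
    title 'SSH password authentication is disabled'
    describe file('/etc/ssh/sshd_config'), 'sshd_config' do
      its(:content) { should_not match(/^PasswordAuthentication yes$/) }
    end
  end
  control 'svc-01' do
    impact 0.5
    title 'Telnet is off and sshd is running and listening'
    describe service('telnet') do
      it { should_not be_running }
      it { should_not be_enabled }
    end
    describe service('sshd') do
      it { should be_running }
    end
    describe port(22) do
      it { should be_listening }
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  SSH_PROFILE.report.each do |c|
    puts "#{c[:passed] ? 'PASS' : 'FAIL'} #{c[:id]} (impact #{c[:impact]})"
    c[:failed].each { |f| puts "  - #{f}" }
  end
  puts SSH_PROFILE.summary
end
```

Running the file prints one PASS/FAIL line per control; sshd-02 fails because the constructed sshd_config still contains PasswordAuthentication yes, and the failure message names the exact expectation, which is what makes a profile self-documenting to a non-developer reading the report. With real InSpec the same profile layout is executed with inspec exec against a local or remote target, and a non-zero exit status on failed controls is what a Jenkins stage checks.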

InSpec can run locally on a system with the InSpec executable, or against remote targets over SSH or Windows WinRM. Targets include virtual machines and Docker containers. InSpec is also extensible via resource packs; examples include packs for cloud services such as AWS and Azure, for private cloud infrastructure such as VMware, and for Chef and Test Kitchen.

Tool integrations

CI/CD pipeline tools: Jenkins, VSTS

Cloud platforms: AWS and Azure services and resources can be tested and audited via the InSpec resource packs for AWS and Azure.

Value Proposition/Benefits

InSpec brings automated testing, security policies and compliance control auditing together in a single human-readable, expressive language. InSpec profile artifacts are self-documenting: non-developers can read them to see the tests and criteria used to check the environment.

Similar Products

Serverspec – Serverspec is a similar tool that lets you write RSpec tests which primarily validate infrastructure resources (services, ports, packages, etc.). InSpec started as a Serverspec extension and developed into its own standalone project; it adds compliance testing capabilities.

Testinfra – Testinfra is the Serverspec equivalent in Python, written as a plug-in to the Pytest test engine.