Test yourself
InSpec
Final exam · 14 questions · answers explained as you pick
Beginner
4 questions
01InSpec expresses…
Incorrect — that is IaC; InSpec verifies state.
Correct — the control is both the requirement and the test.
Incorrect — no.
Incorrect — no.
02How does InSpec differ from Checkov?
Correct — “is it actually configured right now?” vs “does the code declare it right?”
Incorrect — they answer different questions.
Incorrect — no — it verifies, it does not create or fix.
Incorrect — Checkov is static, pre-deploy.
03A key limitation of InSpec is that it…
Incorrect — it can, via cloud transports.
Incorrect — it targets remote/containers/cloud too.
Correct — InSpec is the test; Ansible/Chef/Puppet is the fix.
Incorrect — SSH/WinRM scanning is agentless.
04A skipped control means…
Incorrect — no — skip is not pass.
Correct — lots of skips = little actually checked, even with no failures.
Incorrect — skip is distinct from fail.
Incorrect — InSpec does not remediate.
4 questions · explanations appear as you answer
Intermediate
5 questions
01For config values, the lenient comparison matcher that avoids type/format false-negatives is…
Correct — e.g. its('mode') { should cmp '0644' } works whether mode is a string or int.
Incorrect — eq is strict and trips on type mismatches.
Incorrect — not a matcher.
Incorrect — include is for collections, not this problem.
02You should prefer format-aware resources (sshd_config, json, ini) over command('grep …') because…
Incorrect — speed is not the point.
Correct — reserve command for genuinely unsupported checks.
Incorrect — it is allowed, just fragile.
Incorrect — no.
03Inputs (attributes) in a profile let you…
Incorrect — that is skip_control/waivers.
Incorrect — no.
Correct — defaults in inspec.yml, overridden with --input at run time.
Incorrect — no.
04The overlay/inheritance pattern lets you…
Correct — consume upstream updates; your overlay stays small and reviewable.
Incorrect — the opposite — overlays avoid forking.
Incorrect — no.
Incorrect — no.
05InSpec can target…
Incorrect — it targets much more.
Correct — one control language across hosts, containers, and cloud.
Incorrect — no.
Incorrect — no.
5 questions · explanations appear as you answer
Advanced
5 questions
01A waiver in InSpec should always include…
Correct — a waiver without an expiry is a permanent silent exception.
Incorrect — that is a bare skip; waivers add accountability.
Incorrect — no.
Incorrect — no.
02An InSpec report is trustworthy evidence only if…
Incorrect — that destroys its integrity.
Correct — provenance is what makes it evidence, not an assertion.
Incorrect — failures/waivers are part of honest evidence.
Incorrect — format is irrelevant to trust.
03For InSpec in CI, the right gating approach is…
Incorrect — blocks pipelines on trivia; teams disable it.
Incorrect — makes the gate meaningless.
Correct — block what matters, keep accepted risks explicit.
Incorrect — theatre — nothing is enforced.
04Relative to InSpec, OpenSCAP is…
Correct — prefer it where SCAP/certified scanners are mandated.
Incorrect — no.
Incorrect — different approach and content model.
Incorrect — no.
05A green InSpec run means…
Incorrect — no — compliance is a floor, not proof of security.
Correct — baselines lag threats; controls can be waived.
Incorrect — waivers can still be present.
Incorrect — InSpec does not remediate.
5 questions · explanations appear as you answer