Install & first scan

inspec exec against a target.

Intermediate10 min · lesson 2 of 12

InSpec installs as a Ruby-based CLI (or via the Chef Workstation bundle, or a container). The core command is inspec exec, which runs a profile or a single control file against a target. The simplest run points at a control file and the local machine; from there you add a target (a remote host over SSH, a container, a cloud account). The output tells you, per control, what passed, failed, or was skipped.

terminal
$ inspec version
5.22.x
$ inspec exec ssh-hardening.rb # run a control file against localhost
Profile: tests from ssh-hardening.rb
✔ sshd should not permit root login
✘ sshd should disable password authentication
expected "yes" to eq "no"
Test Summary: 1 successful, 1 failure, 0 skipped

Try it interactively

The fastest way to learn is inspec shell, an interactive REPL where you can explore resources against a live target — type file(‘/etc/ssh/sshd_config’).content or port(22).listening? and see the real answer immediately. This is invaluable when writing a control: you probe the system to discover what to assert before you write the assertion. It is the InSpec equivalent of the OPA REPL or a language console.

terminal
$ inspec shell
inspec> package('openssh-server').installed?
=> true
inspec> sshd_config.params['PermitRootLogin']
=> "no"
inspec> port(22).listening?
=> true
Run against the right target — local vs remote differ
inspec exec with no target runs against the machine you are on, which is fine for testing but not what you usually want — you mean to check a remote server or a container. Always pass an explicit target (-t ssh://..., docker://..., an AWS profile) for real scans, and confirm the report’s target matches your intent; a profile that “passes” because it silently checked your laptop is a dangerous false positive.