We’re so thrilled to release InSpec 2.0 to our amazing community. This is our first major version update in over a year so we’d like to inform you of the great improvements and impactful changes this new version brings.
New in 2.0: AWS and Azure Cloud Resources
InSpec now supports testing configurations for cloud provider platforms such as AWS or Azure. There are 30 new resources, such as aws_s3_bucket and azure_virtual_machine, to get you started writing compliance rules!
New in 2.0: Unique Exit Codes
InSpec will now exit with a unique exit code depending on the status of the controls and tests that were executed. The new exit codes are:
- 0: Successful run and no test failures found.
- 100: Successful run, test failures were found.
- 101: Successful run, no test failures, but test skips were found.
- anything else: An error occurred while running InSpec, such as a syntax issue, or a failure to find the specified profile.
This will make it easier to insert InSpec into a CI/CD pipeline and, for example, let you choose whether test skips are worthy of halting your pipeline.
New in 2.0: http resource uses remote worker by default on remote targets
In 1.x, we introduced the ability to enable a “remote worker” when using the http resource when scanning a remote machine. However, this was opt-in behavior as many users were relying on the HTTP calls originating from the host on which InSpec was running.
This behavior is no longer opt-in and now matches the expected behavior of all other InSpec resources: when scanning a remote machine, the tests should originate from the machine being scanned.
Example:
# 1.X
describe http('http://www.example.com', enable_remote_worker: true) do
its('body') { should cmp 'awesome' }
end
# 2.0
describe http('http://www.example.com') do
its('body') { should cmp 'awesome' }
end
Breaking Change: Values in time fields are now in RFC3339 format
If you use the json reporter in your InSpec runs, the values in time fields are now formatted using the well-known RFC3339 format (example: 2018-01-23T16:11:18-05:00) instead of Ruby’s string representation of a Time object (example: 2018-01-23 16:11:18 -0500).
Breaking Change: Removal of the top-level “controls” field in json reports
If you use the json reporter in your InSpec runs, the top-level controls field has been removed. All the data is still available within the controls field found within each profile object in the report.
Breaking Change: ‘/’ characters not permitted in profile names
In order to standardize a naming convention for profiles stored in Chef Automate and avoid confusion when profiles are stored in other directory-based locations, the / character is no longer permitted in a profile’s name (as defined in the profile’s inspec.yml file).
Breaking Change: OS names are always lowercase
In InSpec 1.x, OS names were potentially returns in mixed case, such as Windows Server 2008 R2 and therefore, when used in profiles, would need to match that case. For example:
only_if { os.name == 'Windows Server 2008 R2' }
Beginning with InSpec v1.49.2, OS names have been standardized as all lowercase when underscores instead of spaces. For example, Windows Server 2008 R2 becomes windows_server_2008_r2. InSpec v1.49.2 and earlier performed any translation necessary in profiles to ensure the comparison would work and a warning was emitted to inform users of the change.
This translation and warning has been removed and any profile performing a comparison against the OS name will need to be updated to use the new lowercase format.
Breaking Change: Missing requirements for resources now triggers a failure instead of a skip
In order for many resources to execute tests properly, certain requirements must exist. For example, to test a configuration setting of an nginx configuration value, the nginx configuration file must exist. Currently, many resources will simply “skip” the test if the requirement is not met. In principal, this is suboptimal as InSpec was not able to successfully execute the test as written. Therefore, resources have been updated to fail instead of skip when a requirement is not met.
Users wishing to retain the existing behavior can use an only_if condition to skip the control based on a particular requirement. For example:
conf_file = '/var/opt/mysite/etc/nginx.conf'
control 'nginx-1' do
describe nginx_conf(conf_file) do
its('some_setting') { should cmp 1 }
end
only_if { file(conf_file).exist? }
end
Removed Deprecations
The following features were deprecated in InSpec 1.x and are now no longer available in InSpec 2.0:
- The
inspec compliance login_automatecommand has been removed. Useinspec compliance logininstead. - The
assignment_reoption for theSimpleConfigutility, used by theparse_configandparse_config_fileresources, is removed. Useassignment_regexinstead. - The
key_valsoption for theSimpleConfigutility, used by theparse_configandparse_config_fileresources, is removed. Usekey_valuesinstead. - The
--cacheflag forinspec exechas been removed. Use--vendor-cacheinstead. - The
auditd_rulesresource has been removed. Use theauditdorauditd_confresource instead. - The following properties on the
passwdresource have been removed:-
count(useentries.lengthinstead) -
usernames(useusersinstead) -
username(useusersinstead) -
uid(useuidsinstead)
-
Additionally, the following global matchers have been removed:
-
contain_legacy_plus(this was intended to be removed in InSpec 1.0 but was missed) -
contain_match(this was intended to be removed in InSpec 1.0 but was missed) -
contain_duplicates(this was intended to be removed in InSpec 1.0 but was missed) with_versionbelong_to_groupbelong_to_primary_groupcontain
Many of these matchers has a more appropriate resource-specific property that should be used instead. For example, in the package resource, instead of using with_version, a test can be written as: its('version') { should cmp '1.2.3' }
For more information about InSpec 2.0 please visit our website at https://www.inspec.io/
You can find v2.0.17 at downloads.chef.io, RubyGems, Habitat Builder, and Docker Hub.
Thanks,
Jared