
How to Set Up Automated Compliance Scanning with InSpec

By Admin · Mar 15, 2026 · Updated Apr 23, 2026

Chef InSpec is an open-source framework for testing and auditing your infrastructure against compliance requirements. It lets you write human-readable tests that verify security configurations, making compliance auditing automated and repeatable.

What InSpec Does

  • Tests system configurations against compliance profiles (CIS, STIG, PCI-DSS)
  • Produces audit reports showing pass/fail status for each control
  • Runs locally or against remote targets over SSH or WinRM (Docker containers too), reading the live state of the host rather than a declared desired state
  • Integrates with CI/CD for continuous compliance monitoring

Installation

# Install InSpec with Chef's omnitruck script. Rather than piping it straight
# into sudo bash, download it, read it, then run it from disk.
curl -fsSL https://omnitruck.chef.io/install.sh -o install.sh
sudo bash install.sh -P inspec

# Verify installation
inspec version

# The first run asks you to accept the Chef licence; for unattended runs pass
# --chef-license accept or set CHEF_LICENSE=accept-silent

Running a Community Baseline Scan

# Run the DevSec Linux Baseline straight from Chef Supermarket. The dev-sec
# profiles are community hardening baselines that draw on CIS and similar
# guidance; they are not the official CIS Benchmark profiles, which CIS
# distributes under its own licence terms.
inspec supermarket exec dev-sec/linux-baseline

# The same profile fetched from its GitHub repository
inspec exec https://github.com/dev-sec/linux-baseline

# Scan a remote server over SSH. Most baseline controls read root-only files
# (sshd_config, /etc/shadow, sysctl), so log in as an unprivileged user and
# add --sudo; without it those controls fail for lack of access and tell you
# nothing about the host.
inspec exec https://github.com/dev-sec/linux-baseline \
  -t ssh://deploy@your-server -i ~/.ssh/id_ed25519 --sudo

Writing Custom InSpec Tests

# Create a new profile (scaffolds inspec.yml, a README and controls/example.rb)
inspec init profile my-server-audit

# Put the controls below in controls/server.rb and delete controls/example.rb.
# The sshd_config resource reports what is written in /etc/ssh/sshd_config;
# a setting left at the compiled-in default is absent from the file, and on
# Ubuntu 22.04+ the stock file pulls in /etc/ssh/sshd_config.d/*.conf. The
# value the daemon actually enforces comes from "sshd -T" (root only, so run
# the profile with sudo or --sudo), which the SSH controls cross-check.
control "ssh-1" do
  impact 1.0
  title "SSH should not permit root login"
  desc "Root login via SSH should be disabled"
  describe sshd_config do
    its("PermitRootLogin") { should eq "no" }
  end
  # sshd -T prints keywords in lower case, one per line
  describe command("sshd -T") do
    its("stdout") { should match(/^permitrootlogin no$/) }
  end
end

control "ssh-2" do
  impact 1.0
  title "SSH should use key-based authentication"
  desc "Password authentication over SSH should be disabled"
  describe sshd_config do
    its("PasswordAuthentication") { should eq "no" }
  end
  describe command("sshd -T") do
    its("stdout") { should match(/^passwordauthentication no$/) }
  end
end

control "firewall-1" do
  impact 0.7
  title "UFW should be active"
  # "ufw status" refuses to run as an unprivileged user; checking the exit
  # status separates "firewall inactive" from "could not ask"
  describe command("ufw status") do
    its("exit_status") { should eq 0 }
    its("stdout") { should match(/^Status: active/) }
  end
end

control "updates-1" do
  impact 0.5
  title "Automatic security updates should be enabled"
  # An installed package is not an enabled one: APT::Periodic has to turn the
  # upgrade step on, which on Ubuntu lives in 20auto-upgrades
  describe package("unattended-upgrades") do
    it { should be_installed }
  end
  describe file("/etc/apt/apt.conf.d/20auto-upgrades") do
    it { should exist }
    its("content") { should match(/^APT::Periodic::Unattended-Upgrade "1";/) }
  end
end

Running Your Custom Profile

# Run locally (root is needed for sshd -T, ufw status and similar checks)
sudo inspec exec my-server-audit/

# Run against a remote server as an unprivileged user, escalating with sudo
inspec exec my-server-audit/ -t ssh://deploy@server-ip -i ~/.ssh/id_ed25519 --sudo

# Output as JSON (keep the cli reporter so results still show on screen)
inspec exec my-server-audit/ --reporter cli json:/tmp/results.json

# Output as HTML
inspec exec my-server-audit/ --reporter html:/tmp/report.html

# Exit status: 0 when every control passed, 100 when any control failed,
# 101 when nothing failed but some controls were skipped

Continuous Compliance

# Weekly check from cron. Use /etc/cron.d rather than appending to root's spool
# file, single-quote the entry so $(date ...) expands at run time instead of
# once at echo time, and escape % as \% (a bare % is a newline to cron)
sudo mkdir -p /var/log/compliance
printf '%s\n' 'CHEF_LICENSE=accept-silent' \
  '0 3 * * 0 root inspec exec /opt/audit/my-server-audit --reporter json:/var/log/compliance/$(date +\%Y\%m\%d).json' \
  | sudo tee /etc/cron.d/inspec-audit

# CI/CD integration: run the profile against the host you just deployed as a
# pipeline step; inspec exec exits 100 when any control fails, so the job fails
# with no extra scripting. Keep the report as a build artifact, off the host:
# a report that only lives on the machine it audits can be edited by whoever
# compromises that machine.
inspec exec /opt/audit/my-server-audit -t ssh://deploy@new-host --sudo --reporter cli json:results.json
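A plain "exit 100 on any failure" gate is too blunt for most pipelines: a failed impact-0.5 control should warn, a failed impact-1.0 control should block. The script below is an added example, not code from the original article or from Chef InSpec. It reads the file written by --reporter json:FILE, rolls each control's describe results up to one status the way the CLI summary does, lists why each failure failed, and returns exit code 1 only when a control at or above a chosen impact threshold (0.7 by default here, an assumption) has failed. The embedded report is a constructed sample in the JSON reporter's shape (profiles, controls, results), not real scan output.

```python
"""Gate a CI job on an InSpec JSON report (added example, not InSpec's own code)."""
import json
import sys

# Constructed sample in the shape of the InSpec JSON reporter, trimmed to the
# fields this script reads. Control ids mirror the custom profile above.
SAMPLE_REPORT = json.dumps({
    "platform": {"name": "ubuntu", "release": "22.04"},
    "profiles": [{
        "name": "my-server-audit",
        "controls": [
            {"id": "ssh-1", "title": "SSH should not permit root login", "impact": 1.0,
             "results": [{"status": "passed",
                          "code_desc": "SSHD Configuration PermitRootLogin is expected to eq \"no\""}]},
            {"id": "ssh-2", "title": "SSH should use key-based authentication", "impact": 1.0,
             "results": [{"status": "failed",
                          "code_desc": "SSHD Configuration PasswordAuthentication is expected to eq \"no\"",
                          "message": "\nexpected: \"no\"\n     got: \"yes\"\n"}]},
            {"id": "firewall-1", "title": "UFW should be active", "impact": 0.7,
             "results": [{"status": "failed",
                          "code_desc": "Command: `ufw status` stdout is expected to match /^Status: active/",
                          "message": "expected \"Status: inactive\\n\" to match /^Status: active/"}]},
            {"id": "updates-1", "title": "Automatic security updates should be enabled", "impact": 0.5,
             "results": [{"status": "skipped",
                          "code_desc": "Operating System Detection",
                          "skip_message": "Skipped control due to only_if condition."}]},
        ],
    }],
    "statistics": {"duration": 1.25},
})


def control_status(control):
    """Roll one control's describe results up to a single status.

    Any failed result fails the control, all-skipped is skipped, otherwise
    passed. A control with no results is treated as failed here so that a
    control whose body raised before any describe block ran cannot slip
    through as "not failed" (a fail-closed choice of this script).
    """
    statuses = [r.get("status") for r in control.get("results", [])]
    if not statuses or "failed" in statuses:
        return "failed"
    if all(s == "skipped" for s in statuses):
        return "skipped"
    if all(s in ("passed", "skipped") for s in statuses):
        return "passed"
    return "failed"  # a status this script does not know is treated as a failure


def summarize(report_text, min_impact=0.7):
    """Group control ids by rolled-up status; "blocking" holds the failed
    controls whose impact is at or above min_impact."""
    report = json.loads(report_text)
    summary = {"passed": [], "failed": [], "skipped": [], "blocking": []}
    for profile in report.get("profiles", []):
        for control in profile.get("controls", []):
            status = control_status(control)
            summary[status].append(control["id"])
            if status == "failed" and float(control.get("impact", 0.0)) >= min_impact:
                summary["blocking"].append(control["id"])
    return summary


def failure_details(report_text):
    """(control id, impact, message) for every failed describe result, so the
    CI log says why a control failed and not only that it did."""
    report = json.loads(report_text)
    details = []
    for profile in report.get("profiles", []):
        for control in profile.get("controls", []):
            for result in control.get("results", []):
                if result.get("status") == "failed":
                    message = result.get("message") or result.get("code_desc", "")
                    details.append((control["id"], float(control.get("impact", 0.0)), message.strip()))
    return details


def gate(report_text, min_impact=0.7):
    """Exit code for the CI step: 0 when no control at or above min_impact
    failed, 1 otherwise. Lower-impact failures are reported, not fatal."""
    return 1 if summarize(report_text, min_impact)["blocking"] else 0


if __name__ == "__main__":
    # Usage: python gate_inspec.py /tmp/results.json [min_impact]
    # With no arguments it runs against the constructed sample above.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    threshold = float(sys.argv[2]) if len(sys.argv) > 2 else 0.7
    summary = summarize(text, threshold)
    for cid, impact, message in failure_details(text):
        print(f"FAILED {cid} (impact {impact}): {message}")
    print(f"passed={len(summary['passed'])} failed={len(summary['failed'])} "
          f"skipped={len(summary['skipped'])} blocking={summary['blocking']}")
    sys.exit(gate(text, threshold))
```

Run it as the step after `inspec exec ... --reporter cli json:results.json`; because inspec itself exits 100 on any failure, either let the pipeline ignore that exit status and rely on this gate, or run inspec with a shell `|| true` guard so the threshold decides. Skipped controls are counted but never block: a control that did not run is not evidence either way, and a rising skipped count is its own thing to watch.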

Available Profiles

  • dev-sec/linux-baseline — General Linux hardening
  • dev-sec/ssh-baseline — SSH configuration
  • dev-sec/nginx-baseline — Nginx security
  • dev-sec/mysql-baseline — MySQL security
  • dev-sec/postgres-baseline — PostgreSQL security
