Difference between revisions of "Inspec exec --help"
Jump to navigation
Jump to search
(Created page with "<pre> inspec exec --help Usage: inspec exec LOCATIONS Options: t, [--target=TARGET] # Simple targeting option using...") |
|||
Line 1: | Line 1: | ||
+ | [[inspec exec]] --help | ||
+ | |||
<pre> | <pre> | ||
− | |||
Usage: | Usage: | ||
inspec exec LOCATIONS | inspec exec LOCATIONS |
Latest revision as of 06:01, 27 July 2021
inspec exec --help
Usage: inspec exec LOCATIONS Options: t, [--target=TARGET] # Simple targeting option using URIs, e.g. ssh://user:pass@host:port b, [--backend=BACKEND] # Choose a backend: local, ssh, winrm, docker. [--host=HOST] # Specify a remote host which is tested. p, [--port=N] # Specify the login port for a remote scan. [--user=USER] # The login user for a remote scan. [--password=PASSWORD] # Login password for a remote scan, if required. [--enable-password=ENABLE_PASSWORD] # Password for enable mode on Cisco IOS devices. i, [--key-files=one two three] # Login key or certificate file for a remote scan. [--path=PATH] # Login path to use when connecting to the target (WinRM). [--sudo], [--no-sudo] # Run scans with sudo. Only activates on Unix and non-root user. [--sudo-password=SUDO_PASSWORD] # Specify a sudo password, if it is required. [--sudo-options=SUDO_OPTIONS] # Additional sudo options for a remote scan. [--sudo-command=SUDO_COMMAND] # Alternate command for sudo. [--shell], [--no-shell] # Run scans in a subshell. Only activates on Unix. [--shell-options=SHELL_OPTIONS] # Additional shell options. [--shell-command=SHELL_COMMAND] # Specify a particular shell to use. [--ssl], [--no-ssl] # Use SSL for transport layer encryption (WinRM). [--self-signed], [--no-self-signed] # Allow remote scans with self-signed certificates (WinRM). [--winrm-transport=WINRM_TRANSPORT] # Specify which transport to use, defaults to negotiate (WinRM). # Default: negotiate [--winrm-disable-sspi], [--no-winrm-disable-sspi] # Whether to use disable sspi authentication, defaults to false (WinRM). [--winrm-basic-auth-only], [--no-winrm-basic-auth-only] # Whether to use basic authentication, defaults to false (WinRM). [--config=CONFIG] # Read configuration from JSON file (`-` reads from stdin). [--proxy-command=PROXY_COMMAND] # Specifies the command to use to connect to the server [--bastion-host=BASTION_HOST] # Specifies the bastion host if applicable [--bastion-user=BASTION_USER] # Specifies the bastion user if applicable [--bastion-port=BASTION_PORT] # Specifies the bastion port if applicable [--insecure], [--no-insecure] # Disable SSL verification on select targets [--target-id=TARGET_ID] # Provide a ID which will be included on reports [--winrm-shell-type=WINRM_SHELL_TYPE] # Specify a shell type for winrm (eg. 'elevated' or 'powershell') # Default: powershell [--docker-url=DOCKER_URL] # Provides path to Docker API endpoint (Docker) [--profiles-path=PROFILES_PATH] # Folder which contains referenced profiles. [--vendor-cache=VENDOR_CACHE] # Use the given path for caching dependencies. (default: ~/.inspec/cache) [--controls=one two three] # A list of control names to run, or a list of /regexes/ to match against control names. Ignore all other tests. [--reporter=one two:/output/file/path] # Enable one or more output reporters: cli, documentation, html, progress, json, json-min, json-rspec, junit, yaml [--reporter-message-truncation=REPORTER_MESSAGE_TRUNCATION] # Number of characters to truncate failure messages and code_desc in report data to (default: no truncation) [--reporter-backtrace-inclusion], [--no-reporter-backtrace-inclusion] # Include a code backtrace in report data (default: true) [--input=name1=value1 name2=value2] # Specify one or more inputs directly on the command line, as --input NAME=VALUE. Accepts single-quoted YAML and JSON structures. [--input-file=one two three] # Load one or more input files, a YAML file with values for the profile to use [--waiver-file=one two three] # Load one or more waiver files. [--attrs=one two three] # Legacy name for --input-file - deprecated. [--create-lockfile], [--no-create-lockfile] # Write out a lockfile based on this execution (unless one already exists) [--backend-cache], [--no-backend-cache] # Allow caching for backend command output. (default: true) [--show-progress], [--no-show-progress] # Show progress while executing tests. [--distinct-exit], [--no-distinct-exit] # Exit with code 101 if any tests fail, and 100 if any are skipped (default). If disabled, exit 0 on skips and 1 for failures. # Default: true [--silence-deprecations=[all]|[GROUP GROUP...]] # Suppress deprecation warnings. See install_dir/etc/deprecations.json for list of GROUPs or use 'all'. [--diff], [--no-diff] # Use --no-diff to suppress 'diff' output of failed textual test results. # Default: true [--sort-results-by=--sort-results-by=none|control|file|random] # After normal execution order, results are sorted by control ID, or by file (default), or randomly. None uses legacy unsorted mode. # Default: file [--filter-empty-profiles], [--no-filter-empty-profiles] # Filter empty profiles (profiles without controls) from the report. [--command-timeout=N] # Maximum seconds to allow commands to run during execution. [--reporter-include-source], [--no-reporter-include-source] # Include full source code of controls in the CLI report l, [--log-level=LOG_LEVEL] # Set the log level: info (default), debug, warn, error [--log-location=LOG_LOCATION] # Location to send diagnostic log messages to. (default: $stdout or Inspec::Log.error) [--diagnose], [--no-diagnose] # Show diagnostics (versions, configurations) [--color], [--no-color] # Use colors in output. [--interactive], [--no-interactive] # Allow or disable user interaction [--disable-user-plugins] # Disable loading all plugins that the user installed. [--enable-telemetry], [--no-enable-telemetry] # Allow or disable telemetry [--chef-license=CHEF_LICENSE] # Accept the license for this product and any contained products: accept, accept-no-persist, accept-silent Description: Run all test files at the specified LOCATIONS. Loads the given profile(s) and fetches their dependencies if needed. Then connects to the target and executes any controls contained in the profiles. One or more reporters are used to generate output. ``` Exit codes: 0 Normal exit, all tests passed 1 Usage or general error 2 Error in plugin system 3 Fatal deprecation encountered 100 Normal exit, at least one test failed 101 Normal exit, at least one test skipped but none failed 172 Chef License not accepted ``` Below are some examples of using `exec` with different test LOCATIONS: Automate: ``` inspec automate login inspec exec compliance://username/linux-baseline ``` `inspec compliance` is a backwards compatible alias for `inspec automate` and works the same way: ``` inspec compliance login ``` Supermarket: ``` inspec exec supermarket://username/linux-baseline ``` Local profile (executes all tests in `controls/`): ``` inspec exec /path/to/profile ``` Local single test (doesn't allow inputs or custom resources) ``` inspec exec /path/to/a_test.rb ``` Git via SSH ``` inspec exec [email protected]:dev-sec/linux-baseline.git ``` Git via HTTPS (.git suffix is required): ``` inspec exec https://github.com/dev-sec/linux-baseline.git ``` Private Git via HTTPS (.git suffix is required): ``` inspec exec https://[email protected]/dev-sec/linux-baseline.git ``` Private Git via HTTPS and cached credentials (.git suffix is required): ``` git config credential.helper cache git ls-remote https://github.com/dev-sec/linux-baseline.git inspec exec https://github.com/dev-sec/linux-baseline.git ``` Web hosted fileshare (also supports .zip): ``` inspec exec https://webserver/linux-baseline.tar.gz ``` Web hosted fileshare with basic authentication (supports .zip): ``` inspec exec https://username:password@webserver/linux-baseline.tar.gz ```
See also[edit]
Advertising: