Install & first scan
inspec exec against a target.
InSpec installs as a Ruby-based CLI (or via the Chef Workstation bundle, or a container). The core command is inspec exec, which runs a profile or a single control file against a target. The simplest run points at a control file and the local machine; from there you add a target (a remote host over SSH, a container, a cloud account). The output tells you, per control, what passed, failed, or was skipped.
$ inspec version5.22.x$ inspec exec ssh-hardening.rb # run a control file against localhostProfile: tests from ssh-hardening.rb✔ sshd should not permit root login✘ sshd should disable password authenticationexpected "yes" to eq "no"Test Summary: 1 successful, 1 failure, 0 skipped
Try it interactively
The fastest way to learn is inspec shell, an interactive REPL where you can explore resources against a live target — type file(‘/etc/ssh/sshd_config’).content or port(22).listening? and see the real answer immediately. This is invaluable when writing a control: you probe the system to discover what to assert before you write the assertion. It is the InSpec equivalent of the OPA REPL or a language console.
$ inspec shellinspec> package('openssh-server').installed?=> trueinspec> sshd_config.params['PermitRootLogin']=> "no"inspec> port(22).listening?=> true