diff --git a/README.md b/README.md
index a6db9a4..9f9c1e5 100644
--- a/README.md
+++ b/README.md
@@ -68,6 +68,22 @@
     verifier:
       output: path/to/results/%{platform}_%{suite}_inspec.xml
 ```
+You can also decide to only run specific controls, instead of a full profile. This is done by specifying a list of controls:
+
+```
+suites:
+  - name: supermarket
+    run_list:
+      - recipe[apt]
+      - recipe[ssh-hardening]
+    verifier:
+      inspec_tests:
+        - name: dev-sec/ssh-baseline
+      controls:
+        - sshd-46
+...
+```
+
 ### Directory Structure
 
 By default `kitchen-inspec` expects test to be in `test/integration/%suite%` directory structure (we use Chef as provisioner here):
diff --git a/lib/kitchen/verifier/inspec.rb b/lib/kitchen/verifier/inspec.rb
index 87d5e6b..82cb5f4 100644
--- a/lib/kitchen/verifier/inspec.rb
+++ b/lib/kitchen/verifier/inspec.rb
@@ -186,6 +186,7 @@ def runner_options(transport, state = {}, platform = nil, suite = nil) # rubocop
           runner_options["format"] = config[:format] unless config[:format].nil?
           runner_options["output"] = config[:output] % { platform: platform, suite: suite } unless config[:output].nil?
           runner_options["profiles_path"] = config[:profiles_path] unless config[:profiles_path].nil?
+          runner_options[:controls] = config[:controls]
         end
       end
 
diff --git a/spec/kitchen/verifier/inspec_spec.rb b/spec/kitchen/verifier/inspec_spec.rb
index fe722c9..3b97b4c 100644
--- a/spec/kitchen/verifier/inspec_spec.rb
+++ b/spec/kitchen/verifier/inspec_spec.rb
@@ -203,6 +203,20 @@
       verifier.call(port: 123)
     end
 
+    it "constructs an Inspec::Runner with a controls filter" do
+      config[:controls] = %w{a control}
+
+      expect(Inspec::Runner).to receive(:new)
+        .with(
+          hash_including(
+            controls: %w{a control}
+          )
+        )
+        .and_return(runner)
+
+      verifier.call(port: 123)
+    end
+
     it "provide platform and test suite to build output path" do
       allow(Inspec::Runner).to receive(:new).and_return(runner)
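Review bot: The added `runner_options[:controls] = config[:controls]` in lib/kitchen/verifier/inspec.rb is assigned unconditionally, so a suite that sets no `controls` still passes an explicit `controls: nil` to the runner, whereas the three neighbouring options are only set `unless config[...].nil?`. Whether the runner treats a nil value the same as an absent key is not visible from this hunk, so I would keep the sibling pattern and write `runner_options[:controls] = config[:controls] unless config[:controls].nil?`, which also keeps the runner call identical for every existing kitchen.yml. The new key is a symbol while the surrounding keys are strings; the spec hunk asserts the symbol form, so that is presumably what the runner expects, but a one-line comment such as `# runner reads :controls as a symbol key, unlike the string-keyed options above` would stop the next edit from "fixing" it. runner_options begins before this hunk, so I could not check whether `config[:controls]` has a declared default or is validated as an array.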