An Introduction to Chef InSpec Waivers

What Are Waivers?

Chef InSpec provides a comprehensive solution for companies to reach continuous compliance. Companies wishing to maintain compliance within DISA or CIS standards use Chef InSpec to audit their endpoints, Chef Automate to view the collective compliance posture of their fleet, and Chef Infra to remediate the problems that are found by InSpec.

The idea of skipping controls isn’t new to InSpec users. The drawback of skipping controls, however, is that there is no documentation trail. This leaves users with no way of knowing the purpose of the skip or how long ago it was implemented. Exceptions to a company's compliance posture have major ramifications during audits, so in order to maintain operational continuity, these exceptions should be accounted for. Waivers within InSpec fix this issue. 

Waivers enable the user to provide justification for skipping controls with which they are knowingly not in compliance. An end date can optionally be configured as part of the waiver. This allows the user to track when a control is expected to be remediated. In the event that a control is not relevant, the end date can be left blank, making the waiver permanent.

How To Set Waivers?

Waiver files are input files and are included in your `inspec exec` run with the new `--waiver-file` argument. Each waiver can set the following fields:

  • expiration_date - This is optional. When it is left blank the waiver is permanent.
  • run - When false, the control will not be run. When true, the control will run and be reported, but failures in it won’t make the overall run fail. 
  • justification - Can be any text you want and should include a reason as well as who signed off on the waiver.
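
A waiver file is YAML that maps each control ID to the fields above. The Ruby sketch below is an added example, not code from Chef or from this post: it reviews a waiver file for the gaps an auditor would ask about (no justification, an end date that has passed). The control IDs, dates, names and the `audit_waivers` helper are constructed for illustration.

```ruby
require 'yaml'
require 'date'

# Constructed sample waiver file; control IDs, dates and names are made up.
SAMPLE_WAIVERS = <<~YAML
  ssh-legacy-ciphers:
    expiration_date: 2021-03-31
    run: true
    justification: "Vendor patch pending, approved by J. Doe (security lead)"
  ipv6-disabled:
    run: false
    justification: "Hosts have no IPv6 interfaces, approved by CISO office"
  audit-log-retention:
    expiration_date: 2020-01-15
    run: false
    justification: ""
YAML

# Review each waiver as of `today`; returns one finding hash per control.
def audit_waivers(yaml_text, today)
  waivers = YAML.safe_load(yaml_text, permitted_classes: [Date]) || {}
  waivers.map do |control_id, waiver|
    waiver ||= {}
    problems = []
    raw = waiver['expiration_date']
    expires = nil
    begin
      # Unquoted YAML dates load as Date objects; quoted ones arrive as strings.
      expires = raw.is_a?(Date) ? raw : Date.parse(raw.to_s) unless raw.to_s.strip.empty?
    rescue ArgumentError
      problems << "unparseable expiration_date #{raw.inspect}"
    end
    status =
      if problems.any? then :invalid
      elsif expires.nil? then :permanent # blank end date: the waiver never lapses
      elsif expires < today then :expired
      else :active
      end
    problems << 'missing justification' if waiver['justification'].to_s.strip.empty?
    problems << 'end date has passed' if status == :expired
    { control: control_id, status: status, expires: expires, run: waiver['run'], problems: problems }
  end
end

if __FILE__ == $PROGRAM_NAME
  audit_waivers(SAMPLE_WAIVERS, Date.new(2020, 6, 1)).each do |f|
    note = f[:problems].empty? ? 'ok' : f[:problems].join('; ')
    puts format('%-22s %-10s %s', f[:control], f[:status], note)
  end
end
```

Running a check like this in CI before the waiver file reaches `inspec exec --waiver-file` keeps permanent and lapsed waivers visible to reviewers.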

Learn more

For more information about how to get started with waivers, check out the docs and the livestream episode our team recently did on the topic. Also, join our Community Slack to get answers to any questions that you may have. 

Kiah Tolliver

Kiah Tolliver was the Developer Advocate at Chef.