Open Source

Automate the validation of compliance & security in any environment, on any platform.

Security and compliance don’t need to slow you down

InSpec is Chef’s open-source language for describing security & compliance rules that can be shared between software engineers, operations, and security engineers. Your compliance, security, and other policy requirements become automated tests that can be run against traditional servers, containers, and cloud APIs alike, ensuring consistent standards are enforced in every environment you manage, at every stage of development.

Compliance for every environment and every team

In traditional compliance and security auditing, compliance officers, security professionals, operators, and software engineers often use completely different tools to define and validate systems. This results in tedious, manual compliance processes that are often only executed right before changes are promoted to production. When these evaluations are delayed, details are easy to miss, and any issues identified run the risk of delaying a product release. The end result is often missed deadlines, long hours spent on frustrating re-work, budget overruns, and at worst, uncaptured vulnerabilities in production.

With InSpec, compliance can be evaluated consistently and continuously at every stage of product development, ensuring that issues are captured early, and solved problems don’t resurface. Because the InSpec language is easy to learn, and human-readable by design, it can be used across teams to ensure a unified understanding of your environments’ compliance. InSpec results are weighted for easy prioritization, and exportable into popular formats like JSON and JUnit.



Easily Assess Security and Compliance

Transform your requirements into versioned, executable, human-readable code. Organize your tests into composable profiles that allow you to define and customize exceptions as needed.

Detect Issues and Prioritize Remediation

InSpec’s agentless detect mode helps you quickly assess, at scale, your exposure level. And built-in metadata for impact/severity scoring helps determine what areas to focus on for remediation.

Inspect Machines, Data, and new SaaS APIs

InSpec’s cloud API compliance capabilities let you make both coarse and fine-grained assertions about your cloud compliance and report on it continuously.

Satisfy Audits Any Time and Make Them Painless

Answer audit questions at any time, not just quarterly or yearly. Enter an audit cycle knowing your exact compliance posture, instead of being surprised by an auditor’s findings.

Reduce Ambiguity and Miscommunication Around Rules

Documents leave configurations and processes open to interpretation. Executable code removes conversations about what should be assessed in favor of tangible tests with clear intent.

Keep up with Rapidly Changing Threat and Compliance Landscapes

With InSpec you can write and publish detection code the same day and write new rules in quick response to new regulations. Changes in threats or regulations no longer mean emergencies.

Augment your compliance with Chef Automate

Visual reports and trends for compliance across your estate


Chef Automate transforms your InSpec audits into web-accessible compliance reports, providing an aggregated overview of your environments’ compliance status and trend graphs for tracking historical data. When combined with Automate’s library of preloaded compliance profiles, in-GUI agentless scans of server and cloud endpoints, and a fully auditable scan history for each system you manage, Automate ensures you maintain visibility into the compliance of your entire estate.
