mirror of
https://github.com/inspec/inspec
synced 2024-12-12 14:22:38 +00:00
0f05d7133e
Signed-off-by: Ryan Davis <zenspider@chef.io>
Waivers (beta)
Waivers are a mechanism to mark controls as "waived" for various reasons, and to control the running and/or reporting of those controls. The mechanism uses a YAML input file that identifies:
- which controls are waived
- a description of why each control is waived
- (optionally) whether the control should be skipped from running
- (optionally) an expiration date for the waiver
NOTE: This mechanism is currently in beta and is intended to be ingested and maintained by Chef Automate UI.
Usage
To use waivers, you must have a correctly formatted input file and invoke inspec exec with --waiver-file [path].
% inspec exec --waiver-file waivers.yaml path/to/profile
File Format
Waiver files are input files with a specific format:
control_id:
  expiration_date: YYYY-MM-DD
  skip: true
  justification: "reason for waiving this control"
- expiration_date is optional. Absence means the waiver is permanent.
- skip is optional. Absence means the control will run and be reported, but failures in it won't make the overall run fail.
- justification can be any text you want and might include a reason as well as who signed off on the waiver.
Examples:
waiver_control_1_2_3:
  expiration_date: 2019-09-15
  justification: Not needed until Q3. @secteam
xccdf_org.cisecurity.benchmarks_rule_1.1.1.4_Ensure_mounting_of_hfs_filesystems_is_disabled:
  expiration_date: 2020-03-01
  justification: "This might be a bug in the test. @qateam"
  skip: true
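Because a waiver without expiration_date is permanent, waiver files are worth reviewing before each run. The following is an added example, not part of InSpec: a Ruby check that flags expired, permanent, unjustified or misspelled waiver entries against the keys listed under File Format. The names audit_waivers and review_entry, the sample control ids and the wording of the findings are assumptions made for illustration.

```ruby
require 'yaml'
require 'date'

# Keys documented in the File Format section of this page.
KNOWN_KEYS = %w[expiration_date skip justification].freeze

# Constructed sample waiver file (control ids are made up).
SAMPLE = <<~WAIVERS
  control_ok:
    expiration_date: 2031-01-01
    skip: true
    justification: "Compensating control in place. @secteam"
  control_expired:
    expiration_date: 2019-09-15
    justification: Not needed until Q3. @secteam
  control_typo:
    expiry_date: 2020-03-01
    justification: ""
WAIVERS

# Findings for one waiver entry; an empty array means nothing to review.
def review_entry(entry, today)
  return ['entry is not a mapping'] unless entry.is_a?(Hash)
  out = []
  unknown = entry.keys.map(&:to_s) - KNOWN_KEYS
  out << "unknown keys: #{unknown.join(', ')}" unless unknown.empty?
  out << 'missing justification' if entry['justification'].to_s.strip.empty?
  exp = entry['expiration_date']
  if exp.nil?
    out << 'permanent waiver (no expiration_date)'
  elsif !exp.is_a?(Date)
    out << "expiration_date is not YYYY-MM-DD: #{exp.inspect}"
  elsif exp < today
    out << "expired on #{exp}"
  end
  skip = entry['skip']
  out << 'skip must be true or false' unless [nil, true, false].include?(skip)
  out
end

# Returns { control_id => [findings] } for the waivers that need attention.
# safe_load only materialises plain data plus Date (unquoted YYYY-MM-DD).
def audit_waivers(yaml_text, today: Date.today)
  waivers = YAML.safe_load(yaml_text, permitted_classes: [Date]) || {}
  raise ArgumentError, 'waiver file must be a mapping' unless waivers.is_a?(Hash)
  waivers.to_h { |id, entry| [id, review_entry(entry, today)] }
         .reject { |_id, findings| findings.empty? }
end

audit_waivers(SAMPLE).each { |id, f| puts "#{id}: #{f.join('; ')}" } if __FILE__ == $PROGRAM_NAME
```

A misspelled key such as expiry_date is reported twice over: once as an unknown key and once as a permanent waiver, since the intended expiration would not be read under that name.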