A Test Kitchen verifier for Cinc Auditor.
Cinc Auditor gems are published from the CINC RubyGems server, so include that source in your bundle:
source "https://rubygems.org"
source "https://rubygems.cinc.sh" do
gem "cinc-auditor-bin"
end
gem "kitchen-cinc-auditor"verifier:
name: cinc_auditorThe verifier follows the kitchen-inspec interface where Cinc Auditor exposes the same runtime API.
This gem targets Ruby 3.4 or newer, matching the Ruby line used by Chef Workstation 26.
The runtime dependency is cinc-auditor-bin from the CINC RubyGems server. Cinc Auditor still exposes a compatible Inspec Ruby namespace internally; this verifier loads the Cinc distribution shim and keeps that namespace use isolated behind its runtime adapter.
By default, suite tests are loaded from test/integration/<suite>.
test
integration
default
controls
example.rb
inspec.yml
For cookbook-style layouts, test/recipes is preferred when it exists. When a suite includes tests for other frameworks, place the Cinc Auditor profile under test/integration/<suite>/inspec, matching the upstream kitchen-inspec layout that Cinc Auditor supports.
test
integration
default
inspec
controls
example.rb
serverspec
example_spec.rb
SSH, WinRM, Exec, Dokken, and Docker CLI transports are supported. Host and port normally come from Test Kitchen state, but can be overridden:
verifier:
name: cinc_auditor
host: 192.168.56.40
port: 22SSH sudo, proxy, and forwarding settings are passed through to the Cinc Auditor runner:
verifier:
name: cinc_auditor
sudo: true
sudo_command: sudo -E
sudo_options: -H
proxy_command: ssh gateway -W %h:%p
forward_agent: trueLocal, URL, Git, Supermarket, and Compliance profile references are accepted through inspec_tests, matching the profile target shapes accepted by inspec exec.
suites:
- name: default
verifier:
inspec_tests:
- path: test/integration/default
- url: https://example.test/profile.zip
- git: https://github.com/dev-sec/tests-ssh-hardening.git
- name: hardening/ssh-hardening
- compliance: base/ssh
controls:
- sshd-46If both local suite tests and configured profiles exist, local suite tests are added first and configured inspec_tests are added afterward. Duplicate local paths are deduplicated.
Inline inputs and input files are passed to Cinc Auditor using the current runtime option names. Legacy attributes and attrs aliases are no longer supported; use inputs and input_files.
verifier:
name: cinc_auditor
inputs:
user: bob
debug: false
input_files:
- test/integration/profile-inputs.yml
waiver_files:
- test/integration/waivers.ymlReporter and output paths support %{platform} and %{suite} replacements.
verifier:
name: cinc_auditor
reporter:
- cli
- junit:path/to/results/%{platform}_%{suite}_cinc_auditor.xml
output: /tmp/%{platform}_%{suite}.json
format: json
profiles_path: /tmp/cinc-auditor-profilesPlugins are loaded by default before Cinc Auditor config validation. Plugin config is merged when the installed Cinc Auditor runtime supports it.
verifier:
name: cinc_auditor
load_plugins: true
plugin_config:
example_plugin:
example_setting: valueInput caching follows the compatible Cinc Auditor input registry behavior:
verifier:
name: cinc_auditor
cache_inputs: falseBackend command/file caching is enabled by default and can be disabled:
verifier:
name: cinc_auditor
backend_cache: falseChef license key settings are intentionally not forwarded. Cinc Auditor does not need them.
Run the full local check suite through mise:
mise run testThat task runs the RSpec suite, RuboCop, a syntax check for the verifier entrypoint, and RubyCritic. CI and release workflows run those checks as separate jobs so RSpec, RuboCop, and syntax can run in parallel; RubyCritic runs after RSpec and consumes the SimpleCov result artifact. The local and CI harnesses target Ruby 3.4 to match Chef Workstation 26.
The spec task writes SimpleCov output to coverage/, including coverage/.resultset.json. The RubyCritic task consumes that coverage data and enforces a minimum score of 70:
mise run rubycriticReleases are managed by release-please. Conventional commits merged to main update a release PR; merging that PR updates CHANGELOG.md, bumps lib/kitchen/verifier/cinc_auditor_version.rb, creates a GitHub release, and publishes the tagged gem.
Publishing uses actionshub/publish-ruby-gem with Ruby 3.4. Configure a rubygems environment with a RUBYGEMS_AUTH_TOKEN secret that has RubyGems.org push access for kitchen-cinc-auditor. Add RELEASE_PLEASE_TOKEN if release-please PRs should trigger ordinary CI checks; otherwise the workflow falls back to GITHUB_TOKEN.
This verifier is Apache-2.0 licensed. kitchen-inspec is also Apache-2.0 licensed and was used as a behavioral compatibility reference for Test Kitchen verifier options and profile discovery.