Question: (How) is it possible to "overwrite" InSpec controls (specifically in the DevSec InSpec Baselines)?
I don't want to rewrite a whole InSpec definition, just specific controls in a control file.
Background:
I regularly pull the current baselines from the DevSec repository to stay up to date with the current specifications.
But I want to adjust some of those "controls" to my needs or want to disable them.
Is it possible to change a specification by changing some environment variable or by placing a file with a higher priority somewhere in the InSpec directory structure? Or do I have to overwrite/edit the whole "controlfile.rb" specification? This would involve manual intervention every time the control file changes and be counterproductive to the automation process.
(I see the consideration, that for security-relevant changes it would be wise to inspect every new update of the controls)
Update: One solution is in the answer below: just execute specific controls. I still don't know how to EXCLUDE specific controls (negating the regex seems not to work).
To just use specific controls:
I found it in the command help; it says:
(I now also found it in the docs: https://docs.chef.io/inspec/cli/#options-3)
The following will execute just the controls starting with "ssh" in the specified profile:
To overwrite controls:
To overwrite specific controls, they can be overwritten in the "controls" directory of a profile that can be "applied on top of the baseline", which is included there; see https://blog.chef.io/understanding-inspec-profile-inheritance, like:
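
As an added example (not part of the original post and not DevSec's or Chef's own code), this shell function scaffolds a wrapper profile of the kind described above, with one control excluded via `skip_control` and one overridden. The baseline name, its local checkout path and the `ssh-EXAMPLE-*` control IDs are placeholders to replace with the values from the baseline you pulled.

```shell
#!/bin/sh
# Scaffold an InSpec wrapper profile that inherits a baseline and
# adjusts single controls, so the pulled baseline stays unmodified.
make_wrapper_profile() {
  dir=$1        # directory to create the wrapper profile in
  baseline=$2   # assumed: the "name:" from the baseline's own inspec.yml
  src=$3        # assumed: path to the local checkout, relative to $dir
  mkdir -p "$dir/controls" || return 1

  # inspec.yml declares the baseline as a dependency of the wrapper.
  cat > "$dir/inspec.yml" <<EOF
name: ${baseline}-overrides
title: Local overrides for ${baseline}
version: 0.1.0
depends:
  - name: ${baseline}
    path: ${src}
EOF

  # controls/overrides.rb includes every baseline control, then adjusts.
  cat > "$dir/controls/overrides.rb" <<EOF
include_controls '${baseline}' do
  # Excluded: this control is not executed at all.
  # (placeholder ID, use a real one from the baseline)
  skip_control 'ssh-EXAMPLE-01'

  # Overridden: only the attributes listed here change.
  # (placeholder ID, use a real one from the baseline)
  control 'ssh-EXAMPLE-02' do
    impact 0.1
  end
end
EOF
}

# Usage (run against the wrapper, not the baseline):
#   make_wrapper_profile ./my-overrides <baseline-name> ../<baseline-dir>
#   inspec exec ./my-overrides
```

Because the wrapper only names the controls it changes, updating the baseline checkout brings in new or modified controls without touching the override file.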