The compliance-scanning landscape
OpenSCAP, OSQuery, Terratest.
InSpec is a leading compliance-as-code tool, but it sits among related approaches worth placing. OpenSCAP is the OVAL/SCAP-based scanner common in government and RHEL environments, running official STIG/CIS content — more standards-native, less friendly to author. Osquery exposes the OS as SQL tables you query for state and detection — great for fleet visibility and hunting, adjacent to compliance. And the IaC scanners (Checkov) and Terratest cover the pre-deploy and behavioral angles InSpec does not.
Choosing and combining
Reach for InSpec when you want compliance controls that are readable, cross-platform (host, container, cloud), and easy to author and tailor — especially with CIS/STIG baselines plus your overlay. Prefer OpenSCAP where an environment mandates SCAP content or you need government-certified scanners. Use osquery for live fleet visibility and detection. And remember these answer “is the running system compliant?” — pair them with Checkov (pre-deploy config) and Terratest (behavior) for full-lifecycle assurance. No single tool covers config, compliance, behavior, and detection.