The compliance-scanning landscape

OpenSCAP, OSQuery, Terratest.

Advanced10 min · lesson 12 of 12

InSpec is a leading compliance-as-code tool, but it sits among related approaches worth placing. OpenSCAP is the OVAL/SCAP-based scanner common in government and RHEL environments, running official STIG/CIS content — more standards-native, less friendly to author. Osquery exposes the OS as SQL tables you query for state and detection — great for fleet visibility and hunting, adjacent to compliance. And the IaC scanners (Checkov) and Terratest cover the pre-deploy and behavioral angles InSpec does not.

Where InSpec sits
compliance of running systems
InSpec
readable controls, many targets
OpenSCAP
SCAP/OVAL, official content
Osquery
OS-as-SQL, visibility/detection
other angles
Checkov / Trivy
pre-deploy IaC misconfig
Terratest
does it actually work?
InSpec: human-readable compliance across hosts/containers/cloud. Complements pre-deploy scanning and behavioral testing.

Choosing and combining

Reach for InSpec when you want compliance controls that are readable, cross-platform (host, container, cloud), and easy to author and tailor — especially with CIS/STIG baselines plus your overlay. Prefer OpenSCAP where an environment mandates SCAP content or you need government-certified scanners. Use osquery for live fleet visibility and detection. And remember these answer “is the running system compliant?” — pair them with Checkov (pre-deploy config) and Terratest (behavior) for full-lifecycle assurance. No single tool covers config, compliance, behavior, and detection.

Compliance-passing is not the same as secure
A green InSpec run means the system meets the controls you ran — not that it is secure against everything. Baselines can lag new threats, controls can be waived, and a standard is a floor, not a ceiling. Treat compliance as code as one essential layer (with evidence and continuity that manual audits lack), alongside pre-deploy scanning, runtime detection, and real security review — not as a substitute for a genuine threat model.