What InSpec is: compliance as code
Executable, human-readable controls.
InSpec is a framework for expressing security and compliance as executable code. Instead of a compliance requirement living in a PDF — “SSH must not permit root login,” “the firewall must deny inbound by default” — you write it as a control that runs against a real system and passes or fails. The control is readable enough that an auditor can understand it and precise enough that a machine can verify it, which closes the gap between a written policy and the actual state of your systems.
This is compliance as code, and it is different from the IaC scanning you have seen. Checkov reads infrastructure code before deploy; InSpec inspects running systems (or cloud APIs) to confirm they are actually in the required state. It answers “is this server, right now, configured the way the standard demands?” — continuously, repeatably, and with evidence. It grew out of the Chef ecosystem but is standalone and works against anything, whether or not Chef manages it.
Why it matters
Compliance as code turns audits from a periodic manual scramble into a continuous, automated check with a paper trail. You run the same profile in CI (gate a machine image), on a schedule (detect drift on running fleets), and during an audit (produce evidence). The controls are version-controlled and reviewed like any code. For regulated environments this is transformative — the standard becomes a test suite, and “are we compliant?” becomes a command you can run.