What InSpec is: compliance as code

Executable, human-readable controls.

Intermediate12 min · lesson 1 of 12

InSpec is a framework for expressing security and compliance as executable code. Instead of a compliance requirement living in a PDF — “SSH must not permit root login,” “the firewall must deny inbound by default” — you write it as a control that runs against a real system and passes or fails. The control is readable enough that an auditor can understand it and precise enough that a machine can verify it, which closes the gap between a written policy and the actual state of your systems.

This is compliance as code, and it is different from the IaC scanning you have seen. Checkov reads infrastructure code before deploy; InSpec inspects running systems (or cloud APIs) to confirm they are actually in the required state. It answers “is this server, right now, configured the way the standard demands?” — continuously, repeatably, and with evidence. It grew out of the Chef ecosystem but is standalone and works against anything, whether or not Chef manages it.

From requirement to verified evidence
1requirement
a policy / CIS control
2control
executable InSpec code
3run
against a real system
4evidence
pass/fail report
The written control and the test are the same artifact — readable by auditors, executable by machines.

Why it matters

Compliance as code turns audits from a periodic manual scramble into a continuous, automated check with a paper trail. You run the same profile in CI (gate a machine image), on a schedule (detect drift on running fleets), and during an audit (produce evidence). The controls are version-controlled and reviewed like any code. For regulated environments this is transformative — the standard becomes a test suite, and “are we compliant?” becomes a command you can run.

InSpec verifies state; it does not fix it
InSpec is a detection and evidence tool, not a remediation one — it tells you a control failed, not how to fix it (that is config management: Ansible, Chef, Puppet). Pair the two: InSpec defines and verifies the desired compliance state, and a config-management tool enforces it. Treating InSpec as if it hardens systems is a category error; it is the test, not the fix.