What is Compliance as Code?
Learn what compliance as code means, how policy engines enforce it in CI/CD and Kubernetes, and why it beats manual audits.
Expected Interview Answer
Compliance as code is the practice of expressing regulatory and internal security controls as machine-readable, version-controlled policy definitions that are automatically evaluated against infrastructure and pipelines, instead of enforced through manual audits and spreadsheets.
Teams write policies using tools such as Open Policy Agent (Rego), Chef InSpec, or HashiCorp Sentinel, and store them in the same Git repository as the infrastructure code they govern, so a policy change goes through pull-request review exactly like application code. These policies run at multiple gates: pre-commit or CI to catch violations before a Terraform plan is applied, admission control in Kubernetes to block a non-compliant Pod at deploy time, and continuous scanning against the live environment to catch drift. Because the checks are automated and repeatable, an auditor can be shown the exact commit history and passing pipeline runs as evidence, rather than a manually maintained checklist that goes stale. This turns compliance from a periodic, error-prone audit exercise into a continuous, testable guarantee baked into the delivery pipeline.
- Turns audits into continuous, automated evidence generation
- Catches violations before deployment instead of after an incident
- Version-controlled policies get the same review rigor as code
- Scales consistent enforcement across many teams and environments
AI Mentor Explanation
Compliance as code is like a ground curator running an automated pitch-inspection checklist before every match instead of relying on the umpire’s memory of the rules on the day. The bounce, grass length, and rolling schedule are all encoded as a written protocol that a match referee runs through and signs off before play starts. If the pitch fails one item, the match cannot begin until it is fixed, just as a failed policy check blocks a deployment. Over a season, the ground has a stored record of every inspection, giving the board hard evidence instead of a curator’s word.
Step-by-Step Explanation
Step 1
Encode the policy
Write the regulatory or internal control as a machine-readable rule in a policy language such as Rego or InSpec.
Step 2
Version and review
Store the policy in Git and require pull-request review, exactly like application code changes.
Step 3
Gate the pipeline
Evaluate the policy at CI, admission control, and deploy time, blocking any resource that violates it.
Step 4
Continuously monitor
Re-scan live infrastructure on a schedule to catch drift and produce automated audit evidence.
What Interviewer Expects
- Understanding that policies are written as testable, version-controlled code
- Knowledge of common tools such as Open Policy Agent, InSpec, or Sentinel
- Awareness of the multiple enforcement gates: CI, admission control, and drift scanning
- Ability to explain how this produces continuous audit evidence over manual checklists
Common Mistakes
- Confusing compliance as code with simply documenting policies in a wiki
- Only checking compliance at deploy time and ignoring configuration drift
- Not treating policy files with the same review rigor as application code
- Forgetting to explain what concrete evidence this produces for auditors
Best Answer (HR Friendly)
“Compliance as code means we write our security and regulatory rules as actual code that automatically checks our infrastructure, instead of relying on someone manually filling out a checklist. This lets us catch a violation before it ever reaches production, and it gives auditors a clear, automated trail of every check we ran.”
Code Example
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPPrivilegedContainer
metadata:
name: block-privileged-containers
spec:
match:
kinds:
- apiGroups: [""]
kinds: ["Pod"]
parameters:
exemptImages: []
# Any Pod requesting privileged: true is rejected at admission time,
# and the rejection is logged as automated compliance evidence.Follow-up Questions
- Which policy engines have you used to enforce compliance as code?
- How would you catch configuration drift that bypasses your CI pipeline?
- How do you handle a legitimate exception to a compliance policy?
- What evidence would you show an auditor from a compliance-as-code pipeline?
MCQ Practice
1. What best defines compliance as code?
Compliance as code encodes controls as machine-readable policy that is automatically and repeatedly evaluated, replacing manual audits.
2. Where can compliance-as-code policies typically be enforced?
Effective compliance as code is enforced at multiple gates: pre-deploy CI checks, admission control, and ongoing scans of live infrastructure.
3. What key advantage does compliance as code give auditors?
Because policies and their pass/fail results are stored and versioned, auditors get repeatable, timestamped evidence instead of manual attestations.
Flash Cards
What is compliance as code? — Regulatory and security controls expressed as version-controlled, machine-evaluated policy.
Name two compliance-as-code tools. — Open Policy Agent (Rego) and Chef InSpec (also HashiCorp Sentinel).
Where is compliance as code enforced? — CI pipelines, Kubernetes admission control, and continuous drift scans.
Main benefit for audits? — Continuous, automated, version-controlled evidence instead of manual checklists.