Assess Ansible Playbook Security with cnspec

Scan Ansible playbooks for security misconfigurations using cnspec.

Use cnspec to scan Ansible playbooks for security misconfigurations and policy violations before they run against your infrastructure.

cnspec parses playbook YAML files and exposes plays, tasks, and handlers as queryable resources. This lets you check for insecure module options, missing privilege escalation controls, and other configuration issues without executing the playbook.

Scan an Ansible playbook

Scan a playbook file:

cnspec scan ansible playbook.yml

Scan a directory containing playbook files:

cnspec scan ansible /path/to/playbooks/

Scan options

Option                 Description
--discover             Enable discovery of nested assets (all, auto)
--asset-name           Override the asset name
--annotation           Add an annotation to the asset (key=value)
--incognito            Run in incognito mode (do not report results to Mondoo Platform)
-o, --output           Set the output format (compact, full, json, junit, summary, yaml)
-f, --policy-bundle    Path to a policy file (local path, s3:// URI, or http(s):// URL)
--policy               Specify policies to execute (requires --policy-bundle)
--risk-threshold       Exit with status 1 if any risk meets or exceeds this value (0-100)
-j, --json             Return the results as JSON

Example checks

Run cnspec shell ansible playbook.yml to open the interactive shell. From there you can run MQL checks such as the examples below.

List all plays and their target hosts

ansible.plays { name hosts }

List all tasks across all plays

ansible.plays { tasks { name action } }

Ensure yum tasks validate certificates

A common misconfiguration is disabling certificate validation when installing packages. Check that no ansible.builtin.yum tasks have validate_certs set to false:

ansible.plays.all(
  tasks.where(action["ansible.builtin.yum"] != empty).all(
    action["ansible.builtin.yum"]["validate_certs"] != false
  )
)

Ensure no plays run as root

ansible.plays.all(remoteUser != "root")

Check that privilege escalation uses a specific method

ansible.plays.where(become == true).all(
  becomeMethod == "sudo"
)
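To run these checks repeatably instead of typing them into the shell, they can be packaged as a policy bundle and passed with -f. The bundle below is an added example, not a Mondoo-provided policy; the file name, policy uid, impact values and check titles are assumptions, and it extends the yum check to ansible.builtin.dnf, which takes the same validate_certs option.

```yaml
# Assumed file name: ansible-playbook-hardening.mql.yaml (example bundle, not Mondoo's own)
# Run against a playbook or directory:
#   cnspec scan ansible playbook.yml -f ansible-playbook-hardening.mql.yaml
# Add --risk-threshold 80 to make CI fail when a high-impact check does not pass.
policies:
  - uid: ansible-playbook-hardening
    name: Ansible playbook hardening (example)
    version: 1.0.0
    groups:
      - title: Playbook configuration checks
        checks:
          - uid: ansible-yum-validate-certs
            title: ansible.builtin.yum tasks must not disable certificate validation
            impact: 80
            mql: |
              ansible.plays.all(
                tasks.where(action["ansible.builtin.yum"] != empty).all(
                  action["ansible.builtin.yum"]["validate_certs"] != false
                )
              )
          - uid: ansible-dnf-validate-certs
            # Same misconfiguration via the dnf module (assumed extension of the yum check)
            title: ansible.builtin.dnf tasks must not disable certificate validation
            impact: 80
            mql: |
              ansible.plays.all(
                tasks.where(action["ansible.builtin.dnf"] != empty).all(
                  action["ansible.builtin.dnf"]["validate_certs"] != false
                )
              )
          - uid: ansible-no-root-remote-user
            title: Plays must not connect as root
            impact: 60
            mql: ansible.plays.all(remoteUser != "root")
          - uid: ansible-become-method-sudo
            title: Plays that escalate privileges must use sudo
            impact: 40
            mql: |
              ansible.plays.where(become == true).all(
                becomeMethod == "sudo"
              )
```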
