[Day #73 Pyats Series] Automate compliance checks for golden configs using pyATS for Cisco [Python for Network Engineer]
Introduction on the Key Points
In modern enterprise networks, keeping device configurations in line with approved golden configs is critical for security, compliance, and operational consistency. Even a single unauthorized change—whether accidental or malicious—can create vulnerabilities, break services, or cause outages.
Traditionally, engineers performed manual configuration reviews by logging into devices and comparing running configs to stored baselines. This is time-consuming, error-prone, and simply not scalable for networks with dozens or hundreds of devices.
This is where pyATS (Python Automated Test System) steps in — allowing us to automate compliance checks against golden configurations across multiple devices in seconds. As part of our 101 Days of pyATS (Vendor-Agnostic) series, today we’ll focus on Cisco devices, but the methodology can easily be extended to Arista, Juniper, Palo Alto, FortiGate, and more.
If you are a Python for Network Engineer learner, this is a perfect skill to master — because in most organizations, compliance automation is a high-value deliverable for NOC, SOC, and network automation teams.
By the end of this post, you will:
- Understand how to structure and store golden configuration templates.
- Learn to create pyATS jobs that fetch current configs and compare them to golden configs.
- Be able to produce pass/fail reports for compliance audits.
- See real CLI outputs from a Cisco device validation.
Topology Overview
For today’s lab, we’ll work with the following simple topology:

- R1 and R2 are Cisco IOS routers.
- Both are connected via a Layer 2 switch for management connectivity.
- The pyATS host will connect via SSH to both devices to pull the running-config.
Topology & Communications
- pyATS Host: Runs Python 3.8+, pyATS, and Genie libraries.
- Access Method: SSH to each Cisco device.
- Data Flow:
  - pyATS connects to each device.
  - Captures show running-config.
  - Compares it with the golden config stored locally.
  - Generates a compliance report.
Workflow Script
Below is the Python pyATS script to automate compliance checks for golden configs:
```python
from genie.testbed import load
from genie.utils.diff import Diff
import os

# Load the testbed
testbed = load('testbed.yml')

# Path to golden configs
golden_path = './golden_configs/'

# Loop through devices in testbed
for device in testbed.devices.values():
    print(f"\nConnecting to {device.name}...")
    device.connect(log_stdout=False)

    # Fetch current running config
    print(f"Fetching running-config for {device.name}...")
    running_config = device.execute('show running-config')

    # Load golden config
    golden_file = os.path.join(golden_path, f"{device.name}.cfg")
    if not os.path.exists(golden_file):
        print(f"Golden config not found for {device.name}. Skipping...")
        device.disconnect()  # close the session before moving on
        continue

    with open(golden_file, 'r') as gf:
        golden_config = gf.read()

    # Compare configs line by line
    diff = Diff(golden_config.splitlines(), running_config.splitlines())
    diff.findDiff()

    if diff.diffs:
        print(f"Non-compliant configuration detected on {device.name}!")
        print(diff)
    else:
        print(f"{device.name} is fully compliant with golden config.")

    # Disconnect
    device.disconnect()
```
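One point the script above glosses over: it hands the raw `show running-config` output to Diff, so lines that change on every capture (the `Building configuration...` banner, the `Current configuration : N bytes` line, the `! Last configuration change` timestamp) would be reported as drift. The following is an added example, not the post's script, that runs offline without pyATS: it strips such volatile lines before a line-by-line unified diff, so only policy-relevant differences remain. The volatile patterns and the two R2 sample configs are constructed for this example; in the real workflow `running_text` would come from `device.execute('show running-config')`.

```python
"""Normalize IOS configs before diffing, so only real drift is reported.

Added example; stand-alone and offline (no pyATS connection needed).
"""
import difflib
import re
from typing import Iterable, List

# Lines IOS prints that change on every capture or carry no policy value.
# These patterns are assumptions for the example; extend them per platform.
VOLATILE_PATTERNS = [
    r"^Building configuration",
    r"^Current configuration\s*:",
    r"^! Last configuration change",
    r"^! NVRAM config last updated",
    r"^ntp clock-period",
    r"^!\s*$",
    r"^end\s*$",
]


def normalize(config_text: str, volatile: Iterable[str] = VOLATILE_PATTERNS) -> List[str]:
    """Return the config as a list of lines with volatile and blank lines
    removed and trailing whitespace stripped. Leading whitespace is kept
    because IOS uses it to mark sub-mode commands."""
    compiled = [re.compile(p) for p in volatile]
    lines = []
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if any(p.match(line) for p in compiled):
            continue
        lines.append(line)
    return lines


def config_diff(golden_text: str, running_text: str, name: str = "device") -> List[str]:
    """Unified diff from golden to running config. An empty list means the
    device is compliant."""
    golden = normalize(golden_text)
    running = normalize(running_text)
    return list(difflib.unified_diff(
        golden, running,
        fromfile=f"{name} golden", tofile=f"{name} running",
        lineterm="",
    ))


def is_compliant(golden_text: str, running_text: str) -> bool:
    return not config_diff(golden_text, running_text)


# Constructed sample configs mirroring the post's R2 scenario: the running
# config carries the usual volatile header lines and a changed default route.
GOLDEN_R2 = """\
!
hostname R2
!
interface GigabitEthernet0/0
 ip address 192.168.1.11 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
end
"""

RUNNING_R2 = """\
Building configuration...

Current configuration : 1103 bytes
!
! Last configuration change at 10:42:11 UTC Mon Jan 1 2024
!
hostname R2
!
interface GigabitEthernet0/0
 ip address 192.168.1.11 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.2.1
!
end
"""

if __name__ == "__main__":
    for line in config_diff(GOLDEN_R2, RUNNING_R2, "R2"):
        print(line)
```

Running the block prints only the route change; the banner, byte count and timestamp lines never reach the diff. The same `config_diff` can replace the Diff call in the pyATS loop, with `running_text` taken from `device.execute`.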
Explanation by Line
- `from genie.testbed import load` → Loads the testbed YAML file containing device credentials.
- `from genie.utils.diff import Diff` → Genie's built-in diff tool for comparing configs.
- `testbed = load('testbed.yml')` → Reads device details for pyATS to use.
- `golden_path = './golden_configs/'` → Directory containing approved configs.
- Loop through each device → Connect → Fetch running-config → Compare with golden → Report differences.
- `diff.findDiff()` → Executes the actual comparison.
- If `diff.diffs` is non-empty → Device is non-compliant; otherwise, it's compliant.
testbed.yml Example
```yaml
testbed:
  name: GoldenConfigCompliance
  credentials:
    default:
      username: admin
      password: cisco123

devices:
  R1:
    os: ios
    type: router
    connections:
      cli:
        protocol: ssh
        ip: 192.168.1.10
  R2:
    os: ios
    type: router
    connections:
      cli:
        protocol: ssh
        ip: 192.168.1.11
```
Post-validation CLI (Real expected output)
Example output when R1 is compliant:
```text
Connecting to R1...
Fetching running-config for R1...
R1 is fully compliant with golden config.
```
Example output when R2 is non-compliant:
```text
Connecting to R2...
Fetching running-config for R2...
Non-compliant configuration detected on R2!
--- Golden Config
+++ Running Config
@@
- ip route 0.0.0.0 0.0.0.0 192.168.1.1
+ ip route 0.0.0.0 0.0.0.0 192.168.2.1
```
FAQs
1. What does “golden configuration” mean in network automation?
A golden configuration is a pre-approved, standardized baseline config that aligns with an organization’s security, performance, and compliance policies. It’s the “known-good” state against which all network devices are compared. Any deviation indicates drift, misconfiguration, or potential security risk.
2. Why should I automate golden config compliance checks instead of doing them manually?
Manual audits are slow, error-prone, and usually reactive. Automation with tools like pyATS ensures:
- Continuous monitoring
- Immediate drift detection
- Faster remediation
- Consistency across vendors
It also reduces the operational risk of configuration mismatches during audits or incident responses.
3. How does pyATS help in golden config compliance checks?
pyATS can:
- Log in to multi-vendor devices
- Parse running configurations into structured data
- Compare against a stored golden config in YAML/JSON/text
- Highlight differences in a human-readable format
- Generate reports for compliance teams
This makes it ideal for both daily checks and pre/post-change validation.
4. Where should I store my golden configurations?
Best practice is to keep golden configs in version-controlled repositories (GitLab/GitHub/Bitbucket). This allows:
- Change history tracking
- Easy rollback to older versions
- Integration with CI/CD pipelines
You can also encrypt sensitive sections like credentials using tools such as Ansible Vault or Git-crypt.
5. Can I run compliance checks for multiple vendors in one script?
Yes. pyATS supports multi-vendor parsing via the Genie parsers and can normalize config outputs. You can store multiple golden configs (per vendor or per platform) and compare them in a single automated workflow.
6. How do I handle exceptions where a device requires a config different from the golden baseline?
You can maintain per-device exception lists in your compliance YAML. The automation script can skip or modify checks for those devices, ensuring flexibility without breaking compliance reporting.
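One way to represent such an exception list, as an added example that is not the post's code: each device maps to regexes for config lines that are allowed to differ on that device, and the functions filter a unified diff (the shape shown in the output section above) down to the changes the list does not explain, so an approved deviation no longer hides an unapproved one. The `EXCEPTIONS` dict, the R2 pattern and the sample diff lines are constructed; in practice you would load the dict from your compliance YAML with `yaml.safe_load`.

```python
"""Per-device exception lists applied to a config diff.

Added example; the exception data and sample diff are constructed.
"""
import re
from typing import Dict, Iterable, List

# Shape you might keep in compliance.yml (constructed). Each pattern is a regex
# matched against the config line with its leading +/- removed. Here R2 is
# allowed a default route that differs from the golden baseline.
EXCEPTIONS: Dict[str, List[str]] = {
    "R2": [r"^ip route 0\.0\.0\.0 0\.0\.0\.0 \S+$"],
}


def changed_lines(diff_lines: Iterable[str]) -> List[str]:
    """Keep only added/removed config lines from a unified diff, dropping the
    ---/+++ file headers, @@ hunk markers and unchanged context lines."""
    out = []
    for line in diff_lines:
        if line.startswith(("---", "+++", "@@")):
            continue
        if line and line[0] in "+-":
            out.append(line)
    return out


def unexplained_changes(device: str, diff_lines: Iterable[str],
                        exceptions: Dict[str, List[str]] = EXCEPTIONS) -> List[str]:
    """Return the +/- lines that no exception pattern for this device covers.
    Both the golden (-) and running (+) form of an excused line must match a
    pattern, which is why patterns describe the command rather than one value."""
    patterns = [re.compile(p) for p in exceptions.get(device, [])]
    remaining = []
    for line in changed_lines(diff_lines):
        body = line[1:].strip()
        if any(p.match(body) for p in patterns):
            continue
        remaining.append(line)
    return remaining


def compliance_status(device: str, diff_lines: Iterable[str],
                      exceptions: Dict[str, List[str]] = EXCEPTIONS) -> str:
    """Three-way verdict so reports still show that an exception was used."""
    if not changed_lines(diff_lines):
        return "compliant"
    if unexplained_changes(device, diff_lines, exceptions):
        return "non-compliant"
    return "compliant (approved exceptions only)"


# Constructed diff for R2 in the shape the post's script prints, plus one
# extra change that no exception covers.
R2_DIFF = [
    "--- Golden Config",
    "+++ Running Config",
    "@@ -1,4 +1,5 @@",
    " hostname R2",
    "-ip route 0.0.0.0 0.0.0.0 192.168.1.1",
    "+ip route 0.0.0.0 0.0.0.0 192.168.2.1",
    "+ip http server",
]

if __name__ == "__main__":
    print(compliance_status("R2", R2_DIFF))
    for line in unexplained_changes("R2", R2_DIFF):
        print("  unexplained:", line)
```

The verdict for the sample is `non-compliant`: the route change is excused for R2, but `ip http server` is not on the list and is still reported. The same diff for R1, which has no exceptions, is flagged in full.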
7. What happens if a device fails the compliance check?
Your automation workflow can:
- Send alerts (email, Slack, Teams, Webex)
- Open a ServiceNow/Jira ticket
- Automatically trigger remediation scripts to push the correct config
The action depends on your organization’s risk policy.
8. Can compliance checks be integrated into CI/CD pipelines?
Absolutely. Many teams integrate pyATS compliance scripts into Jenkins or GitLab CI pipelines so that any config change request automatically triggers a compliance test before deployment.
YouTube Link
Watch the Complete Python for Network Engineer: Automate compliance checks for golden configs using pyATS for Cisco [Python for Network Engineer] Lab Demo & Explanation on our channel:
Join Our Training
If you’re serious about mastering Python for Network Engineer skills and building automation workflows like this, join Trainer Sagar Dhawan’s 3-month Instructor-Led Training Program.
You’ll go from writing basic scripts to enterprise-grade automation integrating Python, Ansible, APIs, pyATS, and multi-vendor networks. This training is 100% hands-on, with real devices, projects, and continuous mentorship.
Course Outline: Click Here to View
Start your journey today and take your Python for Network Engineer skills to the next level.
Enroll Now & Future‑Proof Your Career
Email: info@networkjourney.com
WhatsApp / Call: +91 97395 21088