
pulumi policy analyze | CLI commands

    Analyze a stack’s current state against policy packs

    Synopsis

    Analyze a stack’s current state against one or more local policy packs.

    This command runs policy analysis against the stack’s existing resource state without executing the Pulumi program or making provider calls.

    If any remediation policy fires, the change is reported but the stack state is not modified. Exits with a non-zero status if any mandatory violations are found.

    pulumi policy analyze [flags]
    

    Options

          --diff                             Display policy diagnostics as a rich diff instead of grouped progress output
      -h, --help                             help for analyze
      -j, --json                             Serialize policy analysis events as JSON
          --policy-pack stringArray          Path to a policy pack to run during analysis
          --policy-pack-config stringArray   Path to a JSON config file for the corresponding --policy-pack
      -s, --stack string                     The name of the stack to analyze. Defaults to the current stack
    

    Options inherited from parent commands

          --color string                 Colorize output. Choices are: always, never, raw, auto (default "auto")
      -C, --cwd string                   Run pulumi as if it had been started in another directory
          --disable-integrity-checking   Disable integrity checking of checkpoint files
      -e, --emoji                        Enable emojis in the output
      -Q, --fully-qualify-stack-names    Show fully-qualified stack names
          --logflow                      Flow log settings to child processes (like plugins)
          --logtostderr                  Log to stderr instead of to files
          --memprofilerate int           Enable more precise (and expensive) memory allocation profiles by setting runtime.MemProfileRate
          --non-interactive              Disable interactive mode for all commands
          --otel-traces string           Export OpenTelemetry traces to the specified endpoint. Use file:// for local JSON files, grpc:// for remote collectors
          --profiling string             Emit CPU and memory profiles and an execution trace to '[filename].[pid].{cpu,mem,trace}', respectively
          --tracing file:                Emit tracing to the specified endpoint. Use the file: scheme to write tracing data to a local file
      -v, --verbose int                  Enable verbose logging (e.g., v=3); anything >3 is very verbose
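
An added example, not part of the Pulumi documentation: a fail-closed CI gate built on the exit status described in the synopsis, using only flags listed on this page. `policy_gate`, `PULUMI_BIN` and the `PACK=CONFIG` argument syntax are hypothetical; it assumes each `--policy-pack-config` pairs with the `--policy-pack` in the same position, so it refuses a mix of configured and unconfigured packs.

```shell
#!/bin/sh
# Added example: fail-closed CI gate around `pulumi policy analyze`.
# policy_gate and PULUMI_BIN are hypothetical names, not part of the Pulumi CLI.
PULUMI_BIN="${PULUMI_BIN:-pulumi}"

# usage: policy_gate STACK PACK[=CONFIG.json] [PACK[=CONFIG.json] ...]
# Returns 0 only when the analysis itself exits 0; 2 on a usage error.
policy_gate() {
    pg_stack="$1"
    [ -n "$pg_stack" ] || { echo "policy_gate: stack name required" >&2; return 2; }
    shift
    # Fail closed: a gate that runs no policy pack must not report success.
    [ "$#" -gt 0 ] || { echo "policy_gate: no policy packs given" >&2; return 2; }

    # Rewrite "$@" in place from PACK[=CONFIG] entries into CLI flags.
    pg_left=$# pg_with=0 pg_without=0
    while [ "$pg_left" -gt 0 ]; do
        pg_entry="$1"; shift; pg_left=$((pg_left - 1))
        case "$pg_entry" in
            *=*) set -- "$@" --policy-pack "${pg_entry%%=*}" \
                            --policy-pack-config "${pg_entry#*=}"
                 pg_with=$((pg_with + 1)) ;;
            *)   set -- "$@" --policy-pack "$pg_entry"
                 pg_without=$((pg_without + 1)) ;;
        esac
    done
    # Assumption: configs are matched to packs by position, so a partial set
    # could attach a config to the wrong pack. Require all or none.
    if [ "$pg_with" -gt 0 ] && [ "$pg_without" -gt 0 ]; then
        echo "policy_gate: give a config for every pack or for none" >&2
        return 2
    fi

    # Any non-zero exit blocks the pipeline: the page documents non-zero for
    # mandatory violations, and other failures must not pass the gate either.
    pg_rc=0
    "$PULUMI_BIN" policy analyze --non-interactive --stack "$pg_stack" "$@" || pg_rc=$?
    [ "$pg_rc" -eq 0 ] || echo "policy_gate: analysis exited $pg_rc, blocking" >&2
    return "$pg_rc"
}
```

In a pipeline step, source the file and call, for example, `policy_gate prod ./policy/baseline=./policy/baseline.json` (constructed paths); the step fails whenever the function returns non-zero.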
    


    Auto generated by spf13/cobra on 2-Apr-2026