Verifying that interfaces comply with corporate policy can be a challenge, since the expected settings typically vary depending on whether a port is a trunk or an access port, and since you want to check every interface, ignore the correct ones, and alert only on the incorrect ones.
Below is a basic script that verifies interface settings, in this case that all access ports have BPDU Guard enabled (this is not a recommendation, just an example).
More intelligence might need to be added to meet the requirements of your network, but we kept it simple for clarity.
It can easily be modified to check trunk ports by changing "access" to "trunk" in the "check access port" section, and it can check for other settings by replacing "spanning-tree bpduguard enable" (the IOS form of the command as it appears in the running config) with another setting, or even a block of settings.
This script fires a custom issue, which must be created first, in this case:
Issue ID: AccessPortWithoutBpduguard
Detail Columns:
Host,string
Name,string
Interface,string
############## Start of Script ################
# Access Port without bpduguard
#
# Check access ports for bpduguard, fire a custom issue for any that are incorrect.
#
# Access ports should have:
# spanning-tree bpduguard enable
##############################
Script-Filter:
$Vendor eq "Cisco"
##############################
Action:
show run
Action-Description:
show the running config
Action-Commands:
show run
Output-Triggers:
get interfaces
##############################
Trigger:
get interfaces
Trigger-Description:
get each interface
Trigger-Variables:
$thisInterface string
Trigger-Template:
interface [[$thisInterface]]
Trigger-Commands:
SET: $accessPortMatch = "no"
show run int $thisInterface
Output-Triggers:
get interface details
####################################
Trigger:
get interface details
Trigger-Description:
Check for access or trunk
Trigger-Variables:
$ifaceType string
Trigger-Template:
switchport mode [[$ifaceType]]
Trigger-Commands:
show run interface $thisInterface
Output-Triggers:
check access port
fire access issue
############################################
Trigger:
check access port
Trigger-Description:
if this is an access port, make sure that bpduguard is configured
Trigger-Filter:
$ifaceType eq "access"
Trigger-Template:
spanning-tree bpduguard enable
Trigger-Commands:
SET: $accessPortMatch = "yes"
#################################################
Issue:
fire access issue
Issue-ID:
AccessPortWithoutBpduguard
Issue-Severity:
Warning
Issue-Description:
Fire this issue if the template did not match
Issue-Filter:
$ifaceType eq "access" && $accessPortMatch eq "no"
Issue-Details:
Host $IPAddress
Name $Name
Interface $thisInterface
############### End of Script ################
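The same check, written as an added stand-alone Python example (not part of the original script or of the platform) so the per-interface logic can be tested offline against a constructed running config: split the config into interface blocks, read the switchport mode, and report every port of the requested mode that lacks the required line(s). The mode and required settings are parameters, so the trunk variant described above is the same function with different arguments; the config text, hostname and address are constructed sample values.

```python
import re
from collections import namedtuple

# Constructed sample "show run" output (not from a real device):
# Gi0/1 is a compliant access port, Gi0/2 is an access port without
# bpduguard, Gi0/3 is a trunk.
SAMPLE_RUN = """\
hostname sw-lab-01
!
interface GigabitEthernet0/1
 switchport mode access
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/2
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/3
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
"""

# Mirrors the Issue-Details columns of the script: Host, Name, Interface.
IssueDetail = namedtuple("IssueDetail", "host name interface")


def parse_interfaces(running_config):
    """Return {interface_name: [stripped sub-commands]} for each interface block."""
    blocks, current = {}, None
    for line in running_config.splitlines():
        match = re.match(r"^interface (\S+)", line)
        if match:                       # "interface [[$thisInterface]]"
            current = match.group(1)
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:                           # "!" or a global command ends the block
            current = None
    return blocks


def find_noncompliant(running_config, host, name, mode="access",
                      required=("spanning-tree bpduguard enable",)):
    """Return one IssueDetail per interface of the given mode missing any required line."""
    issues = []
    for iface, lines in parse_interfaces(running_config).items():
        modes = [m.group(1) for l in lines if (m := re.match(r"switchport mode (\S+)", l))]
        if mode not in modes:           # Trigger-Filter: $ifaceType eq "access"
            continue
        if not all(req in lines for req in required):  # $accessPortMatch eq "no"
            issues.append(IssueDetail(host, name, iface))
    return issues
```

Calling `find_noncompliant(SAMPLE_RUN, host, name)` returns only GigabitEthernet0/2; passing `mode="trunk"` with a different `required` tuple checks trunks instead.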