Demo Mode — Fully interactive with sample data. All waiver, scan and auto-fix actions are simulated. (The auto-fix engine is in alpha.)

Last scan: 2026-03-23 14:30

Dashboard panels: Passed, Failed, Skipped and Waived Controls; WAF++ Score (out of 100); Score by Pillar; Cloud Footprint (Regions); Failed Controls by Severity; Critical & High Failures; Pass Rate by Category (populated once a scan has run); Regulatory Readiness (empty until scan results contain regulatory mappings); Architectural Debt Heatmap (Low to High); Quick Wins (medium and low severity failures, lower effort to remediate).

Controls table columns: Control, Pillar, Severity, Status, Checks, with an Open in IDE link per control. "No controls match your filters." is shown when the active filters exclude every control.
Waivers allow you to intentionally accept risk for specific controls. Export as .wafpass-skip.yml.

No waivers configured. Add waivers from the Controls Library.
Waiver counters: Total Accepted, Active, Expiring in 30d, Overdue / Expired.

Formal risk acceptances require approver sign-off, an RFC or ticket reference, and a defined residual risk level.

No risk acceptances recorded. Click Add Risk Acceptance to begin.

Tip: Only controls with findings will impact your score.

Risk acceptance form sections: Approval, Risk Classification, Timeline.

Required fields: Control, Justification, Approver
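As an added example (not WAFPass's own code), the rules stated above applied to a risk-acceptance record: required fields, the RFC/ticket reference, the residual risk level, and the Active / Expiring in 30d / Overdue classification behind the counters. The record shape, the residual-risk vocabulary and the pass-rate of the checks are assumptions of this example, not the tool's schema.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed record shape, constructed for this example; WAFPass's own risk-register schema may differ.
@dataclass
class RiskAcceptance:
    control: str             # control ID, e.g. "WAF-SEC-001"
    justification: str
    approver: str
    expires: str             # ISO date, e.g. "2026-06-30"
    ticket: str = ""         # RFC or ticket reference
    residual_risk: str = ""  # "low", "medium" or "high" (assumed vocabulary)

REQUIRED = ("control", "justification", "approver")
RESIDUAL_LEVELS = ("low", "medium", "high")

def validate(ra: RiskAcceptance) -> list[str]:
    """Return the problems found; an empty list means the record may be recorded."""
    errors = [f"missing required field: {f}" for f in REQUIRED if not getattr(ra, f).strip()]
    if not ra.ticket.strip():
        errors.append("formal risk acceptance needs an RFC or ticket reference")
    if ra.residual_risk not in RESIDUAL_LEVELS:
        errors.append("residual risk level must be one of low, medium, high")
    return errors

def status(ra: RiskAcceptance, today: str, window_days: int = 30) -> str:
    """Classify a record the way the counters do: active, expiring (within 30 days) or expired."""
    today_d = date.fromisoformat(today)
    expires = date.fromisoformat(ra.expires)
    if expires < today_d:
        return "expired"
    if expires <= today_d + timedelta(days=window_days):
        return "expiring"
    return "active"

def summarize(records: list[RiskAcceptance], today: str) -> dict[str, int]:
    """Counter values for the Total Accepted / Active / Expiring in 30d / Overdue cards."""
    counts = {"total": len(records), "active": 0, "expiring": 0, "expired": 0}
    for ra in records:
        counts[status(ra, today)] += 1
    return counts
```

An acceptance that fails validate() should be rejected before it ever reaches the register; an "expired" one should be treated as a live finding again, which is what the Overdue counter surfaces.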

Global Deployment Map (Detected Regions): No region data available. Run a scan to detect deployed regions.
Demo mode — results are simulated client-side. The live server evaluates code against all 73 WAF++ controls in real time.

Sandbox editor (sandbox.tf, HCL / Terraform): load a template or paste Terraform, then click Run Sandbox Scan. The status line reads "Evaluating controls…" while the scan runs.

Remediation ROI estimates (based on industry benchmarks):
  • Est. Annual Risk: if left unaddressed
  • Savings if Fixed: estimated risk reduction
  • Fix Effort: engineering hours est.
  • Controls to Fix: failing controls

The score card shows the WAF++ score out of 100 with Pass / Fail / Skip counts.
Demo Mode: Scan will simulate a 1.8-second run and refresh the dashboard. No actual IaC files are required.

Scan Configuration

Maturity Level

Select the level that reflects your organisation's current cloud compliance posture. Selecting a level pre-configures recommended feature defaults — you can still adjust any setting individually below.

Level 1: Foundational (Startup / Early-stage)
Getting started with cloud compliance
  • Critical & High severity only
  • Security & Cost pillars (P1–P2)
  • Fast feedback, minimal overhead
  • Intelligence features off
  • No regulatory framework required

Level 2: Operational
Running compliance as standard practice
  • Medium+ severity, all active pillars
  • Waivers, risk register, PDF reports
  • Secret scanner + blast radius on
  • GDPR, BSI C5, ISO 27001 mapped
  • Auto-fix & ESG tracking off
Frameworks mapped: GDPR, BSI C5, ISO 27001

Level 3: Optimised
Continuous compliance at scale
  • All severities, all 7 pillars
  • Full intelligence suite enabled
  • Auto-fix engine + ESG/carbon tracking
  • Full audit trail, multi-pillar reports
  • All regulatory frameworks mapped
Frameworks mapped: GDPR, BSI C5, ISO 27001, SOC 2, NIS2, HIPAA
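As an added example (not WAFPass code), the severity and pillar scope of the three levels above applied to a scan result, so that the same results.json yields a different actionable list and pass rate per level. The record shape of the embedded sample, the control IDs other than the WAF-SEC prefix, and the convention that WAIVED controls do not count toward the pass rate are assumptions of this example, not the tool's real schema or scoring model.

```python
import json

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Presets transcribed from the three maturity levels; pillars=None means no pillar filter.
PRESETS = {
    1: {"min_severity": "high",   "pillars": {1, 2}},  # Critical & High, Security & Cost (P1-P2)
    2: {"min_severity": "medium", "pillars": None},    # Medium+, all active pillars
    3: {"min_severity": "low",    "pillars": None},    # all severities, all pillars
}

# Constructed sample in the record shape this example assumes for results.json
# (id, pillar number, severity, status); WAFPass's real output schema may differ.
SAMPLE_RESULTS = json.dumps([
    {"id": "WAF-SEC-001",  "pillar": 1, "severity": "critical", "status": "FAIL"},
    {"id": "WAF-SEC-002",  "pillar": 1, "severity": "medium",   "status": "FAIL"},
    {"id": "WAF-COST-001", "pillar": 2, "severity": "high",     "status": "PASS"},
    {"id": "WAF-OPS-001",  "pillar": 3, "severity": "high",     "status": "FAIL"},
    {"id": "WAF-OPS-002",  "pillar": 3, "severity": "low",      "status": "FAIL"},
    {"id": "WAF-SEC-003",  "pillar": 1, "severity": "high",     "status": "WAIVED"},
])

def in_scope(control: dict, level: int) -> bool:
    """True when the control falls inside the severity and pillar scope of a maturity level."""
    preset = PRESETS[level]
    severe_enough = SEVERITY_RANK[control["severity"]] >= SEVERITY_RANK[preset["min_severity"]]
    pillar_ok = preset["pillars"] is None or control["pillar"] in preset["pillars"]
    return severe_enough and pillar_ok

def scoped_failures(results_json: str, level: int) -> list[str]:
    """IDs of FAIL controls that the chosen level asks engineers to act on."""
    return [c["id"] for c in json.loads(results_json)
            if c["status"] == "FAIL" and in_scope(c, level)]

def pass_rate(results_json: str, level: int) -> float:
    """PASS share among in-scope controls; WAIVED/SKIP are left out (this example's convention)."""
    scored = [c for c in json.loads(results_json)
              if c["status"] in ("PASS", "FAIL") and in_scope(c, level)]
    return sum(c["status"] == "PASS" for c in scored) / len(scored) if scored else 1.0

if __name__ == "__main__":
    for level in PRESETS:
        print(level, scoped_failures(SAMPLE_RESULTS, level), pass_rate(SAMPLE_RESULTS, level))
```

Moving from Level 1 to Level 3 on the same sample grows the actionable list from one control to four and lowers the pass rate from 0.5 to 0.2, which is the effect a team should expect when it raises its maturity level without first fixing the backlog.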

General Settings

Scan Defaults

These defaults pre-fill the Run Scan form and are passed as CLI flags when generating commands.

Intelligence Features

Enhanced analysis modules that run alongside the core control checks. Disabling them speeds up scans in resource-constrained environments.

  • Secret Scanner: Detect exposed API keys and credentials in IaC
  • Auto-fix Engine (alpha): Generate concrete remediation patches for FAIL controls
  • Carbon & ESG Tracking: Estimate carbon footprint per control, included in PDF
  • Blast Radius Display: Show impact score per control to prioritise remediation

Reporting

Control how scan results are presented and exported.

  • Auto-open PDF after export: Automatically open the generated PDF report in a new tab

Settings are persisted in browser local storage and survive page reloads.

Public beta — WAFPass v1.0 is planned alongside Framework v1.0, shortly before 12 May 2026. All versions below v1.0 are beta. The API, controls, and scoring model may still change.

Installation

Requirements
  • Python 3.10+
  • Terraform .tf files or CDK project
  • WAF++ Controls (YAML)
  • No cloud credentials required

From GitHub Release

Download the .whl artifact from the latest release and install via pip.

# Download from GitHub Releases
pip install wafpass-0.3.0-py3-none-any.whl
From Source

Clone the repository and install in editable mode. Works with pip or uv.

# Standard pip
pip install -e .

# Or with uv (faster)
uv pip install -e .
Quick Start
# 1. Download WAF++ controls into a local controls/ directory
#    (from the WAF++ framework repo or author your own YAML controls)

# 2. Run a scan against your IaC directory (Terraform default)
wafpass check ./infra/

# 3. Specify IaC framework explicitly
wafpass check ./infra/ --iac terraform

# 4. Multi-cloud / multi-path scan
wafpass check ./aws ./azure ./gcp

# 5. Launch the web UI dashboard
wafpass ui start
# → http://localhost:8080

# 6. Export a PDF compliance report
wafpass check ./infra/ --output pdf
CI/CD Integration

Use --fail-on fail to break pipelines on control failures. Native GitHub Actions and GitLab CI examples are available in the documentation. Intentional exceptions go in .wafpass-skip.yml and appear as WAIVED in reports without breaking CI.

Release History

v0.3.0 Beta (Current), March 2026
New Features
  • Web UI dashboard for compliance visualization
  • Mobile-responsive dashboard theme
  • Deployed regions in compliance output
  • Sandbox environment support
  • Risk acceptance (waivers) with justification
  • Auto-fix engine for automated remediation
  • Carbon footprint estimation (ESG)
  • Secret scanner with remediation guidance
  • Blast radius scoring per control
Fixes & Infrastructure
  • Favicon added to web UI
  • Permitted Git workflow documented
v0.1.1 Beta, March 2026
  • Release workflow corrected for GitHub Actions PyPI publishing
  • Release workflow fix attempt
v0.1.0 Beta, March 2026
New Features
  • Alicloud, Yandex Cloud, Oracle Cloud support
  • Executive summary & decision board in PDF reports
  • Multi/split report mode for per-pillar reports
  • Intentional skip support with skip file
  • Risk estimation in PDF reports
  • OpenStreetMap integration & regional spread map
  • Regulatory mapping (GDPR, BSI, ISO 27001)
Engine & Fixes
  • Dynamic pillar loading without code changes
  • PDF export of compliance results
  • Security pillar (Pillar 1) checks
  • Financial impact split into distinct root groups
  • CLI skip file path resolution corrected
Initial Commit, February 2026

WAFPass repository initialized.

Attack surface summary cards: Critical Paths (Internet-facing entry); High Severity (Significant risk paths); Entry Points: 5 (Public-facing surfaces); Data Stores at Risk: 4 (Potentially reachable).

Attack Graph (diagram; select a path card below to highlight its attack chain). Tiers from left to right: Internet, Perimeter, Application, Data Store, Core. Nodes: Internet Attacker; S3 Bucket (Public ACL); Load Balancer (Public ALB); EC2 Instance (Public IP); App Server (EC2/ECS); Lambda Function; ECS Container (ECS/Fargate); RDS Database (Critical Data); S3 Data (Private); DynamoDB Table; IAM Full Access; Secrets Manager Credentials; KMS Keys (Encryption).
Attack Chains

These exploit paths are illustrative attack chains based on common cloud misconfiguration patterns aligned to WAF++ controls. They represent theoretical attack scenarios; actual exploitability depends on your specific infrastructure configuration and compensating controls in place.

New Control wizard (7 steps)

  • Description: Describe in plain language what your infrastructure must enforce. This becomes the control description that engineers will read in scan results.
  • Pillar: Choose the security pillar this control belongs to. It determines the control ID prefix and how findings are categorised.
  • Control ID: Auto-suggested from the pillar prefix. Edit freely; it must be unique.
  • Control types: Select one or more control types that describe how this control is enforced. Choose all that apply. Select at least one type to continue.
  • Checks: Define individual checks that implement this control. Each check maps to a specific engine assertion. (No checks yet: click "+ Add check" to define a check.)
  • Review: Review the generated YAML before saving. Use Previous to go back and make edits.

Validation: when the control passes validation it is saved (demo mode) and is ready for export, via Export or Use with wafpass CLI; the summary lists ID, Pillar, Severity, Types and Checks. If validation fails: Go back and fix validation errors before saving.

How to Implement

Integration guide for WAF++ controls
WAF++ CLI is the primary way to run controls against Terraform infrastructure. Install it with pip and point it at your IaC.
1. Install
pip install wafpass
2. Run a scan
wafpass scan --path ./terraform
3. Get a score report
wafpass scan --path ./terraform --output json > results.json
From a local controls folder
Drop your YAML control files in a controls/ directory and point wafpass at it:
wafpass scan --path ./terraform --controls ./controls/
From wafpass-server (DB)
Start wafpass-server locally and use the --controls-db flag to pull custom controls:
# Start the server
docker run -p 8000:8000 ghcr.io/waf-plus-plus/wafpass-server:latest

# Scan using DB controls
wafpass scan --path ./terraform --controls-db http://localhost:8000
Push scan results to wafpass-server so this dashboard can visualise posture over time.
Push results to dashboard
wafpass scan --path ./terraform --push http://your-server:8000
View in dashboard
open http://your-server:8000
Use the Download Checkov Pack button to get Python stubs for all controls, then load them as external Checkov checks.
1. Install Checkov
pip install checkov
2. Download & extract the pack
# Click "Download Checkov Pack" above, then:
unzip wafpass_checkov_pack_*.zip
3. Run Checkov with custom checks
checkov -d ./terraform --external-checks-dir ./wafpass_checks/
Each Python stub in the pack is a BaseResourceCheck subclass with a scan_resource_conf method. Replace the raise NotImplementedError with your actual check logic.
Example stub
from checkov.common.models.enums import CheckCategories, CheckResult
from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck

class WafSec001(BaseResourceCheck):
    def __init__(self):
        # Name, category and resource type are illustrative; match them to the control the stub was generated for
        super().__init__(name="Bucket has server-side encryption", id="WAF-SEC-001",
                         categories=[CheckCategories.ENCRYPTION], supported_resources=["aws_s3_bucket"])
    def scan_resource_conf(self, conf):
        # Check that encryption is enabled (Terraform attribute values arrive as single-element lists)
        enc = conf.get("server_side_encryption_configuration", [{}])
        if enc and enc[0]:
            return CheckResult.PASSED
        return CheckResult.FAILED

check = WafSec001()  # Checkov picks up the module-level `check` instance from --external-checks-dir
Folder structure
wafpass_checks/
├── __init__.py
├── WAF-SEC-001.py
├── WAF-SEC-002.py
└── ...
Add WAF++ controls as a step in your GitHub Actions pipeline to enforce compliance on every PR.
GitHub Actions example
name: WAF++ Compliance Check

on: [pull_request]

jobs:
  checkov:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.11'

      - name: Install Checkov
        run: pip install checkov

      - name: Download WAF++ Checkov Pack
        run: |
          curl -sSL https://your-server:8000/api/checkov-pack \
            -o wafpass_checkov_pack.zip
          unzip wafpass_checkov_pack.zip

      - name: Run WAF++ Checkov checks
        run: |
          # --soft-fail reports findings without failing the job; drop it to block the PR on failures
          checkov -d ./terraform \
            --external-checks-dir ./wafpass_checks/ \
            --output github_failed_only \
            --soft-fail