Validate IaC.
Ship with confidence.
WAFPass automatically checks your infrastructure-as-code against WAF++ controls — Terraform, AWS CDK, and more. Static analysis. No cloud credentials. No runtime state. Results in seconds.
Platform · Architecture · Strategy · Standards
WAFPass applies four PASS perspectives as automated checks — making compliance decisions traceable, repeatable, and auditable across any cloud and any IaC framework.
Platform: Validates tagging strategies, resource configuration, and account-level guardrails — automatically, every run.
Architecture: Checks network topology, data residency, and sovereignty requirements against provider-neutral WAF++ controls.
Strategy: Enforces governance and cost policies as code — so strategic decisions hold over time and across teams.
Standards: Applies zero-trust principles, IAM least-privilege, encryption-at-rest, and security hardening controls directly to your IaC — evaluated per-resource with PASS, FAIL, SKIP, or WAIVED outcomes for every check. The most opinionated PASS perspective, backed by WAF++ security controls mapped to GDPR, BSI C5, ISO 27001, SOC 2, and HIPAA.
Not just Terraform
WAFPass uses a plugin architecture — the same controls work across multiple IaC frameworks without changing the engine or the YAML definitions.
Terraform: Parses .tf files with HCL2. Works before terraform apply — no plan file, no state, no cloud access required.
AWS CDK: Reads synthesised CloudFormation templates from cdk.out/. Run cdk synth, then WAFPass — no CDK CLI at runtime.
Other frameworks: Plugin skeletons are in place — ready for community contribution. The same YAML controls work once the plugin is implemented.
Multi-cloud: Pass multiple paths to scan IaC spread across providers in one run: wafpass check ./aws ./azure ./gcp — unified report.
From code to compliance in three steps
WAFPass follows a simple, predictable execution flow — no cloud access, no agents, no magic. Just your IaC files and the WAF++ controls.
Step 1: Run wafpass check <PATH> against a file or directory — Terraform .tf files or a CDK project (after cdk synth). Select the plugin with --iac terraform or --iac cdk. Multi-cloud: pass multiple paths in one command.
Step 2: WAFPass parses your IaC via the selected plugin and applies YAML control assertions across all 7 pillars using 20+ operators. Controls are engine-tagged — Terraform checks only run against Terraform, CDK checks against CDK. Filter by pillar, control ID, or severity.
Step 3: Every control produces PASS, FAIL, SKIP, or WAIVED — with clear remediation guidance for every failure and recorded justifications for intentional waivers. Aggregated into a PDF report ready for teams, ADRs, or auditors.
Built for real engineering workflows
WAFPass is a continuous compliance gate — not a checkbox tool. Every feature is built around how engineers actually ship infrastructure.
Automated Validation
20+ assertion operators evaluate IaC resources against controls — fully automated for static analysis, clearly flagged for runtime checks that require cloud state.
Pillar & Severity Filtering
Run checks for a single pillar, a set of control IDs, or a minimum severity level — --pillar cost, --controls WAF-SEC-001, --severity high.
CI/CD Integration
Native GitHub Actions and GitLab CI examples included. Configurable exit codes via --fail-on fail|skip|any — block merges on real violations only.
Intentional Waivers
Skip controls on purpose with a written justification in .wafpass-skip.yml. WAIVED controls appear in PDF reports and never break CI — even when expired, you get a warning, not a failure.
Remediation Guidance
Every FAIL includes clear guidance on what needs to change — no guessing, no manual cross-referencing. Guidance is part of the control YAML, so it's version-controlled too.
PDF Compliance Reports
Generate a shareable PDF with --output pdf. Includes findings, severity, remediation, and a waived-controls table — ready for auditors, ADRs, or security reviews.
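The three-step flow above, together with the --fail-on exit-code policy and the expiring waivers described under CI/CD Integration and Intentional Waivers, can be illustrated with a small engine of the same shape. The code below is an added example, not WAFPass's own code: the real tool parses HCL2 and YAML, whereas here the parsed resources, the control definitions, and the contents of the skip file are constructed inline as Python dicts, and the control field names, the three operator names, and the exact meaning of each --fail-on level are assumptions made for the illustration.

```python
"""Constructed illustration of an engine-tagged IaC control check:
per-resource assertions yield PASS / FAIL / SKIP / WAIVED, expired waivers
warn instead of failing, and a --fail-on style policy maps results to an
exit code. Added example; not WAFPass code. All data below is constructed."""
from datetime import date

# Stand-in for what an HCL2 parse of .tf files would produce (assumed shape).
RESOURCES = [
    {"type": "aws_s3_bucket", "name": "logs", "attrs": {"tags": {"owner": "sec"}}},
    {"type": "aws_s3_bucket", "name": "public",
     "attrs": {"acl": "public-read", "tags": {}}},
    {"type": "aws_db_instance", "name": "main",
     "attrs": {"storage_encrypted": False, "tags": {"owner": "data"}}},
]

# YAML-like control definitions in dict form (field names are assumptions;
# control IDs are placeholders, not real WAF++ identifiers).
CONTROLS = [
    {"id": "EX-SEC-ENC-001", "pillar": "security", "severity": "high",
     "engine": "terraform", "resource": "aws_db_instance",
     "assert": {"attr": "storage_encrypted", "op": "equals", "value": True},
     "remediation": "Set storage_encrypted = true on the RDS instance."},
    {"id": "EX-SEC-ACL-001", "pillar": "security", "severity": "high",
     "engine": "terraform", "resource": "aws_s3_bucket",
     "assert": {"attr": "acl", "op": "not_in",
                "value": ["public-read", "public-read-write"]},
     "remediation": "Remove the public ACL; block public access instead."},
    {"id": "EX-OPS-TAG-001", "pillar": "operational-excellence",
     "severity": "medium", "engine": "terraform", "resource": "aws_s3_bucket",
     "assert": {"attr": "tags.owner", "op": "exists"},
     "remediation": "Add an owner tag so the bucket has an accountable team."},
    {"id": "EX-REL-CDK-001", "pillar": "reliability", "severity": "low",
     "engine": "cdk", "resource": "AWS::S3::Bucket",
     "assert": {"attr": "VersioningConfiguration", "op": "exists"},
     "remediation": "Enable versioning on the bucket."},
]

# Constructed stand-in for a .wafpass-skip.yml: waiver keyed by control ID.
WAIVERS = {
    "EX-OPS-TAG-001": {"resource": "aws_s3_bucket.public",
                       "justification": "Temporary bucket for a migration.",
                       "expires": "2024-06-30"},
}


def get_attr(attrs, path):
    """Resolve a dotted path like 'tags.owner'; return (found, value)."""
    cur = attrs
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return False, None
        cur = cur[part]
    return True, cur


# Three of the assertion operators; each sees whether the attribute was found.
OPERATORS = {
    "equals": lambda found, actual, expected: found and actual == expected,
    "exists": lambda found, actual, expected: found,
    # An absent attribute cannot hold a forbidden value, so 'not_in' passes.
    "not_in": lambda found, actual, expected: (not found) or actual not in expected,
}


def evaluate(resources, controls, waivers, engine, today):
    """Apply every control tagged for `engine`; `today` is an ISO date string."""
    now = date.fromisoformat(today)
    results = []
    for ctrl in controls:
        if ctrl["engine"] != engine:  # engine-tagged: other plugins' checks skip
            results.append({"control": ctrl["id"], "resource": None, "outcome": "SKIP",
                            "message": f"tagged for engine {ctrl['engine']!r}"})
            continue
        a = ctrl["assert"]
        for res in (r for r in resources if r["type"] == ctrl["resource"]):
            addr = f"{res['type']}.{res['name']}"
            found, actual = get_attr(res["attrs"], a["attr"])
            if OPERATORS[a["op"]](found, actual, a.get("value")):
                results.append({"control": ctrl["id"], "resource": addr,
                                "outcome": "PASS", "message": ""})
                continue
            waiver = waivers.get(ctrl["id"])
            if waiver and waiver["resource"] == addr:
                msg = f"waived: {waiver['justification']}"
                if date.fromisoformat(waiver["expires"]) < now:
                    msg += f" (WARNING: waiver expired {waiver['expires']})"
                results.append({"control": ctrl["id"], "resource": addr,
                                "outcome": "WAIVED", "message": msg})
            else:
                results.append({"control": ctrl["id"], "resource": addr,
                                "outcome": "FAIL", "message": ctrl["remediation"]})
    return results


def summarize(results):
    """Count outcomes, e.g. {'PASS': 2, 'FAIL': 2, 'SKIP': 1, 'WAIVED': 1}."""
    counts = {}
    for r in results:
        counts[r["outcome"]] = counts.get(r["outcome"], 0) + 1
    return counts


def exit_code(results, fail_on="fail"):
    """Assumed --fail-on semantics: 'fail' blocks on FAIL, 'skip' on FAIL or
    SKIP, 'any' on anything but PASS; WAIVED never blocks, even when expired."""
    blocking = {"fail": {"FAIL"}, "skip": {"FAIL", "SKIP"}, "any": {"FAIL", "SKIP"}}
    return 1 if any(r["outcome"] in blocking[fail_on] for r in results) else 0


if __name__ == "__main__":
    report = evaluate(RESOURCES, CONTROLS, WAIVERS, "terraform", "2025-01-15")
    for r in report:
        print(f"{r['outcome']:6} {r['control']:15} {r['resource'] or '-':22} {r['message']}")
    print(summarize(report), "exit:", exit_code(report, "fail"))
```

Running it against the constructed input reports two PASS, two FAIL (the unencrypted database and the public ACL), one WAIVED with an expiry warning (the missing owner tag on the waived bucket), and one SKIP for the CDK-tagged control, giving exit code 1 under --fail-on fail. The expired waiver adds a warning line but does not change the exit code, which is the behaviour the page promises for WAIVED controls in CI.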
Simple to set up (Beta)
WAFPass requires Python 3.10+ and your existing IaC files. No cloud credentials, no runtime state — just your code and the controls.
Install with pip install -e . or uv pip install -e . (recommended). No cloud dependencies — runs anywhere Python runs.
Terraform .tf files or a CDK project with cdk.out/. Point at a single file, a directory, or multiple paths for multi-cloud scans.
Copy controls from the WAF++ framework repo into a local controls/ directory, or download them below. Author your own YAML controls — same format, same engine.
PyPI availability planned for the v1 release. Follow the project on GitHub for updates.
Maps to major frameworks
WAFPass controls are mapped to widely-used compliance frameworks — giving your PDF reports immediate context for auditors and stakeholders.
GDPR: Data residency, encryption, and access control requirements.
BSI C5: BSI Cloud Computing Compliance Criteria Catalogue.
ISO 27001: Systematic information security management controls.
SOC 2: Security, availability, and confidentiality controls.
Ready to validate your infrastructure?
Download the WAF++ controls, run WAFPass against your Terraform or CDK code, and get a full compliance report in minutes — no cloud access required.