Validate IaC.
Ship with confidence.
WAFPass automatically checks your infrastructure-as-code against WAF++ controls — Terraform, AWS CDK, and more. Static analysis. No cloud credentials. No runtime state. Results in seconds.
Platform · Architecture · Strategy · Standards
WAFPass applies four PASS perspectives as automated checks — making compliance decisions traceable, repeatable, and auditable across any cloud and any IaC framework.
Validates tagging strategies, resource configuration, and account-level guardrails — automatically, every run.
Checks network topology, data residency, and sovereignty requirements against provider-neutral WAF++ controls.
Enforces governance and cost policies as code — so strategic decisions hold over time and across teams.
Applies zero-trust principles, IAM least-privilege, encryption-at-rest, and security hardening controls directly to your IaC — evaluated per-resource with PASS, FAIL, SKIP, or WAIVED outcomes for every check. The most opinionated PASS perspective, backed by WAF++ security controls mapped to GDPR, BSI C5, ISO 27001, SOC 2, and HIPAA.
Not just Terraform
WAFPass uses a plugin architecture — the same controls work across multiple IaC frameworks without changing the engine or the YAML definitions.
Parses .tf files with HCL2. Works before terraform apply — no plan file, no state, no cloud access required.
Reads synthesised CloudFormation templates from cdk.out/. Run cdk synth, then WAFPass — no CDK CLI at runtime.
Plugin skeletons are in place — ready for community contribution. The same YAML controls work once the plugin is implemented.
Pass multiple paths to scan IaC spread across providers in one run: wafpass check ./aws ./azure ./gcp — unified report.
From code to compliance in three steps
WAFPass follows a simple, predictable execution flow — no cloud access, no agents, no magic. Just your IaC files and the WAF++ controls.
Run wafpass check <PATH> against a file or directory — Terraform .tf files or a CDK project (after cdk synth). Select the plugin with --iac terraform or --iac cdk. Multi-cloud: pass multiple paths in one command.
WAFPass parses your IaC via the selected plugin and applies YAML control assertions across all 7 pillars using 20+ operators. Controls are engine-tagged — Terraform checks only run against Terraform, CDK checks against CDK. Filter by pillar, control ID, or severity.
Every control produces PASS, FAIL, SKIP, or WAIVED — with clear remediation guidance for every failure and recorded justifications for intentional waivers. Aggregated into a PDF report ready for teams, ADRs, or auditors.
Three tools. One stack.
WAFPass v0.4.0 is a modular ecosystem — each component has a clear, independent responsibility and can be deployed standalone or together.
wafpass
CLI · Evaluation Engine · Python · Apache 2.0
The core of the ecosystem. Parses IaC (Terraform, AWS CDK), evaluates YAML controls across all 7 WAF++ pillars, and produces structured results. Every other component in the stack consumes what the CLI produces. Runs entirely offline — no cloud credentials, no runtime state.
wafpass-dashboard
React / Vite SPA · Docker + nginx · Apache 2.0
The browser-based visualisation layer. Connects to wafpass-server and renders control results, compliance state, exploit paths, Terraform plan changes, run history, waivers, risk acceptances, and audit events. Deployed as a self-contained Docker container served behind nginx — works standalone or as part of the full stack.
wafpass-server
FastAPI / PostgreSQL · Docker · Apache 2.0
The persistence and API layer. Stores run results, control metadata, secret findings, waivers, and risk acceptances in PostgreSQL. Exposes a typed REST API (with OpenAPI docs) consumed by wafpass-dashboard. Alembic migrations run automatically on container startup — no manual schema management required.
/api/docs
Production-ready Docker image with GitHub Actions release workflow
Each component is independently deployable. Use just the CLI for CI/CD pipelines. Add the server and dashboard when you want persistent history and visual exploration.
Full-stack visualisation layer
WAFPass v0.4.0 is a three-component architecture: the CLI remains the evaluation engine, wafpass-dashboard (React / Vite SPA, Docker + nginx) visualises results in the browser, and wafpass-server (FastAPI / PostgreSQL) persists runs, controls, waivers, risk acceptances, and secret findings via a REST API.
Dashboard, Compliance, Gap Analysis, Findings, Changes & Drift, Blast Radius, Secret Scanner, Module Scores, Cost Impact, Evidence, Audit Log, Run Comparison, Waivers, Risk Acceptance, Architect Sandbox, and more — each a dedicated page with filtering, drill-down, bulk actions, and deep links.
Visualises resource-level changes from a Terraform plan dry-run before terraform apply. A dedicated drift view surfaces controls that changed status between runs without a code change.
Attack chains that lead to a failing control state are visualised with severity badges and direct remediation links. Blast radius graphs show the propagation of failures across dependent resources.
Generate a self-contained timestamped HTML report with passing controls mapped to SOC2, ISO 27001, PCI-DSS, GDPR, BSI C5, and HIPAA — plus active waivers, risk acceptances, and audit event log. Print to PDF for submission.
wafpass-server stores run results, secret findings, waivers, and risk acceptances in PostgreSQL via Alembic-managed migrations. Containerised with automatic migration on startup — ready for production deployment.
Built for real engineering workflows
WAFPass is a continuous compliance gate — not a checkbox tool. Every feature is built around how engineers actually ship infrastructure.
Automated Validation
20+ assertion operators evaluate IaC resources against controls — fully automated for static analysis, clearly flagged for runtime checks that require cloud state.
Pillar & Severity Filtering
Run checks for a single pillar, a set of control IDs, or a minimum severity level — --pillar cost, --controls WAF-SEC-001, --severity high.
CI/CD Integration
Native GitHub Actions and GitLab CI examples included. Configurable exit codes via --fail-on fail|skip|any — block merges on real violations only.
Intentional Waivers
Skip controls on purpose with a written justification in .wafpass-skip.yml. WAIVED controls appear in PDF reports and never break CI — even when expired, you get a warning, not a failure.
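As an added illustration (not WAFPass's own code), the Python sketch below models the outcome handling described under CI/CD Integration and Intentional Waivers: a justified waiver turns FAIL or SKIP into WAIVED, an expired waiver only produces a warning, and the --fail-on mode decides the CI exit code. The control IDs other than WAF-SEC-001, the findings, the waiver schema and the exact --fail-on semantics are constructed assumptions for this example.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Result:
    control_id: str
    outcome: str    # PASS, FAIL, SKIP or WAIVED
    note: str = ""  # remediation guidance or waiver justification

# Constructed sample data. WAF-SEC-001 is the control ID quoted on the page;
# the other IDs, the findings and the waiver schema are assumptions.
SAMPLE_RESULTS = [
    Result("WAF-SEC-001", "FAIL", "Enable encryption at rest"),
    Result("WAF-SEC-002", "PASS"),
    Result("WAF-SEC-003", "SKIP", "Not evaluable statically"),
    Result("WAF-SEC-004", "FAIL", "Restrict 0.0.0.0/0 ingress"),
]
SAMPLE_WAIVERS = {  # stand-in for .wafpass-skip.yml entries (assumed shape)
    "WAF-SEC-004": {"justification": "Public ALB by design (ADR-012)", "expires": "2024-01-01"},
}

def apply_waivers(results, waivers, today):
    """Turn FAIL/SKIP into WAIVED where a justified waiver exists. An expired
    waiver still waives but adds a warning (waivers never break CI); an
    entry without a written justification is not honoured."""
    out, warnings = [], []
    for r in results:
        w = waivers.get(r.control_id)
        if r.outcome in ("FAIL", "SKIP") and w and w.get("justification"):
            if w.get("expires") and date.fromisoformat(w["expires"]) < today:
                warnings.append(f"{r.control_id}: waiver expired {w['expires']}")
            out.append(Result(r.control_id, "WAIVED", w["justification"]))
        else:
            out.append(r)
    return out, warnings

def summarize(results):
    counts = dict.fromkeys(("PASS", "FAIL", "SKIP", "WAIVED"), 0)
    for r in results:
        counts[r.outcome] += 1
    return counts

def exit_code(results, fail_on="fail"):
    """--fail-on model: 'fail' blocks on FAIL, 'skip' on FAIL or SKIP, 'any' on any
    non-PASS outcome; WAIVED never blocks, so 'skip' and 'any' coincide (assumed)."""
    blocking = {"fail": {"FAIL"}, "skip": {"FAIL", "SKIP"}, "any": {"FAIL", "SKIP"}}
    return 1 if any(r.outcome in blocking[fail_on] for r in results) else 0

def run(today_iso="2024-06-01", fail_on="fail"):
    results, warnings = apply_waivers(SAMPLE_RESULTS, SAMPLE_WAIVERS, date.fromisoformat(today_iso))
    return summarize(results), warnings, exit_code(results, fail_on)
```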
Remediation Guidance
Every FAIL includes clear guidance on what needs to change — no guessing, no manual cross-referencing. Guidance is part of the control YAML, so it's version-controlled too.
PDF Compliance Reports
Generate a shareable PDF with --output pdf. Includes findings, severity, remediation, and a waived-controls table — ready for auditors, ADRs, or security reviews.
Policy Version Tracking
Each control carries a policy version field. WAFPass detects stale controls that are out of date against the current framework version — keeping your control library in sync as WAF++ evolves.
Settings Persistence
CLI and dashboard settings — API URL, report preferences, thresholds — are persisted across sessions. Configure once per environment and never repeat yourself between runs.
Beyond pass and fail
WAFPass layers deep compliance intelligence on top of control checks — Terraform plan dry-run analysis, exploit path tracking, blast radius scoring, secret detection, drift detection, evidence packages, regulatory gap analysis, and environmental impact embedded into every scan.
Terraform Plan Analysis
WAFPass parses Terraform plan output and evaluates the security, compliance, and blast-radius impact of pending changes — before terraform apply runs. Catch regressions in your plan, not your production environment.
Exploit Path Analysis
Controls can expose the full attack chain that leads to a failing state — not just a binary result. Exploit paths are visualised in the dashboard with severity badges and direct remediation links, making risk prioritisation concrete.
Auto-fix Engine
For supported controls, WAFPass generates concrete remediation code — not just guidance text. Automated fixes are surfaced directly in the dashboard and CLI output, reducing the time from FAIL to merge.
Secret Scanner
Detects exposed secrets in IaC configurations — API keys, tokens, and credentials hardcoded in resource definitions or variable files — with actionable remediation guidance for every finding.
Blast Radius Assessment
Each control carries a blast radius score quantifying the potential failure impact. Teams can prioritise remediation by actual risk exposure, not just control severity or category.
Carbon Footprint & ESG
The ESG module estimates the carbon impact of each cloud workload decision. Tracked per control and included automatically in PDF compliance reports — sustainability evidence alongside security findings.
Simple to set up (Beta)
WAFPass requires Python 3.10+ and your existing IaC files. No cloud credentials, no runtime state — just your code and the controls.
Install from a GitHub release artifact (pip install wafpass-*.whl) or from source after cloning (pip install -e . / uv pip install -e .). No cloud dependencies — runs anywhere Python runs.
Terraform .tf files or a CDK project with cdk.out/. Point at a single file, a directory, or multiple paths for multi-cloud scans.
Copy controls from the WAF++ framework repo into a local controls/ directory, or download them below. Author your own YAML controls — same format, same engine.
PyPI will be available with v1.0. For now, install via a GitHub release artifact (latest: v0.4.0) or from source.
Maps to major frameworks
WAFPass controls are mapped to widely-used compliance frameworks — giving your PDF reports immediate context for auditors and stakeholders.
GDPR: Data residency, encryption, and access control requirements.
BSI C5: BSI Cloud Computing Compliance Criteria Catalogue.
ISO 27001: Systematic information security management controls.
SOC 2: Security, availability, and confidentiality controls.
Ready to validate your infrastructure?
Download the WAF++ controls, run WAFPass against your Terraform or CDK code, and get a full compliance report in minutes — no cloud access required.