Infrastructure compliance,
fully visualized.
WAFPass 1.0 is the complete compliance platform for modern infrastructure. Parse your IaC, evaluate controls, explore results in the browser, and generate auditor-ready reports — all in one integrated stack.
Three layers. One compliance workflow.
WAFPass isn't just a CLI — it's a three-layer stack for engineering teams who need continuous compliance without compromising speed.
CLI Engine
The core evaluation engine. Parses Terraform, AWS CDK, and more. Runs in CI/CD pipelines. No cloud credentials needed.
Dashboard
22+ pages of visual exploration. Findings, drift, exploit paths, secret scanner results — explore everything and export evidence packages.
Server API
FastAPI persistence layer. Stores runs, waivers, risk acceptances, secrets, and audit events. PostgreSQL with automatic migrations.
One pane of glass for every region.
The Global Operations Center gives compliance leads and CISOs a real-time view of the entire compliance posture — across all projects, regions, and deployment stages.
Drill from global heat-map to a single failing control.
Color-coded region tiles instantly show where your infrastructure stands. A red tile means active findings — click to navigate directly to the failing controls, the project they belong to, and the engineer responsible.
Track deployment spread, sovereign boundaries, and cross-region compliance deltas — without switching between cloud consoles or manual spreadsheets.
Every view tells you what to do next.
WAFPass surfaces compliance data in ways that make the next action obvious — whether you're a CISO reviewing posture or an engineer fixing a FAIL.
Every compliance run, tracked in real time.
Every time WAFPass evaluates your infrastructure, a fully documented run is created — with timestamps, changed controls, pillar-level pass rates, and the team member who triggered it.
Compare runs side-by-side to catch regressions instantly. Each run links directly to the full passport for the evaluated project, so nothing slips through unnoticed.
Never ship a hardcoded credential.
WAFPass scans every IaC file for hardcoded API keys, tokens, passwords, and certificates — before they reach your repository or your cloud.
Each finding includes the exact file path, line number, matched pattern, and remediation guidance. Built-in suppression with a full audit trail.
Audit evidence, generated automatically.
Every compliance run produces evidence packages that map directly to your certification frameworks. The Evidence Locker organizes them by framework, control, and date — always up to date, always ready to share.
Share read-only evidence links with auditors without exporting anything manually. Packages include pass/fail summaries, waiver documentation, and timestamped screenshots.
From finding to fix — faster.
Every FAIL opens a structured sprint plan. Findings are grouped by pillar and severity, auto-fix suggestions are generated for the most common patterns, and ownership is assigned in seconds.
Track progress as findings close. Each fix links back to the triggering run, the responsible team member, and the associated Jira or RFC ticket — nothing falls off the radar.
Compliance metrics that live in your pipeline.
WAFPass tracks control pass rates across every CI/CD run. Trend lines per pillar show whether your compliance posture is improving or degrading — run after run, sprint after sprint.
Set threshold gates: a pipeline stage fails if a pillar drops below a configured pass-rate target. Every gate decision is logged and fully traceable back to the code change that caused it.
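As an added illustration (not WAFPass's own code; the page does not show its run output format), the gate described above can be computed per pillar from a constructed set of control results, with every decision recorded against the commit that produced it. It assumes SKIP results are excluded from the denominator, WAIVED results count as passing, and a gated pillar with no evaluated controls fails closed.

```python
"""Per-pillar pass-rate gate, written as a standalone illustration (not WAFPass code).

Assumptions (not taken from the page): each control result is a dict with
'id', 'pillar' and 'outcome'; SKIP is excluded from the denominator, WAIVED
counts as passing (a documented, accepted exception), and a gated pillar with
nothing evaluated fails closed rather than silently passing.
"""
from collections import defaultdict

# Constructed sample run, not real WAFPass output.
SAMPLE_RUN = [
    {"id": "SEC-001", "pillar": "SEC", "outcome": "PASS"},
    {"id": "SEC-002", "pillar": "SEC", "outcome": "FAIL"},
    {"id": "SEC-003", "pillar": "SEC", "outcome": "WAIVED"},
    {"id": "SEC-004", "pillar": "SEC", "outcome": "PASS"},
    {"id": "SOV-001", "pillar": "SOV", "outcome": "SKIP"},
    {"id": "SOV-002", "pillar": "SOV", "outcome": "FAIL"},
    {"id": "COST-001", "pillar": "COST", "outcome": "PASS"},
]

# Hypothetical gate configuration: minimum pass rate per pillar.
GATES = {"SEC": 0.75, "SOV": 0.50, "COST": 0.90}


def pillar_pass_rates(results):
    """Return {pillar: pass_rate}; SKIP excluded, WAIVED counted as a pass."""
    counts = defaultdict(lambda: [0, 0])  # pillar -> [passing, evaluated]
    for r in results:
        if r["outcome"] == "SKIP":
            continue
        counts[r["pillar"]][1] += 1
        if r["outcome"] in ("PASS", "WAIVED"):
            counts[r["pillar"]][0] += 1
    return {p: ok / total for p, (ok, total) in counts.items() if total}


def evaluate_gates(results, gates, commit_sha):
    """Return (stage_passes, decision_log); each log entry names the commit."""
    rates = pillar_pass_rates(results)
    log = []
    for pillar, threshold in gates.items():
        rate = rates.get(pillar)
        # A pillar with no evaluated controls has rate None and fails closed.
        passed = rate is not None and rate >= threshold
        log.append({"pillar": pillar, "threshold": threshold, "passed": passed,
                    "rate": None if rate is None else round(rate, 3),
                    "commit": commit_sha})
    return all(d["passed"] for d in log), log
```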
See where you are. Know where to go.
The Maturity Journey maps your current compliance posture against the WAF++ maturity model — from baseline through to advanced governance. Each level shows what's implemented, what's missing, and what the next milestone looks like.
Track your team's compliance progress over time.
The Maturity Journey view visualizes your path from initial baseline controls to full governance maturity. Each stage is tied to specific WAF++ pillars, so you always know which controls to prioritize next.
Generate maturity reports for leadership or certification auditors that clearly show the arc of progress — not just a point-in-time snapshot, but a trajectory with milestones and dates.
Built for every role on your team.
From the CISO who needs the executive view to the engineer who needs the line-level detail — WAFPass has a view for every stakeholder.
Controls Overview
Browse, filter, and search every WAF++ control by pillar, severity, and framework mapping. See exactly which controls cover which compliance requirements — at a glance.
Module Breakdown
Per-Terraform-module pass rate. See which modules drive the most failures — prioritise remediation by actual impact, not just control count or severity score.
API Key Management
Issue, rotate, and revoke API keys per project. Scope keys to read-only or read-write. Every key action is logged with the issuing user and timestamp.
SSO & Identity
SAML 2.0 and OIDC integration out of the box. Map identity provider groups to WAFPass roles automatically — no manual user provisioning required.
Project & User Mapping
Assign engineers to projects with fine-grained permissions. Visibility is scoped to what each role actually needs — no over-exposure of sensitive compliance data.
Run Check Overview
Drill into the individual control results for any run. Filter by PASS, FAIL, SKIP, or WAIVED. Sort by pillar, severity, or blast radius and export for reporting.
A full compliance record for every project.
Each project gets a Compliance Passport — a structured record of its current posture, historical runs, waiver log, and framework mappings. It's the single source of truth for auditors and your team.
One document. Every compliance fact.
The Passport Details view consolidates every piece of evidence for a project into a single, exportable document — control results, waiver history, framework coverage, and risk acceptances with approver signatures.
Share a read-only passport link with certification auditors. Everything they need is in one place, structured exactly how frameworks require it. No manual assembly, no spreadsheets.
Four perspectives. One compliance standard.
WAFPass evaluates your infrastructure through four complementary lenses — making compliance decisions traceable, repeatable, and auditable.
P — Platform
Baseline Controls
Tagging strategies, resource configuration, account-level guardrails — automatically evaluated on every run.
S — Strategy
Governance as Code
Policy enforcement as code — strategic decisions remain consistent over time and across teams.
A — Architecture
Network & Residency
Network topology, data residency, sovereignty — provider-neutral WAF++ controls.
S — Standards
Zero-Trust Security
IAM least-privilege, encryption-at-rest, hardening controls — outcomes: PASS, FAIL, SKIP, WAIVED.
Beyond pass and fail.
WAFPass layers deep compliance intelligence on top of control checks — making risk prioritisation concrete and actionable.
Terraform Plan Analysis
Parse plan output and evaluate security, compliance, and blast-radius impact of pending changes — before terraform apply.
Exploit Path Analysis
Visualise attack chains that lead to failing controls. Severity badges and direct remediation links make risk prioritisation concrete.
Blast Radius Assessment
Each control carries a blast radius score quantifying potential failure impact. Prioritise remediation by actual risk exposure, not arbitrary severity.
Drift Detection
Controls that change status between runs without explicit code changes are surfaced instantly — caught before production drift becomes a problem.
Carbon Footprint & ESG
The ESG module estimates the carbon impact of each cloud workload decision. Tracked per control and included in PDF compliance reports.
Waivers & Risk Acceptance
Intentionally skip controls with written justification. Risk acceptances include approver, RFC/Jira links, expiry dates — fully traceable.
Controls Upgrade
When new WAF++ controls ship, see exactly what changed, which controls are new, and what the posture impact will be — before you upgrade your control set.
Deployed Region Map
Track which cloud regions have active deployments, their compliance status, and which projects are mapped to each region — from a single operations view.
How the components connect.
Each component is independently deployable. Use just the CLI for CI/CD pipelines. Add server and dashboard when you need persistent history and visual exploration.
Parsers: Terraform, AWS CDK
Pillars: SEC, COST, PERF, REL, OPS, SUS, SOV, AGENTIC
Rule operators: Equals, not, exists, cidr, range, and more
Deploy in minutes, not days.
The Implementation Overview walks through every step — from installing the CLI to connecting the server and spinning up the dashboard. Each component has a dedicated setup path for local, Docker, and Kubernetes deployments.
First-run detection guides new teams through project creation and initial control evaluation automatically. No blank-slate configuration required to get your first compliance run.
Your global infrastructure footprint, in one view.
The Deployed Region Map shows every active cloud region where WAFPass-evaluated infrastructure lives. Compliance status, project count, and sovereignty zone are visible per region — without clicking into individual projects.
Ideal for cloud architects and compliance officers who need to understand where data is processed, stored, and evaluated, in relation to GDPR residency requirements or sovereign cloud constraints.
Upgrade your controls with confidence.
When new WAF++ controls ship, the Controls Upgrade view shows exactly what's changed — new controls added, existing controls modified, and deprecated controls flagged. Preview the full posture impact before you apply the upgrade.
Upgrade incrementally or all-at-once. Rollback is always available, and every upgrade is logged with the user who applied it, the controls changed, and the resulting posture delta.
Ready to validate your infrastructure?
Download the WAF++ controls, run WAFPass against your Terraform or CDK code, and get a full compliance report in minutes.