
No scan results yet

Run a scan against your IaC directory to see your security posture.

WAF++ Score (/100)
Score by Pillar
Cloud Footprint
Regions
Failed Controls by Severity
Critical & High Failures
No critical or high failures — great work!
Pass Rate by Category
Run a scan to see category breakdown.
Regulatory Readiness
No regulatory mappings found in scan results.
Architectural Debt Heatmap
Low
High
Quick Wins
Medium & low severity failures — lower effort to remediate
No controls match your filters.

No scan results yet. Run a scan first.

Control Pillar Severity Status Checks

Run a scan to see pass/fail compliance status per jurisdiction. Control mappings are shown regardless.

No regulatory mappings found in control library.

Waivers allow you to intentionally accept risk for specific controls. They are exported as .wafpass-skip.yml.

No waivers configured. Add waivers from the Controls Library.
Total Accepted
Active
Expiring in 30d
Overdue / Expired

Formal risk acceptances require approver sign-off, an RFC or ticket reference, and a defined residual risk level.

No risk acceptances recorded. Click Add Risk Acceptance to begin.

Tip: Only controls with findings will impact your score.

Approval
Risk Classification
Timeline

Required fields: Control, Justification, Approver

Deployed Regions

Region List

No deployed regions detected. Run a scan first to see cloud region data.

Load a template or paste your Terraform,
then click Run Sandbox Scan.


Remediation ROI industry benchmarks
Est. Annual Risk
if left unaddressed
Savings if Fixed
estimated risk reduction
Fix Effort
engineering hours est.
Controls to Fix
failing controls
/100
Pass
Fail
Skip
No controls matched the code. Try a different template or pillar filter.

Scan Configuration

Absolute or relative path to your Terraform (or other IaC) files.

Maturity Level

Select the level that reflects your organisation's current cloud compliance posture. Selecting a level pre-configures recommended feature defaults — you can still adjust any setting individually below.

Level 1
Foundational
Getting started with cloud compliance
  • Critical & High severity only
  • Security & Cost pillars (P1–P2)
  • Fast feedback, minimal overhead
  • Intelligence features off
  • No regulatory framework req.
Startup / Early-stage
Level 2
Operational
Running compliance as standard practice
  • Medium+ severity, all active pillars
  • Waivers, risk register, PDF reports
  • Secret scanner + blast radius on
  • GDPR, BSI C5, ISO 27001 mapped
  • Auto-fix & ESG tracking off
Frameworks mapped: GDPR, BSI C5, ISO 27001
Level 3
Optimised
Continuous compliance at scale
  • All severities, all 7 pillars
  • Full intelligence suite enabled
  • Auto-fix engine + ESG/carbon tracking
  • Full audit trail, multi-pillar reports
  • All regulatory frameworks mapped
Frameworks mapped: GDPR, BSI C5, ISO 27001, SOC 2, NIS2, HIPAA

General Settings

Scan Defaults

These defaults pre-fill the Run Scan form and are passed as CLI flags when generating commands.

Intelligence Features

Enhanced analysis modules that run alongside the core control checks. Disabling them speeds up scans in resource-constrained environments.

Secret Scanner
Detect exposed API keys and credentials in IaC
Auto-fix Engine (alpha)
Generate concrete remediation patches for FAIL controls
Carbon & ESG Tracking
Estimate carbon footprint per control, included in PDF
Blast Radius Display
Show impact score per control to prioritise remediation
Reporting

Control how scan results are presented and exported.

Auto-open PDF after export
Automatically open the generated PDF report in a new tab

Settings are persisted in browser local storage and survive page reloads.

Public beta — WAFPass v1.0 is planned alongside Framework v1.0, shortly before 12 May 2026. All versions below v1.0 are beta. The API, controls, and scoring model may still change.

Installation

Requirements
  • Python 3.10+
  • Terraform .tf files or CDK project
  • WAF++ Controls (YAML)
  • No cloud credentials required
From GitHub Release

Download the .whl artifact from the latest release and install it via pip.

# Download from GitHub Releases
pip install wafpass-0.3.0-py3-none-any.whl
From Source

Clone the repository and install in editable mode. Works with pip or uv.

# Standard pip
pip install -e .

# Or with uv (faster)
uv pip install -e .
Quick Start
# 1. Download WAF++ controls into a local controls/ directory
#    (from the WAF++ framework repo or author your own YAML controls)

# 2. Run a scan against your IaC directory (Terraform default)
wafpass check ./infra/

# 3. Specify IaC framework explicitly
wafpass check ./infra/ --iac terraform

# 4. Multi-cloud / multi-path scan
wafpass check ./aws ./azure ./gcp

# 5. Launch the web UI dashboard
wafpass ui start
# → http://localhost:8080

# 6. Export a PDF compliance report
wafpass check ./infra/ --output pdf
CI/CD Integration

Use --fail-on fail to break pipelines on control failures. Native GitHub Actions and GitLab CI examples are available in the documentation. Intentional exceptions go in .wafpass-skip.yml and appear as WAIVED in reports without breaking CI.
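The gate semantics described above (break the pipeline on failing controls, but let waived controls through as WAIVED) can be modelled in a few lines. The following is an added example, not WAFPass code: the scan-output shape, the waiver keys and the severity-threshold variant of `fail_on` are all assumptions, since the page documents only `--fail-on fail` and the `.wafpass-skip.yml` file name, not their formats.

```python
"""Minimal model of a CI compliance gate over scan findings.

Added example; not WAFPass code. The finding and waiver shapes below are
constructed for illustration: the scanner's real output format and the
.wafpass-skip.yml schema are not shown on the page.
"""
from __future__ import annotations

import json
from dataclasses import dataclass

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample scan output (assumed shape, not the tool's real format).
SAMPLE_SCAN_JSON = json.dumps([
    {"control": "SEC-001", "severity": "critical", "status": "FAIL",
     "resource": "aws_s3_bucket.logs"},
    {"control": "SEC-014", "severity": "high", "status": "FAIL",
     "resource": "aws_security_group.web"},
    {"control": "COST-003", "severity": "low", "status": "FAIL",
     "resource": "aws_instance.batch"},
    {"control": "SEC-020", "severity": "medium", "status": "PASS",
     "resource": "aws_db_instance.main"},
])

# Constructed waiver list standing in for .wafpass-skip.yml (assumed keys).
SAMPLE_WAIVERS = [
    {"control": "SEC-014", "resource": "aws_security_group.web",
     "justification": "Legacy bastion host, tracked in ticket INFRA-123",
     "approver": "ciso"},
]


@dataclass(frozen=True)
class Finding:
    control: str
    severity: str
    status: str  # PASS, FAIL or WAIVED
    resource: str


def load_findings(scan_json: str) -> list[Finding]:
    """Parse the (constructed) scan output into Finding records."""
    return [Finding(**f) for f in json.loads(scan_json)]


def apply_waivers(findings: list[Finding], waivers: list[dict]) -> list[Finding]:
    """Turn a FAIL into WAIVED when a waiver names its control.

    A waiver without a "resource" key matches every resource of that control;
    one with a "resource" key matches only that resource.
    """
    out = []
    for f in findings:
        waived = any(
            w["control"] == f.control and w.get("resource", f.resource) == f.resource
            for w in waivers
        )
        if f.status == "FAIL" and waived:
            out.append(Finding(f.control, f.severity, "WAIVED", f.resource))
        else:
            out.append(f)
    return out


def gate_exit_code(findings: list[Finding], fail_on: str = "fail") -> int:
    """Return 1 when the pipeline should break, 0 otherwise.

    fail_on="fail" breaks on any FAIL (the page's documented mode). Passing a
    severity name ("high", "critical", ...) breaks only on FAILs at or above
    that severity; this threshold mode is an assumed extension, not a
    documented flag value. WAIVED findings never break the build.
    """
    threshold = 0 if fail_on == "fail" else SEVERITY_RANK[fail_on]
    for f in findings:
        if f.status == "FAIL" and SEVERITY_RANK[f.severity] >= threshold:
            return 1
    return 0


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per status, as a report footer would."""
    counts = {"PASS": 0, "FAIL": 0, "WAIVED": 0}
    for f in findings:
        counts[f.status] += 1
    return counts


if __name__ == "__main__":
    gated = apply_waivers(load_findings(SAMPLE_SCAN_JSON), SAMPLE_WAIVERS)
    for f in gated:
        print(f"{f.status:6} {f.severity:8} {f.control:9} {f.resource}")
    print(summarize(gated), "exit code:", gate_exit_code(gated))
```

Run stand-alone it prints one line per control and the gate decision: the waived security-group finding shows as WAIVED, while the unwaived critical S3 finding still returns exit code 1, so the waiver is visible in the report without hiding the remaining failures.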

Release History

v0.3.0 Beta (current), March 2026
New Features
  • Web UI dashboard for compliance visualization
  • Mobile-responsive dashboard theme
  • Deployed regions in compliance output
  • Sandbox environment support
  • Risk acceptance (waivers) with justification
  • Auto-fix engine for automated remediation
  • Carbon footprint estimation (ESG)
  • Secret scanner with remediation guidance
  • Blast radius scoring per control
Fixes & Infrastructure
  • Favicon added to web UI
  • Permitted Git workflow documented
v0.1.1 Beta, March 2026
  • Release workflow corrected for GitHub Actions PyPI publishing
  • Release workflow fix attempt
v0.1.0 Beta, March 2026
New Features
  • Alicloud, Yandex Cloud, Oracle Cloud support
  • Executive summary & decision board in PDF reports
  • Multi/split report mode for per-pillar reports
  • Intentional skip support with skip file
  • Risk estimation in PDF reports
  • OpenStreetMap integration & regional spread map
  • Regulatory mapping (GDPR, BSI, ISO 27001)
Engine & Fixes
  • Dynamic pillar loading without code changes
  • PDF export of compliance results
  • Security pillar (Pillar 1) checks
  • Financial impact split into distinct root groups
  • CLI skip file path resolution corrected
Initial Commit, February 2026

WAFPass repository initialized.

No Scan Results Yet
Run a scan first — exploit paths are derived from your actual failing controls and affected resources.
Critical Paths
Internet-facing entry
High Severity
Significant risk paths
Affected Resources
Unique failing resources
Active Chains
Based on current scan

No active exploit chains detected — no relevant security controls are currently failing in this scan.

Attack Surface
Tiers: INTERNET → PERIMETER → APPLICATION → DATA STORE → CORE
Attack Graph
Select a path card below to highlight its attack chain
[Attack graph figure; node labels recovered from the rendered diagram, in figure order]
  • Internet Attacker
  • S3 Bucket (Public ACL)
  • ALB Load Balancer (Public)
  • EC2 Instance (Public IP)
  • App Server (EC2/ECS)
  • Lambda Function
  • ECS Container (ECS/Fargate)
  • RDS Database (Critical Data)
  • S3 Data (Private)
  • DynamoDB Table
  • IAM (Full Access)
  • Secrets Mgr (Credentials)
  • KMS Keys (Encryption)
Attack Chains

Exploit chains are derived from controls that are actively failing in your scan. Affected resources shown are the specific Terraform resources that triggered failures. Exploitability depends on your runtime compensating controls and network configuration beyond IaC scope.


WAF++ Flight Operations Center

Your Maturity Journey

Every aircraft that carries passengers through the sky began as metal in a hangar with an incomplete maintenance log. This is the story of your cloud infrastructure — from ground crew to cruise altitude.

Current Altitude
Flight Stage
Maturity Level
Boarding Pass · Project Passport
From
LGCY
Legacy IaC
To
EXCL
Cloud Excellence
Passenger
Gate
Seat
Controls
Waivers
Risk Acc.
Flight No.
WAF-PASS

Aircraft is in the hangar

Run your first scan to begin the journey and receive your boarding pass.

Flight Map

Six stages from cold metal to cruising altitude. Your current position is shown below.

The Story of Each Stage

Click any stage to expand the full narrative and control focus areas.

Stage 0 — The Hangar (Score: 0 – 19 pts)
"The aircraft sits in the hangar. Nobody has run a preflight check."

The Situation

The aircraft sits in the hangar. Maintenance logs are incomplete. The pre-flight checklist hasn't been run. No clearance has been requested from the control tower. This isn't an aircraft ready to carry passengers — it's metal waiting to be prepared.

In infrastructure terms: public buckets, no encryption, default credentials, no logging. An attacker doesn't need to be sophisticated here — they just need to show up. The threat model is "everyone," and the blast radius is "everything."

Priority Controls

  • Install WAF++ and run your first scan — get a baseline score
  • Eliminate all S3 public-access, exposed databases, public ACLs
  • Enable encryption at rest on all storage resources
  • Enforce TLS/HTTPS everywhere — no plaintext transport
  • Enable CloudTrail / audit logging — if you can't see it, you can't defend it
Stage 1 — Pre-Flight Check (Score: 20 – 39 pts)
"Ground crew has arrived. Each system gets a pass or a red flag."

The Situation

The ground crew has arrived. Fuel checks, tire pressure, hydraulic fluid — each system gets evaluated. You're not ready to fly yet, but you know exactly what needs fixing.

The most dangerous aircraft isn't the one with known problems — it's the one where nobody looked. You've looked. Now the work of resolving the critical red flags begins in earnest. IAM policies need tightening. Secrets are drifting through environment variables. Encryption is patchy.

Good news: every finding is an opportunity. You have a manifest. Work the list.

Priority Controls

  • Tighten IAM — no wildcards on critical actions, no *:* policies
  • Enable secret scanning — rotate any secrets found in IaC immediately
  • Lock down security groups — default-deny inbound, whitelist only what's required
  • VPC flow logs — understand all traffic before you trust any traffic
  • Enable MFA on all privileged accounts — passwords alone are not a door, they're a note on a door
Stage 2 — Boarding & Taxi (Score: 40 – 59 pts)
"Boarding complete. Taxi to runway. Control tower has you on radar."

The Situation

Passengers are boarded. Doors are armed. You've requested taxi clearance and control tower has you on radar. There's still turbulence ahead — some systems aren't where they need to be — but the aircraft is moving under its own power, and the crew knows the plan.

This is where operational discipline begins to differentiate teams. The risk register is no longer "we have no idea" — it's a formal document. Waivers are documented, not hidden. Someone has signed their name next to the accepted risks. That accountability matters.

You're on the taxiway. The runway is ahead. Don't take off with a door still open.

Priority Controls

  • Formalize risk acceptances — every accepted risk needs an approver, a reason, and an expiry
  • Deploy WAF in front of all internet-facing workloads — web application firewall, not cloud-native defaults
  • Enable backup policies — RTO/RPO targets need to be enforced by configuration, not prayer
  • Tag every resource — cost accountability is security accountability
  • Understand your blast radius — use the Exploit Paths visualizer now
Stage 3 — Takeoff Roll (Score: 60 – 74 pts)
"V1 — no turning back. Engines at full thrust. The runway is disappearing."

The Situation

V1. No turning back. The engines are at full thrust, the runway is disappearing beneath you, and the nose is beginning to lift. You've committed to the flight.

At this stage, automated gates mean new IaC can't bypass the checklist. WAF++ is running in CI/CD. Every pull request goes through the same controls your production environment enforces. The ground crew doesn't just check the aircraft before each flight — they're embedded in the engineering process.

Compliance frameworks are no longer aspirational — GDPR and ISO 27001 coverage is measurable, reportable, and mapped. Auditors get a PDF. Engineers get a CI gate.

Priority Controls

  • Integrate wafpass check into CI/CD — fail pipelines on critical findings
  • Upgrade to Operational maturity level in Settings — unlock blast radius and advanced controls
  • Map compliance frameworks — run the Compliance Matrix export for GDPR, ISO 27001
  • Multi-region deployment strategies — single region is a single point of failure
  • Implement cost anomaly detection — unexpected spend is often the first signal of a compromise
Stage 4 — Cruise Altitude (Score: 75 – 89 pts)
"35,000 feet. Autopilot engaged. Coffee is being served in business class."

The Situation

Altitude captured. Autopilot engaged. The cabin crew is serving drinks. Your infrastructure is being actively monitored, risks are formally accepted and documented, and new deployments are gated against the control library. You are, in aviation terms, en route.

The difference between here and the previous stage isn't just score — it's culture. Security has moved left. It's not a review at the end of the sprint; it's a constraint at the beginning. Engineers ask "does this pass the WAF?" before they write the Terraform.

Sovereignty controls are active. You know exactly where your data lives and why. Carbon tracking gives you a second metric to optimize around. Performance baselines exist.

Priority Controls

  • Activate Optimised maturity level — enable Auto-Fix, carbon tracking, full pillar coverage
  • Data residency controls — ensure all PII/sensitive data has explicit region locking
  • Performance right-sizing — over-provisioned resources are wasted budget and attack surface
  • BSI C5 and EUCS coverage — prepare for European regulatory requirements proactively
  • Architect the Sandbox test suite — run new patterns through the sandbox before deploying
Stage 5 — Final Approach (Score: 90 – 100 pts)
"Flaps down. ILS locked. ATC cleared you for landing. You've earned your PASS."

The Situation

Flaps down. Landing gear extended. ILS signal locked. ATC has cleared you for landing. Your security posture is optimized — the controls are green, the waivers are documented, the compliance matrix is mapped, and the risk register is current.

You've earned your WAF++ PASS. This is what a cleared aircraft looks like: every system checked, every risk formally acknowledged, every framework covered. Security is not something that happens to your infrastructure — it's something your infrastructure is.

The runway is behind you. The hangar is a distant memory. The only remaining flight plan is continuous improvement — because the destination is a standard, not a location. Every new service provisioned is a new pre-flight check.

The Excellence Standard

  • All critical and high controls passing — zero unacknowledged critical findings
  • All compliance frameworks mapped and reportable — GDPR, ISO 27001, BSI C5, EUCS
  • Risk acceptance register complete — every accepted risk has an owner, RFC, and expiry
  • Continuous scanning in CI/CD — no deployment lands without a passing WAF score
  • Optimised maturity level active — sustainability, performance, and auto-fix enabled

Project Passport

Compliance frameworks and infrastructure pillars you've cleared. Each stamp is earned, not assumed.

Compliance Frameworks
Infrastructure Pillars

Next Waypoints

The top failing controls on your current heading. Clear these to advance your stage.

No active waypoints — all controls are cleared

Every failing control has been resolved, waived, or formally accepted. You are cleared for final approach.

Flight Manual · Chapter 1

Why This Journey Matters

Cloud security isn't a checklist you complete once. It's an operating standard you maintain continuously. The WAF++ control library encodes the collective knowledge of cloud security into executable, automatable checks. Each control represents a class of attack, a compliance requirement, or an operational failure mode that has been observed, documented, and encoded into policy.

Flight Manual · Chapter 2

How Scoring Works

The score is weighted by severity. Critical findings carry 10× the weight of low findings. A single unpatched critical IAM misconfiguration suppresses the score more than ten low-severity tagging violations. This is intentional — not all risks are equal, and your roadmap should reflect that reality. Fix the critical controls first. The score will follow.

Flight Manual · Chapter 3

When to Accept Risk

Not every control can be immediately remediated. Legacy systems, vendor constraints, and architectural trade-offs are real. The WAF++ risk acceptance workflow exists precisely for these cases — document the risk, name the approver, set an expiry. A waiver with an owner and a date is infinitely better than an undocumented deviation. Formal acceptance is not a failure state. It's operational maturity.
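Chapter 2 (severity-weighted scoring) and Chapter 3 (risk acceptance with an approver and an expiry) can be made concrete together. The following is an added example, not the WAFPass scoring model or its skip-file schema: the page states only that critical findings carry 10× the weight of low ones, so the medium and high weights, the pass-weight-over-total-weight formula, the exclusion of WAIVED controls from the denominator, and the record keys are all assumptions. The required fields follow the dashboard's own wording (Control, Justification, Approver for a waiver; additionally a ticket reference, a residual risk level and an expiry for a formal risk acceptance).

```python
"""Severity-weighted score and risk-acceptance checks.

Added example; not the WAFPass scoring model or skip-file schema. Only the
10:1 critical-to-low ratio comes from the page; everything else is assumed.
"""
from __future__ import annotations

from datetime import date, timedelta

# Assumed weights: the page fixes only critical = 10 x low.
WEIGHTS = {"low": 1, "medium": 3, "high": 6, "critical": 10}


def weighted_score(results: list[tuple[str, str]]) -> float:
    """Score = 100 * passing weight / total weight, rounded to one decimal.

    `results` holds (severity, status) pairs. WAIVED and SKIP controls are
    left out of both numerator and denominator (assumption): an accepted risk
    neither helps nor hurts the score, it is simply documented elsewhere.
    """
    total = passed = 0
    for severity, status in results:
        if status not in ("PASS", "FAIL"):
            continue
        weight = WEIGHTS[severity]
        total += weight
        if status == "PASS":
            passed += weight
    return 100.0 if total == 0 else round(100.0 * passed / total, 1)


# Field names are assumed; the dashboard only names the concepts.
REQUIRED_WAIVER = ("control", "justification", "approver")
REQUIRED_ACCEPTANCE = REQUIRED_WAIVER + ("ticket", "residual_risk", "expires")


def missing_fields(record: dict, formal: bool = False) -> list[str]:
    """Return the required keys that are absent or empty in `record`.

    A plain waiver needs control, justification and approver; a formal risk
    acceptance additionally needs a ticket/RFC, a residual risk level and an
    expiry date.
    """
    required = REQUIRED_ACCEPTANCE if formal else REQUIRED_WAIVER
    return [key for key in required if not record.get(key)]


def expiry_bucket(record: dict, today: date, window_days: int = 30) -> str:
    """Classify an acceptance as Active, Expiring in 30d or Expired."""
    expires = date.fromisoformat(record["expires"])
    if expires < today:
        return "Expired"
    if expires <= today + timedelta(days=window_days):
        return "Expiring in 30d"
    return "Active"


def register_summary(records: list[dict], today: date) -> dict[str, int]:
    """Counters as shown on the risk register panel."""
    summary = {"Total Accepted": len(records), "Active": 0,
               "Expiring in 30d": 0, "Expired": 0}
    for record in records:
        summary[expiry_bucket(record, today)] += 1
    return summary


if __name__ == "__main__":
    base = [("low", "PASS")] * 20
    print("baseline:", weighted_score(base))
    print("one critical FAIL:", weighted_score(base + [("critical", "FAIL")]))
    print("nine low FAILs:", weighted_score(base + [("low", "FAIL")] * 9))
    print("critical WAIVED:", weighted_score(base + [("critical", "WAIVED")]))

    # Constructed acceptance records (illustrative values only).
    register = [
        {"control": "SEC-014", "justification": "legacy bastion",
         "approver": "ciso", "ticket": "RFC-42", "residual_risk": "medium",
         "expires": "2026-03-20"},
        {"control": "COST-003", "justification": "batch burst",
         "approver": "platform-lead", "expires": "2026-02-28"},
    ]
    today = date(2026, 3, 1)
    for record in register:
        print(record["control"], expiry_bucket(record, today),
              "missing:", missing_fields(record, formal=True))
    print(register_summary(register, today))
```

On a baseline of twenty passing low controls, a single failing critical control drops the score to 66.7, further than nine failing low controls do (69.0); a waived critical control leaves the score at 100.0 but shows up in the register, where the second constructed record is flagged both as Expired and as missing the ticket and residual-risk fields a formal acceptance requires.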


Welcome Aboard

Your cloud infrastructure is an aircraft. Before any aircraft carries passengers, it undergoes a rigorous pre-flight check. That's exactly what WAF++ does for your IaC — systematically, repeatably, every time.

The Maturity Journey tracks your progress from the hangar to cruise altitude — with a story at every stage, a passport of compliance stamps you've earned, and the next waypoints to reach your destination.

Your Current Stage

You can return to the Maturity Journey any time via the left sidebar.