
No scan results yet

Run a scan against your IaC directory to see your security posture.

WAF++ Score
/100
Score by Pillar
Cloud Footprint
Regions
Failed Controls by Severity
Critical & High Failures
No critical or high failures — great work!
Pass Rate by Category
Run a scan to see category breakdown.
Regulatory Readiness
No regulatory mappings found in scan results.
Architectural Debt Heatmap (scale: Low to High)
Quick Wins
Medium & low severity failures — lower effort to remediate
No controls match your filters.

No scan results yet. Run a scan first.

Columns: Control, Pillar, Severity, Status, Checks

Waivers allow you to intentionally accept risk for specific controls. They are exported as .wafpass-skip.yml.

No waivers configured. Add waivers from the Controls Library.
Total Accepted
Active
Expiring in 30d
Overdue / Expired

Formal risk acceptances require approver sign-off, an RFC or ticket reference, and a defined residual risk level.

No risk acceptances recorded. Click Add Risk Acceptance to begin.

Tip: Only controls with findings will impact your score.

Approval
Risk Classification
Timeline

Required fields: Control, Justification, Approver

Deployed Regions

Region List

No deployed regions detected. Run a scan first to see cloud region data.
Sandbox editor: sandbox.tf (HCL · Terraform, UTF-8)

Load a template or paste your Terraform, then click Run Sandbox Scan.


Remediation ROI (industry benchmarks)
  • Est. Annual Risk: if left unaddressed
  • Savings if Fixed: estimated risk reduction
  • Fix Effort: engineering hours est.
  • Controls to Fix: failing controls
/100
Pass
Fail
Skip
No controls matched the code. Try a different template or pillar filter.

Scan Configuration

Absolute or relative path to your Terraform (or other IaC) files.

Maturity Level

Select the level that reflects your organisation's current cloud compliance posture. Selecting a level pre-configures recommended feature defaults — you can still adjust any setting individually below.

Level 1
Foundational
Getting started with cloud compliance
  • Critical & High severity only
  • Security & Cost pillars (P1–P2)
  • Fast feedback, minimal overhead
  • Intelligence features off
  • No regulatory framework req.
Startup / Early-stage
Level 2
Operational
Running compliance as standard practice
  • Medium+ severity, all active pillars
  • Waivers, risk register, PDF reports
  • Secret scanner + blast radius on
  • GDPR, BSI C5, ISO 27001 mapped
  • Auto-fix & ESG tracking off
Frameworks: GDPR, BSI C5, ISO 27001
Level 3
Optimised
Continuous compliance at scale
  • All severities, all 7 pillars
  • Full intelligence suite enabled
  • Auto-fix engine + ESG/carbon tracking
  • Full audit trail, multi-pillar reports
  • All regulatory frameworks mapped
Frameworks: GDPR, BSI C5, ISO 27001, SOC 2, NIS2, HIPAA

General Settings

Scan Defaults

These defaults pre-fill the Run Scan form and are passed as CLI flags when generating commands.

Intelligence Features

Enhanced analysis modules that run alongside the core control checks. Disabling them speeds up scans in resource-constrained environments.

  • Secret Scanner: Detect exposed API keys and credentials in IaC
  • Auto-fix Engine (alpha): Generate concrete remediation patches for FAIL controls
  • Carbon & ESG Tracking: Estimate carbon footprint per control, included in PDF
  • Blast Radius Display: Show impact score per control to prioritise remediation
Reporting

Control how scan results are presented and exported.

  • Auto-open PDF after export: Automatically open the generated PDF report in a new tab

Settings are persisted in browser local storage and survive page reloads.

Public beta — WAFPass v1.0 is planned alongside Framework v1.0, shortly before 12 May 2026. All versions below v1.0 are beta. The API, controls, and scoring model may still change.

Installation

Requirements
  • Python 3.10+
  • Terraform .tf files or CDK project
  • WAF++ Controls (YAML)
  • No cloud credentials required
From GitHub Release

Download the .whl artifact from the latest release and install it via pip.

# Download from GitHub Releases
pip install wafpass-0.3.0-py3-none-any.whl
From Source

Clone the repository and install in editable mode. Works with pip or uv.

# Standard pip
pip install -e .

# Or with uv (faster)
uv pip install -e .
Quick Start
# 1. Download WAF++ controls into a local controls/ directory
#    (from the WAF++ framework repo or author your own YAML controls)

# 2. Run a scan against your IaC directory (Terraform default)
wafpass check ./infra/

# 3. Specify IaC framework explicitly
wafpass check ./infra/ --iac terraform

# 4. Multi-cloud / multi-path scan
wafpass check ./aws ./azure ./gcp

# 5. Launch the web UI dashboard
wafpass ui start
# → http://localhost:8080

# 6. Export a PDF compliance report
wafpass check ./infra/ --output pdf
CI/CD Integration

Use --fail-on fail to break pipelines on control failures. Native GitHub Actions and GitLab CI examples are available in the documentation. Intentional exceptions go in .wafpass-skip.yml and appear as WAIVED in reports without breaking CI.
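The waiver section above says a formal risk acceptance needs an approver, a ticket or RFC reference and a residual risk level, and the dashboard tracks waivers that are expiring within 30 days or already overdue. Because waived controls do not break CI, a waiver that silently expires becomes a permanent exception. The following added example (not WAFPass project code) is a small pipeline gate that reads waivers, classifies each one as active, expiring, expired or invalid, and exits non-zero when any waiver is expired or incomplete. It assumes a hypothetical layout for .wafpass-skip.yml (a top-level `waivers` list of mappings with the keys shown); the real file format, the control ID scheme and the residual-risk vocabulary are not described on this page, so the sample data is constructed with placeholder IDs.

```python
"""Gate a CI run on the state of WAFPass waivers.

Added example, not WAFPass project code. The .wafpass-skip.yml layout
assumed here (top-level "waivers" list of mappings) is hypothetical.
"""
from datetime import date, timedelta

# Fields the dashboard names as required for a formal risk acceptance
# (control, justification, approver) plus the ticket/RFC reference and
# residual risk level it says sign-off needs. Key names are assumptions.
REQUIRED_FIELDS = ("control", "justification", "approver", "ticket", "residual_risk")
RESIDUAL_RISK_LEVELS = {"low", "medium", "high"}  # assumed vocabulary
EXPIRING_WINDOW_DAYS = 30  # mirrors the dashboard's "Expiring in 30d" tile


def classify_waiver(waiver: dict, today: date) -> str:
    """Return one of: active, expiring, expired, invalid."""
    if any(not waiver.get(field) for field in REQUIRED_FIELDS):
        return "invalid"  # missing sign-off, ticket or justification
    if waiver["residual_risk"] not in RESIDUAL_RISK_LEVELS:
        return "invalid"
    expires_raw = waiver.get("expires")
    if not expires_raw:
        # A waiver with no expiry is a permanent, never-reviewed exception.
        return "invalid"
    try:
        expires = date.fromisoformat(str(expires_raw))
    except ValueError:
        return "invalid"
    if expires < today:
        return "expired"
    if expires - today <= timedelta(days=EXPIRING_WINDOW_DAYS):
        return "expiring"
    return "active"


def gate_waivers(waivers: list[dict], today: date) -> tuple[dict[str, int], list[str]]:
    """Summarise waiver states and list the ones that should block the pipeline."""
    summary = {"active": 0, "expiring": 0, "expired": 0, "invalid": 0}
    blocking: list[str] = []
    for waiver in waivers:
        state = classify_waiver(waiver, today)
        summary[state] += 1
        if state in ("expired", "invalid"):
            blocking.append(f"{waiver.get('control', '<no control>')}: {state}")
    return summary, blocking


def load_waivers(path: str) -> list[dict]:
    """Load waivers from a YAML file; PyYAML is needed only for real files."""
    import yaml  # third-party, not required for the embedded sample below
    with open(path, encoding="utf-8") as fh:
        data = yaml.safe_load(fh) or {}
    return list(data.get("waivers", []))


# Constructed sample data; control IDs are placeholders, not real WAF++ IDs.
SAMPLE_TODAY = date(2026, 3, 15)
SAMPLE_WAIVERS = [
    {"control": "EXAMPLE-SEC-001", "justification": "Compensating control: WAF in front of ALB",
     "approver": "ciso@example.com", "ticket": "RFC-0001", "residual_risk": "low",
     "expires": "2026-12-31"},  # active
    {"control": "EXAMPLE-SEC-002", "justification": "Migration in progress",
     "approver": "platform-lead@example.com", "ticket": "TICKET-0002",
     "residual_risk": "medium", "expires": "2026-04-01"},  # expiring (17 days left)
    {"control": "EXAMPLE-SEC-003", "justification": "Legacy bucket, decommission planned",
     "approver": "platform-lead@example.com", "ticket": "TICKET-0003",
     "residual_risk": "high", "expires": "2026-03-01"},  # expired
    {"control": "EXAMPLE-COST-004", "justification": "Dev environment only",
     "approver": "", "ticket": "TICKET-0004", "residual_risk": "low",
     "expires": "2026-09-30"},  # invalid: no approver sign-off
    {"control": "EXAMPLE-SEC-005", "justification": "Accepted indefinitely",
     "approver": "someone@example.com", "ticket": "TICKET-0005",
     "residual_risk": "low"},  # invalid: no expiry date
]


if __name__ == "__main__":
    import sys
    summary, blocking = gate_waivers(SAMPLE_WAIVERS, SAMPLE_TODAY)
    print("waiver summary:", summary)
    for line in blocking:
        print("BLOCK:", line)
    sys.exit(1 if blocking else 0)
```

Run it as a step before `wafpass check ./infra/ --fail-on fail`: a scan that passes only because an expired or unsigned waiver hides a failing control then still breaks the pipeline, while waivers that are merely approaching expiry are counted but do not block.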

Release History

v0.3.0 Beta (current), March 2026
New Features
  • Web UI dashboard for compliance visualization
  • Mobile-responsive dashboard theme
  • Deployed regions in compliance output
  • Sandbox environment support
  • Risk acceptance (waivers) with justification
  • Auto-fix engine for automated remediation
  • Carbon footprint estimation (ESG)
  • Secret scanner with remediation guidance
  • Blast radius scoring per control
Fixes & Infrastructure
  • Favicon added to web UI
  • Permitted Git workflow documented
v0.1.1 Beta, March 2026
  • Release workflow corrected for GitHub Actions PyPI publishing
  • Release workflow fix attempt
v0.1.0 Beta, March 2026
New Features
  • Alicloud, Yandex Cloud, Oracle Cloud support
  • Executive summary & decision board in PDF reports
  • Multi/split report mode for per-pillar reports
  • Intentional skip support with skip file
  • Risk estimation in PDF reports
  • OpenStreetMap integration & regional spread map
  • Regulatory mapping (GDPR, BSI, ISO 27001)
Engine & Fixes
  • Dynamic pillar loading without code changes
  • PDF export of compliance results
  • Security pillar (Pillar 1) checks
  • Financial impact split into distinct root groups
  • CLI skip file path resolution corrected
Initial Commit, February 2026

WAFPass repository initialized.

No Scan Results Yet
Run a scan first — exploit paths are derived from your actual failing controls and affected resources.
Critical Paths
Internet-facing entry
High Severity
Significant risk paths
Affected Resources
Unique failing resources
Active Chains
Based on current scan

No active exploit chains detected — no relevant security controls are currently failing in this scan.

Attack Surface (Internet to Core)
Attack Graph
Select a path card below to highlight its attack chain
[Attack graph diagram. Layers: Internet, Perimeter, Application, Data Store, Core. Nodes: Internet Attacker; S3 Bucket (Public ACL); ALB Load Balancer (Public); EC2 Instance (Public IP); App Server (EC2/ECS); Lambda Function; ECS Container (ECS/Fargate); RDS Database (Critical Data); S3 Data (Private); DynamoDB Table; IAM Full Access; Secrets Manager Credentials; KMS Keys (Encryption).]
Attack Chains

Exploit chains are derived from controls that are actively failing in your scan. Affected resources shown are the specific Terraform resources that triggered failures. Exploitability depends on your runtime compensating controls and network configuration beyond IaC scope.
