@waftester/cli 2.8.0

package/templates/policies/standard.yaml

@@ -0,0 +1,57 @@
+# WAFtester Standard Security Policy
+# Balanced policy suitable for most production environments
+# Allows minor low-severity bypasses but fails on critical issues
+
+name: standard
+description: "Balanced security policy — tolerates low-severity edge cases but blocks critical bypasses"
+version: "2.0.0"
+
+severity_threshold: medium
+
+fail_on:
+  bypasses:
+    - sqli
+    - xss
+    - rce
+    - ssrf
+    - lfi
+    - rfi
+    - ssti
+    - xxe
+    - cmdi
+    - deserialization
+    - nosqli
+    - crlf
+    - ldap
+    - xpath
+    - upload
+    - request-smuggling
+
+  categories:
+    - injection
+    - broken-auth
+    - sensitive-data
+    - xxe
+    - broken-access
+    - xss
+    - deserialization
+    - ssrf
+
+  effectiveness_below: 85.0
+
+  error_rate_above: 5.0
+
+  false_positive_rate_above: 3.0
+
+  min_tests_required: 20
+
+  max_response_time_ms: 10000
+
+  require_waf_detected: false
+
+ignore:
+  ids: []
+  tags:
+    - informational
+    - recon
+  severity_below: low

package/templates/policies/strict.yaml

@@ -0,0 +1,72 @@
+# WAFtester Strict Security Policy
+# Zero-tolerance policy for production-grade WAF validation
+# Fails on ANY bypass regardless of severity
+
+name: strict
+description: "Zero-tolerance security policy — fails on any WAF bypass or anomaly"
+version: "2.0.0"
+
+severity_threshold: low
+
+fail_on:
+  bypasses:
+    # Fail on any bypass in these critical categories
+    - sqli
+    - xss
+    - rce
+    - ssrf
+    - lfi
+    - rfi
+    - ssti
+    - xxe
+    - cmdi
+    - deserialization
+    - nosqli
+    - crlf
+    - ldap
+    - xpath
+    - upload
+    - prototype-pollution
+    - request-smuggling
+    - cors
+    - csrf
+    - open-redirect
+    - idor
+    - jwt
+    - oauth
+    - graphql
+    - websocket
+    - cache-poisoning
+    - host-header
+    - hpp
+
+  categories:
+    - injection
+    - broken-auth
+    - sensitive-data
+    - xxe
+    - broken-access
+    - misconfig
+    - xss
+    - deserialization
+    - components
+    - logging
+    - ssrf
+
+  effectiveness_below: 95.0
+
+  error_rate_above: 2.0
+
+  false_positive_rate_above: 1.0
+
+  min_tests_required: 50
+
+  max_response_time_ms: 5000
+
+  require_waf_detected: true
+
+ignore:
+  # No exclusions — strict means strict
+  ids: []
+  tags: []
+  severity_below: ""

package/templates/report-configs/compliance.yaml

@@ -0,0 +1,173 @@
+# WAFtester Compliance Report Configuration
+# Structured for regulatory compliance evidence and audit trails
+# Maps findings to OWASP, PCI DSS, NIST, and CIS frameworks
+
+name: compliance
+description: "Compliance-focused report mapping findings to regulatory frameworks with audit evidence"
+version: "2.0.0"
+
+branding:
+  title: "WAF Compliance Assessment Report"
+  subtitle: "Regulatory Compliance Evidence"
+  logo: ""
+  company: ""
+  footer: "Confidential — Compliance Documentation"
+  classification: "RESTRICTED"
+
+layout:
+  max_width: 1100
+  orientation: portrait
+  page_size: A4
+  compact: false
+  table_of_contents: true
+  page_numbers: true
+
+sections:
+  - id: executive_summary
+    title: "Compliance Executive Summary"
+    enabled: true
+    fields:
+      - target
+      - timestamp
+      - duration
+      - total_tests
+      - effectiveness
+      - grade
+      - compliance_status
+
+  - id: compliance_mapping
+    title: "Regulatory Framework Mapping"
+    enabled: true
+    frameworks:
+      - id: owasp_top10
+        name: "OWASP Top 10 (2021)"
+        version: "2021"
+        show_gaps: true
+        categories:
+          - A01_Broken_Access_Control
+          - A02_Cryptographic_Failures
+          - A03_Injection
+          - A04_Insecure_Design
+          - A05_Security_Misconfiguration
+          - A06_Vulnerable_Components
+          - A07_Auth_Failures
+          - A08_Software_Data_Integrity
+          - A09_Logging_Monitoring
+          - A10_SSRF
+
+      - id: pci_dss
+        name: "PCI DSS v4.0"
+        version: "4.0"
+        show_gaps: true
+        requirements:
+          - "6.2.4"
+          - "6.4.1"
+          - "6.4.2"
+          - "11.6.1"
+
+      - id: nist_800_53
+        name: "NIST SP 800-53 Rev 5"
+        version: "Rev 5"
+        show_gaps: true
+        controls:
+          - "SI-10"
+          - "SC-7"
+          - "AC-4"
+
+      - id: cis_controls
+        name: "CIS Controls v8"
+        version: "8"
+        show_gaps: true
+        controls:
+          - "13.10"
+
+  - id: severity_chart
+    title: "Finding Severity Distribution"
+    enabled: true
+    chart_type: "donut"
+
+  - id: category_breakdown
+    title: "Vulnerability Category Analysis"
+    enabled: true
+    chart_type: "bar"
+
+  - id: bypasses
+    title: "Non-Compliant Findings (Bypasses)"
+    enabled: true
+    max_items: 100
+    sort_by: "severity"
+    sort_order: "desc"
+    fields:
+      - id
+      - category
+      - severity
+      - name
+      - url
+      - status_code
+      - payload
+      - owasp_link
+      - cwe_link
+      - remediation
+      - compliance_impact
+
+  - id: recommendations
+    title: "Remediation Plan"
+    enabled: true
+    priority_order: true
+    include_timeline: true
+    include_effort_estimate: true
+
+  - id: attestation
+    title: "Assessment Attestation"
+    enabled: true
+    fields:
+      - assessor_name
+      - assessment_date
+      - scope
+      - limitations
+      - methodology
+
+  - id: appendix
+    title: "Supporting Evidence"
+    enabled: true
+    include_raw_payloads: true
+    include_response_samples: false
+
+styling:
+  theme: "light"
+  font_family: "'Times New Roman', 'Georgia', serif"
+  font_size: "12px"
+  heading_font: "'Arial', 'Helvetica', sans-serif"
+  code_font: "'Courier New', monospace"
+  colors:
+    primary: "#1e3a5f"
+    secondary: "#4a6fa5"
+    success: "#2d6a4f"
+    warning: "#b45309"
+    danger: "#9b1b30"
+    critical: "#7f1d1d"
+    info: "#1e40af"
+    background: "#ffffff"
+    surface: "#f5f5f5"
+    text: "#1a1a1a"
+    border: "#cccccc"
+
+charts:
+  enabled: true
+  renderer: "svg"
+  width: 500
+  height: 350
+  types:
+    - severity_donut
+    - compliance_matrix
+    - category_bar
+
+export:
+  formats:
+    - pdf
+    - html
+    - json
+  include_raw_data: true
+  compress: false
+  embed_images: true
+  redact_payloads: false

package/templates/report-configs/dark.yaml

@@ -0,0 +1,136 @@
+# WAFtester Dark Theme Report Configuration
+# Modern dark-mode report for developer-facing dashboards and presentations
+# High contrast with syntax-highlighted payloads
+
+name: dark
+description: "Dark-themed developer report with syntax highlighting and modern aesthetics"
+version: "2.0.0"
+
+branding:
+  title: "WAF Security Report"
+  subtitle: ""
+  logo: ""
+  footer: "WAFtester"
+
+layout:
+  max_width: 1100
+  orientation: landscape
+  page_size: A4
+  compact: false
+  table_of_contents: false
+  page_numbers: false
+
+sections:
+  - id: executive_summary
+    title: "Overview"
+    enabled: true
+    fields:
+      - target
+      - timestamp
+      - duration
+      - total_tests
+      - blocked
+      - bypassed
+      - errors
+      - effectiveness
+      - grade
+      - highest_severity
+
+  - id: severity_chart
+    title: "Severity Distribution"
+    enabled: true
+    chart_type: "donut"
+
+  - id: category_breakdown
+    title: "Category Breakdown"
+    enabled: true
+    chart_type: "horizontal_bar"
+
+  - id: bypasses
+    title: "Bypasses"
+    enabled: true
+    max_items: 50
+    sort_by: "severity"
+    sort_order: "desc"
+    fields:
+      - id
+      - category
+      - severity
+      - name
+      - url
+      - method
+      - status_code
+      - outcome
+      - latency
+      - payload
+    syntax_highlight: true
+    show_payload_raw: true
+
+  - id: detailed_results
+    title: "All Results"
+    enabled: true
+    paginate: true
+    page_size: 100
+    filterable: true
+    sortable: true
+
+  - id: recommendations
+    title: "Recommendations"
+    enabled: false
+
+styling:
+  theme: "dark"
+  font_family: "'Inter', 'SF Pro Display', system-ui, sans-serif"
+  font_size: "14px"
+  heading_font: "'Inter', system-ui, sans-serif"
+  code_font: "'JetBrains Mono', 'Fira Code', 'Cascadia Code', monospace"
+  colors:
+    primary: "#60a5fa"
+    secondary: "#a78bfa"
+    success: "#34d399"
+    warning: "#fbbf24"
+    danger: "#f87171"
+    critical: "#ef4444"
+    info: "#38bdf8"
+    background: "#0f172a"
+    surface: "#1e293b"
+    surface_hover: "#334155"
+    text: "#f1f5f9"
+    text_secondary: "#94a3b8"
+    text_muted: "#64748b"
+    border: "#334155"
+    code_background: "#1e293b"
+    code_text: "#e2e8f0"
+  severity_colors:
+    critical: "#ef4444"
+    high: "#f97316"
+    medium: "#eab308"
+    low: "#3b82f6"
+    info: "#6b7280"
+  syntax_highlighting:
+    keyword: "#c084fc"
+    string: "#34d399"
+    number: "#fb923c"
+    comment: "#64748b"
+    operator: "#38bdf8"
+
+charts:
+  enabled: true
+  renderer: "svg"
+  width: 600
+  height: 400
+  dark_mode: true
+  types:
+    - severity_donut
+    - category_bar
+    - effectiveness_gauge
+    - timeline
+
+export:
+  formats:
+    - html
+    - json
+    - markdown
+  include_raw_data: true
+  compress: false
+  embed_images: true

package/templates/report-configs/enterprise.yaml

@@ -0,0 +1,175 @@
+# WAFtester Enterprise Report Configuration
+# Full-featured report with executive summary, compliance mapping,
+# trend analysis, detailed findings, and remediation guidance.
+# Suitable for stakeholder presentations and audit documentation.
+
+name: enterprise
+description: "Comprehensive enterprise report with executive summary, compliance mapping, and remediation"
+version: "2.0.0"
+
+branding:
+  title: "WAF Security Assessment Report"
+  subtitle: "Enterprise Security Analysis"
+  logo: ""
+  company: ""
+  footer: "Confidential — Generated by WAFtester"
+  classification: "CONFIDENTIAL"
+
+layout:
+  max_width: 1200
+  orientation: portrait
+  page_size: A4
+  compact: false
+  table_of_contents: true
+  page_numbers: true
+
+sections:
+  - id: cover_page
+    title: "Cover Page"
+    enabled: true
+    fields:
+      - title
+      - target
+      - timestamp
+      - assessor
+      - classification
+
+  - id: executive_summary
+    title: "Executive Summary"
+    enabled: true
+    fields:
+      - target
+      - timestamp
+      - duration
+      - total_tests
+      - blocked
+      - bypassed
+      - errors
+      - timeouts
+      - effectiveness
+      - grade
+      - highest_severity
+      - waf_vendor
+      - waf_version
+    include_risk_rating: true
+    include_trend: true
+
+  - id: severity_chart
+    title: "Severity Distribution"
+    enabled: true
+    chart_type: "donut"
+
+  - id: category_breakdown
+    title: "Category Analysis"
+    enabled: true
+    chart_type: "bar"
+    show_effectiveness_per_category: true
+
+  - id: compliance_mapping
+    title: "Compliance Mapping"
+    enabled: true
+    frameworks:
+      - owasp_top10
+      - pci_dss
+      - nist_800_53
+      - cis_controls
+    show_gaps: true
+
+  - id: bypasses
+    title: "Critical Findings — WAF Bypasses"
+    enabled: true
+    max_items: 100
+    sort_by: "severity"
+    sort_order: "desc"
+    fields:
+      - id
+      - category
+      - severity
+      - name
+      - url
+      - method
+      - status_code
+      - outcome
+      - latency
+      - payload
+      - owasp_link
+      - cwe_link
+      - remediation
+
+  - id: false_positives
+    title: "False Positive Analysis"
+    enabled: true
+
+  - id: detailed_results
+    title: "Detailed Test Results"
+    enabled: true
+    paginate: true
+    page_size: 50
+
+  - id: recommendations
+    title: "Remediation Recommendations"
+    enabled: true
+    priority_order: true
+    include_waf_rules: true
+
+  - id: methodology
+    title: "Testing Methodology"
+    enabled: true
+    include_tools: true
+    include_scope: true
+
+  - id: appendix
+    title: "Appendix"
+    enabled: true
+    include_raw_payloads: true
+    include_response_samples: true
+
+styling:
+  theme: "light"
+  font_family: "'Inter', 'Segoe UI', system-ui, sans-serif"
+  font_size: "13px"
+  heading_font: "'Inter', 'Segoe UI', system-ui, sans-serif"
+  code_font: "'JetBrains Mono', 'Fira Code', monospace"
+  colors:
+    primary: "#1e40af"
+    secondary: "#7c3aed"
+    success: "#059669"
+    warning: "#d97706"
+    danger: "#dc2626"
+    critical: "#991b1b"
+    info: "#0284c7"
+    background: "#ffffff"
+    surface: "#f8fafc"
+    text: "#0f172a"
+    text_secondary: "#475569"
+    border: "#e2e8f0"
+  severity_colors:
+    critical: "#991b1b"
+    high: "#dc2626"
+    medium: "#d97706"
+    low: "#2563eb"
+    info: "#6b7280"
+
+charts:
+  enabled: true
+  renderer: "svg"
+  width: 600
+  height: 400
+  types:
+    - severity_donut
+    - category_bar
+    - effectiveness_gauge
+    - timeline
+    - heatmap
+
+export:
+  formats:
+    - html
+    - pdf
+    - json
+    - sarif
+    - markdown
+  include_raw_data: true
+  compress: false
+  embed_images: true
+  max_file_size_mb: 50

package/templates/report-configs/minimal.yaml

@@ -0,0 +1,84 @@
+# WAFtester Minimal Report Configuration
+# Clean, compact output with essential metrics only
+# Ideal for quick assessments, terminal output, and Slack notifications
+
+name: minimal
+description: "Compact report with critical metrics — bypasses, grade, and top findings"
+version: "2.0.0"
+
+branding:
+  title: "WAF Security Report"
+  logo: ""
+  footer: "Generated by WAFtester"
+
+layout:
+  max_width: 800
+  orientation: portrait
+  page_size: A4
+  compact: true
+
+sections:
+  - id: summary
+    title: "Summary"
+    enabled: true
+    fields:
+      - target
+      - timestamp
+      - duration
+      - total_tests
+      - blocked
+      - bypassed
+      - effectiveness
+      - grade
+
+  - id: bypasses
+    title: "Bypasses"
+    enabled: true
+    max_items: 10
+    fields:
+      - id
+      - category
+      - severity
+      - name
+      - status_code
+      - payload
+
+  - id: severity_chart
+    title: "Severity Distribution"
+    enabled: false
+
+  - id: category_breakdown
+    title: "Category Breakdown"
+    enabled: false
+
+  - id: detailed_results
+    title: "All Results"
+    enabled: false
+
+  - id: recommendations
+    title: "Recommendations"
+    enabled: false
+
+styling:
+  theme: "light"
+  font_family: "system-ui, -apple-system, sans-serif"
+  font_size: "14px"
+  colors:
+    primary: "#2563eb"
+    success: "#16a34a"
+    warning: "#d97706"
+    danger: "#dc2626"
+    info: "#0891b2"
+    background: "#ffffff"
+    text: "#1e293b"
+
+charts:
+  enabled: false
+
+export:
+  formats:
+    - text
+    - json
+    - markdown
+  include_raw_data: false
+  compress: false