@waftester/cli 2.8.0

package/templates/report-configs/print.yaml

@@ -0,0 +1,139 @@
+# WAFtester Print-Optimized Report Configuration
+# Designed for physical printing and PDF export
+# Clean black-and-white with high readability
+
+name: print
+description: "Print-optimized report with clean layout for PDF export and physical printing"
+version: "2.0.0"
+
+branding:
+  title: "WAF Security Assessment Report"
+  subtitle: ""
+  logo: ""
+  company: ""
+  footer: "Generated by WAFtester"
+
+layout:
+  max_width: 900
+  orientation: portrait
+  page_size: A4
+  compact: false
+  table_of_contents: true
+  page_numbers: true
+  page_breaks_between_sections: true
+
+sections:
+  - id: cover_page
+    title: "Cover"
+    enabled: true
+    fields:
+      - title
+      - target
+      - timestamp
+      - company
+
+  - id: executive_summary
+    title: "Executive Summary"
+    enabled: true
+    fields:
+      - target
+      - timestamp
+      - duration
+      - total_tests
+      - blocked
+      - bypassed
+      - errors
+      - effectiveness
+      - grade
+      - highest_severity
+
+  - id: severity_chart
+    title: "Severity Distribution"
+    enabled: true
+    chart_type: "bar"
+
+  - id: category_breakdown
+    title: "Category Results"
+    enabled: true
+    chart_type: "table"
+
+  - id: bypasses
+    title: "WAF Bypass Findings"
+    enabled: true
+    max_items: 50
+    sort_by: "severity"
+    sort_order: "desc"
+    fields:
+      - id
+      - category
+      - severity
+      - name
+      - url
+      - method
+      - status_code
+      - outcome
+      - payload
+      - owasp_link
+      - cwe_link
+
+  - id: recommendations
+    title: "Remediation Recommendations"
+    enabled: true
+    priority_order: true
+
+  - id: detailed_results
+    title: "Complete Test Results"
+    enabled: true
+    paginate: true
+    page_size: 40
+
+  - id: appendix
+    title: "Appendix"
+    enabled: true
+    include_raw_payloads: false
+    include_methodology: true
+
+styling:
+  theme: "print"
+  font_family: "'Georgia', 'Times New Roman', serif"
+  font_size: "11pt"
+  heading_font: "'Arial', 'Helvetica', sans-serif"
+  code_font: "'Courier New', 'Courier', monospace"
+  line_height: "1.6"
+  colors:
+    primary: "#000000"
+    secondary: "#333333"
+    success: "#000000"
+    warning: "#000000"
+    danger: "#000000"
+    background: "#ffffff"
+    text: "#000000"
+    border: "#666666"
+    header_bg: "#f0f0f0"
+    alt_row: "#f9f9f9"
+  severity_markers:
+    critical: "[!!!]"
+    high: "[!!]"
+    medium: "[!]"
+    low: "[.]"
+    info: "[-]"
+
+charts:
+  enabled: true
+  renderer: "svg"
+  width: 450
+  height: 300
+  grayscale: true
+  types:
+    - severity_bar
+    - category_table
+
+export:
+  formats:
+    - pdf
+    - html
+  include_raw_data: false
+  compress: false
+  embed_images: true
+  grayscale_images: true
+  max_file_size_mb: 20

package/templates/workflows/api-scan.yaml

@@ -0,0 +1,132 @@
+# WAFtester API Security Scan Workflow
+# Comprehensive API security testing with OpenAPI/Swagger support
+#
+# Usage:
+#   waf-tester workflow run templates/workflows/api-scan.yaml \
+#     --input target=https://api.example.com \
+#     --input openapi_spec=./openapi.yaml \
+#     --input auth_header="Bearer eyJ..."
+
+name: api-scan
+description: "API-focused security assessment with OpenAPI schema discovery and auth-aware scanning"
+version: "2.0.0"
+tags:
+  - api
+  - openapi
+  - swagger
+  - rest
+  - security
+
+inputs:
+  - name: target
+    description: API base URL
+    required: true
+  - name: openapi_spec
+    description: Path to OpenAPI/Swagger specification
+    required: false
+  - name: auth_header
+    description: Authorization header value (e.g., Bearer token)
+    required: false
+  - name: output_dir
+    description: Output directory
+    default: "./results"
+  - name: rate_limit
+    description: Requests per second limit
+    default: "20"
+  - name: concurrency
+    description: Number of concurrent workers
+    default: "10"
+  - name: scan_types
+    description: Security categories to test
+    default: "sqli,nosqli,xss,ssrf,idor,massassignment,bola,bfla"
+
+steps:
+  - id: detect
+    name: Detect WAF on API endpoint
+    command: wafdetect
+    args:
+      - "-u"
+      - "{{.target}}"
+      - "-o"
+      - "{{.output_dir}}/api-waf-detection.json"
+      - "--json"
+
+  - id: fingerprint
+    name: Fingerprint WAF and API gateway
+    command: waffprint
+    args:
+      - "-u"
+      - "{{.target}}"
+      - "-o"
+      - "{{.output_dir}}/api-fingerprint.json"
+      - "--json"
+
+  - id: discover
+    name: Discover API endpoints
+    command: discover
+    args:
+      - "-u"
+      - "{{.target}}"
+      - "--openapi"
+      - "{{.openapi_spec}}"
+      - "-o"
+      - "{{.output_dir}}/api-endpoints.json"
+
+  - id: calibrate
+    name: Calibrate scanner to API responses
+    command: calibrate
+    args:
+      - "-u"
+      - "{{.target}}"
+      - "-o"
+      - "{{.output_dir}}/api-calibration.json"
+    condition: "steps.detect.success"
+
+  - id: scan
+    name: Run API security tests
+    command: run
+    args:
+      - "-u"
+      - "{{.target}}"
+      - "-s"
+      - "{{.scan_types}}"
+      - "-c"
+      - "{{.concurrency}}"
+      - "--rate-limit"
+      - "{{.rate_limit}}"
+      - "--header"
+      - "Authorization: {{.auth_header}}"
+      - "--header"
+      - "Content-Type: application/json"
+      - "--overrides"
+      - "templates/overrides/api-only.yaml"
+      - "-o"
+      - "json"
+      - "--output-file"
+      - "{{.output_dir}}/api-results.json"
+    condition: "steps.detect.success"
+
+  - id: report_json
+    name: Generate JSON report
+    command: report
+    args:
+      - "-i"
+      - "{{.output_dir}}/api-results.json"
+      - "-o"
+      - "{{.output_dir}}/api-report.json"
+      - "-f"
+      - "json"
+
+  - id: report_html
+    name: Generate HTML report
+    command: report
+    args:
+      - "-i"
+      - "{{.output_dir}}/api-results.json"
+      - "-o"
+      - "{{.output_dir}}/api-report.html"
+      - "-f"
+      - "html"
+      - "--template-config"
+      - "templates/report-configs/enterprise.yaml"
+    condition: "steps.scan.success"

package/templates/workflows/ci-gate.yaml

@@ -0,0 +1,129 @@
+# WAFtester CI/CD Gate Workflow
+# Automated security gate for CI/CD pipelines with pass/fail verdict
+# Outputs SARIF for GitHub Advanced Security and JUnit for CI integration
+#
+# Usage:
+#   waf-tester workflow run templates/workflows/ci-gate.yaml \
+#     --input target=https://staging.example.com \
+#     --input policy=templates/policies/strict.yaml
+
+name: ci-gate
+description: "CI/CD security gate with dual SARIF+JUnit output, policy enforcement, and pass/fail exit code"
+version: "2.0.0"
+tags:
+  - ci
+  - cd
+  - pipeline
+  - gate
+  - automation
+  - sarif
+  - junit
+
+inputs:
+  - name: target
+    description: Target URL to test (typically a staging environment)
+    required: true
+  - name: policy
+    description: Security policy to enforce
+    default: "templates/policies/standard.yaml"
+  - name: output_dir
+    description: Output directory for reports
+    default: "./security-results"
+  - name: output_format
+    description: Primary output format (sarif, junit, json)
+    default: "sarif"
+  - name: concurrency
+    description: Number of concurrent workers
+    default: "20"
+  - name: rate_limit
+    description: Requests per second limit
+    default: "50"
+  - name: scan_types
+    description: Security scan categories
+    default: "sqli,xss,rce,ssrf,lfi,ssti"
+  - name: fail_on_bypass
+    description: Fail pipeline on any bypass found
+    default: "true"
+  - name: severity_threshold
+    description: Minimum severity to trigger failure (critical, high, medium, low)
+    default: "high"
+
+steps:
+  - id: detect
+    name: Detect WAF presence
+    command: wafdetect
+    args:
+      - "-u"
+      - "{{.target}}"
+      - "-o"
+      - "{{.output_dir}}/waf-detection.json"
+      - "--json"
+
+  - id: calibrate
+    name: Calibrate scanner
+    command: calibrate
+    args:
+      - "-u"
+      - "{{.target}}"
+      - "-o"
+      - "{{.output_dir}}/calibration.json"
+    condition: "steps.detect.success"
+
+  - id: scan
+    name: Run security scan
+    command: run
+    args:
+      - "-u"
+      - "{{.target}}"
+      - "-s"
+      - "{{.scan_types}}"
+      - "-c"
+      - "{{.concurrency}}"
+      - "--rate-limit"
+      - "{{.rate_limit}}"
+      - "--policy"
+      - "{{.policy}}"
+      - "--severity"
+      - "{{.severity_threshold}}"
+      - "-o"
+      - "json"
+      - "--output-file"
+      - "{{.output_dir}}/scan-results.json"
+    condition: "steps.detect.success"
+
+  - id: report_sarif
+    name: Generate SARIF report for GitHub Advanced Security
+    command: report
+    args:
+      - "-i"
+      - "{{.output_dir}}/scan-results.json"
+      - "-o"
+      - "{{.output_dir}}/results.sarif"
+      - "-f"
+      - "sarif"
+
+  - id: report_junit
+    name: Generate JUnit report for CI dashboard
+    command: report
+    args:
+      - "-i"
+      - "{{.output_dir}}/scan-results.json"
+      - "-o"
+      - "{{.output_dir}}/results.xml"
+      - "-f"
+      - "junit"
+
+  - id: gate
+    name: Evaluate security policy pass/fail
+    command: evaluate
+    args:
+      - "-i"
+      - "{{.output_dir}}/scan-results.json"
+      - "--policy"
+      - "{{.policy}}"
+      - "--fail-on-bypass"
+      - "{{.fail_on_bypass}}"
+      - "--severity"
+      - "{{.severity_threshold}}"
+      - "--exit-code"
+    condition: "steps.scan.success"

package/templates/workflows/full-scan.yaml

@@ -0,0 +1,133 @@
+# WAFtester Full Security Scan Workflow
+# Complete security assessment: detect > learn > calibrate > scan > report
+#
+# Usage:
+#   waf-tester workflow run templates/workflows/full-scan.yaml --input target=https://example.com
+
+name: full-scan
+description: "Complete security scan: discover > learn > calibrate > scan > report"
+version: "2.0.0"
+tags:
+  - security
+  - complete
+  - production
+  - enterprise
+
+inputs:
+  - name: target
+    description: Target URL to scan
+    required: true
+  - name: output_dir
+    description: Output directory for results
+    default: "./results"
+  - name: concurrency
+    description: Number of concurrent requests
+    default: "50"
+  - name: rate_limit
+    description: Requests per second limit
+    default: "10"
+  - name: policy
+    description: Policy file for pass/fail evaluation
+    default: "templates/policies/standard.yaml"
+  - name: scan_types
+    description: "Comma-separated scan types (sqli,xss,rce,ssrf,lfi,ssti,xxe,cmdi,nosqli,crlf or all)"
+    default: "all"
+
+steps:
+  - id: detect
+    name: Detect WAF presence and vendor
+    command: wafdetect
+    args:
+      - "-u"
+      - "{{.target}}"
+      - "-o"
+      - "{{.output_dir}}/waf-detection.json"
+      - "--json"
+
+  - id: fingerprint
+    name: Fingerprint WAF technology stack
+    command: waffprint
+    args:
+      - "-u"
+      - "{{.target}}"
+      - "-o"
+      - "{{.output_dir}}/waf-fingerprint.json"
+      - "--json"
+
+  - id: learn
+    name: Learn WAF behavior patterns
+    command: learn
+    args:
+      - "-u"
+      - "{{.target}}"
+      - "-o"
+      - "{{.output_dir}}/waf-profile.json"
+    condition: "steps.detect.success"
+
+  - id: calibrate
+    name: Calibrate scan for WAF thresholds
+    command: calibrate
+    args:
+      - "-u"
+      - "{{.target}}"
+      - "--profile"
+      - "{{.output_dir}}/waf-profile.json"
+    condition: "steps.learn.success"
+
+  - id: scan
+    name: Run full security scan
+    command: run
+    args:
+      - "-u"
+      - "{{.target}}"
+      - "-s"
+      - "{{.scan_types}}"
+      - "-c"
+      - "{{.concurrency}}"
+      - "--rate-limit"
+      - "{{.rate_limit}}"
+      - "-o"
+      - "json"
+      - "--output-file"
+      - "{{.output_dir}}/scan-results.json"
+      - "--policy"
+      - "{{.policy}}"
+    condition: "steps.detect.success"
+
+  - id: report_html
+    name: Generate HTML enterprise report
+    command: report
+    args:
+      - "-i"
+      - "{{.output_dir}}/scan-results.json"
+      - "-o"
+      - "{{.output_dir}}/report.html"
+      - "-f"
+      - "html"
+      - "--template-config"
+      - "templates/report-configs/enterprise.yaml"
+    condition: "steps.scan.success"
+
+  - id: report_sarif
+    name: Generate SARIF report for IDE integration
+    command: report
+    args:
+      - "-i"
+      - "{{.output_dir}}/scan-results.json"
+      - "-o"
+      - "{{.output_dir}}/report.sarif"
+      - "-f"
+      - "sarif"
+    condition: "steps.scan.success"
+
+  - id: report_json
+    name: Generate JSON summary report
+    command: report
+    args:
+      - "-i"
+      - "{{.output_dir}}/scan-results.json"
+      - "-o"
+      - "{{.output_dir}}/summary.json"
+      - "-f"
+      - "json"
+    condition: "steps.scan.success"

package/templates/workflows/quick-probe.yaml

@@ -0,0 +1,80 @@
+# WAFtester Quick Probe Workflow
+# Fast target enumeration and WAF detection with minimal footprint
+#
+# Usage:
+#   waf-tester workflow run templates/workflows/quick-probe.yaml --input target=https://example.com
+
+name: quick-probe
+description: "Quick WAF detection, fingerprinting, and critical-only vulnerability probe"
+version: "2.0.0"
+tags:
+  - probe
+  - quick
+  - assessment
+  - recon
+
+inputs:
+  - name: target
+    description: Target URL to probe
+    required: true
+  - name: output_dir
+    description: Output directory
+    default: "./results"
+  - name: rate_limit
+    description: Requests per second limit (low for stealth)
+    default: "5"
+
+steps:
+  - id: detect
+    name: Detect WAF presence
+    command: wafdetect
+    args:
+      - "-u"
+      - "{{.target}}"
+      - "-o"
+      - "{{.output_dir}}/waf-detection.json"
+      - "--json"
+
+  - id: fingerprint
+    name: Fingerprint WAF technology
+    command: waffprint
+    args:
+      - "-u"
+      - "{{.target}}"
+      - "-o"
+      - "{{.output_dir}}/waf-fingerprint.json"
+      - "--json"
+
+  - id: quick_scan
+    name: Run quick scan (critical + high only)
+    command: run
+    args:
+      - "-u"
+      - "{{.target}}"
+      - "-s"
+      - "sqli,xss,rce,ssrf"
+      - "-c"
+      - "10"
+      - "--rate-limit"
+      - "{{.rate_limit}}"
+      - "--severity"
+      - "critical,high"
+      - "-o"
+      - "json"
+      - "--output-file"
+      - "{{.output_dir}}/quick-results.json"
+    condition: "steps.detect.success"
+
+  - id: report
+    name: Generate quick summary
+    command: report
+    args:
+      - "-i"
+      - "{{.output_dir}}/quick-results.json"
+      - "-o"
+      - "{{.output_dir}}/quick-report.html"
+      - "-f"
+      - "html"
+      - "--template-config"
+      - "templates/report-configs/minimal.yaml"
+    condition: "steps.quick_scan.success"

package/templates/workflows/waf-detection.yaml

@@ -0,0 +1,89 @@
+# WAFtester WAF Detection Workflow
+# Comprehensive WAF identification, fingerprinting, and behavior profiling
+#
+# Usage:
+#   waf-tester workflow run templates/workflows/waf-detection.yaml --input target=https://example.com
+
+name: waf-detection
+description: "Detect, fingerprint, and profile WAF technology stack"
+version: "2.0.0"
+tags:
+  - waf
+  - detection
+  - fingerprint
+  - recon
+  - profiling
+
+inputs:
+  - name: target
+    description: Target URL
+    required: true
+  - name: output_dir
+    description: Output directory
+    default: "./results"
+  - name: rate_limit
+    description: Requests per second limit
+    default: "3"
+
+steps:
+  - id: detect
+    name: Detect WAF presence
+    command: wafdetect
+    args:
+      - "-u"
+      - "{{.target}}"
+      - "-o"
+      - "{{.output_dir}}/waf-detection.json"
+      - "--json"
+
+  - id: fingerprint
+    name: Fingerprint WAF vendor and version
+    command: waffprint
+    args:
+      - "-u"
+      - "{{.target}}"
+      - "-o"
+      - "{{.output_dir}}/waf-fingerprint.json"
+      - "--json"
+
+  - id: probe_behavior
+    name: Probe WAF blocking behavior with common attacks
+    command: run
+    args:
+      - "-u"
+      - "{{.target}}"
+      - "-s"
+      - "sqli,xss,rce,lfi"
+      - "-c"
+      - "5"
+      - "--rate-limit"
+      - "{{.rate_limit}}"
+      - "-o"
+      - "json"
+      - "--output-file"
+      - "{{.output_dir}}/probe-results.json"
+    condition: "steps.detect.success"
+
+  - id: learn
+    name: Learn WAF response patterns
+    command: learn
+    args:
+      - "-u"
+      - "{{.target}}"
+      - "-o"
+      - "{{.output_dir}}/waf-profile.json"
+    condition: "steps.detect.success"
+
+  - id: report
+    name: Generate WAF detection report
+    command: report
+    args:
+      - "-i"
+      - "{{.output_dir}}/probe-results.json"
+      - "-o"
+      - "{{.output_dir}}/waf-report.html"
+      - "-f"
+      - "html"
+      - "--template-config"
+      - "templates/report-configs/minimal.yaml"
+    condition: "steps.probe_behavior.success"