WAFtester
Use Case: CI/CD & DevSecOps

WAF Testing That Ships with Your Code

Catch WAF regressions on every push. SARIF for GitHub, SAST for GitLab, JUnit for Jenkins — native output for every pipeline.

WAF configurations drift over time. Rules get updated, new endpoints go live, vendors change policies. Without continuous testing, regressions go unnoticed until an attacker exploits them. WAFtester fits into any CI/CD pipeline — GitHub Actions, GitLab CI, Azure DevOps, Jenkins — and produces native output formats (SARIF, JUnit, GitLab SAST) so findings appear alongside your other security results. No custom parsers needed.

The Problem

WAF Rules Drift

WAF configurations change. New rules get added, existing ones get modified. Without continuous testing, regressions go unnoticed until an attacker finds them.

Security Is an Afterthought

WAF assessments happen quarterly at best. Between assessments, rule changes ship without verification. That gap is where bypasses live.

No Visibility in Dashboards

Security teams track SAST and SCA findings in GitHub Security, SonarQube, or GitLab. WAF test results live in separate spreadsheets.

GitHub Actions

Use the official GitHub Action to run WAF tests on every push or PR. Results appear in GitHub's Security tab alongside your other findings. Note that GitHub does not pass repository secrets to pull_request workflows triggered from a forked repository, so WAF_TARGET_URL is empty for fork PRs; restrict the job to pushes and same-repository PRs if your target URL is a secret.

.github/workflows/waf-test.yml
name: WAF Security Test
on:
  push:
    branches: [main]
  pull_request:
  schedule:
    - cron: '0 6 * * 1'  # Weekly, Monday 06:00 UTC (GitHub cron runs in UTC)

# Least-privilege GITHUB_TOKEN; upload-sarif requires security-events: write
permissions:
  contents: read
  security-events: write

jobs:
  waf-test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run WAFtester
        uses: waftester/waftester-action@v1
        with:
          target: ${{ secrets.WAF_TARGET_URL }}
          mode: scan
          args: --smart -o results.sarif -o results.json

      # WAFtester exits non-zero on findings, which fails the job and would
      # skip the steps below; run them anyway so the report still lands in
      # the Security tab and the artifact store
      - name: Upload to GitHub Security
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif

      - name: Archive results
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: waf-results
          path: results.json

SARIF Upload

Results in GitHub Security tab

PR Annotations

Findings appear on pull requests

Scheduled Runs

Weekly regression checks

GitLab CI

WAFtester outputs GitLab SAST format. Results appear in the GitLab Security Dashboard and merge request widgets.

.gitlab-ci.yml
waf-test:
  image: ghcr.io/waftester/waftester:latest
  stage: test
  script:
    - waf-tester scan -u $WAF_TARGET_URL --smart -o gl-sast.json
  artifacts:
    # Upload the report even when the scan exits non-zero on findings;
    # the default (on_success) would keep it out of the Security Dashboard
    when: always
    reports:
      sast: gl-sast.json
    paths:
      - gl-sast.json
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH == "main"

Azure DevOps

Run WAFtester in Azure Pipelines with npx. Export results as build artifacts or create work items automatically.

azure-pipelines.yml
- task: CmdLine@2
  displayName: WAF Security Test
  inputs:
    script: |
      npx -y @waftester/cli scan \
        -u $(WAF_TARGET_URL) \
        --smart \
        -o results.sarif \
        -o results.json

- task: PublishBuildArtifacts@1
  displayName: Publish WAF results
  # Publish even when the scan task has failed the job on findings
  condition: always()
  inputs:
    pathToPublish: results.sarif
    artifactName: waf-results

Pipeline-Native Output

WAFtester speaks the language of your pipeline. No custom parsers or format converters needed.

Format          Flag                          Consumed by
SARIF           -o results.sarif              GitHub Code Scanning, VS Code
GitLab SAST     -o gl-sast.json               GitLab Security Dashboard
SonarQube       -o results.sonarqube.json     SonarQube / SonarCloud
JUnit XML       -o results.junit.xml          Jenkins, CircleCI, any CI
JSON            -o results.json               Custom scripts, APIs
CycloneDX VEX   -o results.cdx.json           Supply chain security tools

Multiple outputs in a single run: -o report.html -o results.sarif -o data.json

Why DevSecOps Teams Choose WAFtester

Zero Dependencies

Single binary. No Python, no Java, no Ruby runtime. Install with npx, Homebrew, or download directly. Works in any container.

Streaming Output

Results stream to stdout in real-time. No waiting for the full scan to finish before seeing findings in your pipeline logs.

Exit Codes

Non-zero exit on findings. Gate deployments on WAF security: fail the build if critical bypasses are detected. Because a failing scan step stops the remaining steps by default, mark the report-upload steps to run unconditionally (if: always() in GitHub Actions, artifacts: when: always in GitLab CI, condition: always() in Azure Pipelines) so the results still reach your dashboards when the gate trips.
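As an added example (not WAFtester's own code), the following Python script turns a SARIF report into a regression gate: it fails the job only for findings that are new relative to a baseline report and at or above a chosen severity, so the weekly drift check and the PR gate can share one policy instead of failing on every finding. It depends only on the standard SARIF 2.1.0 result structure (runs[].results[] with ruleId, level, message and locations); the rule IDs, URLs and both embedded reports are constructed sample data, and the baseline-plus-threshold workflow is this example's assumption, not a documented WAFtester feature.

```python
"""Gate a CI job on WAF findings that are new relative to a baseline SARIF.

Added example for this page, not WAFtester code. It relies only on the
standard SARIF 2.1.0 layout; the embedded reports, rule IDs and URLs are
constructed sample data.
"""
import json
import sys

# SARIF result levels in increasing severity; a missing level defaults to
# "warning" per the SARIF specification.
LEVELS = {"none": 0, "note": 1, "warning": 2, "error": 3}
DEFAULT_LEVEL = "warning"


def _result(rule_id, level, uri, text):
    """Build one SARIF result object (helper for the constructed samples)."""
    return {
        "ruleId": rule_id,
        "level": level,
        "message": {"text": text},
        "locations": [{"physicalLocation": {"artifactLocation": {"uri": uri}}}],
    }


def _report(results):
    """Wrap results in a minimal SARIF 2.1.0 document (constructed)."""
    return json.dumps({
        "version": "2.1.0",
        "runs": [{"tool": {"driver": {"name": "constructed-waf-scan"}},
                  "results": results}],
    })


# Constructed baseline: one known bypass that is already tracked.
BASELINE_SARIF = _report([
    _result("EX-SQLI-001", "error", "https://target.example/login",
            "Payload passed the WAF (accepted, ticket open)"),
])

# Constructed current run: the baseline finding, one new bypass, one note.
CURRENT_SARIF = _report([
    _result("EX-SQLI-001", "error", "https://target.example/login",
            "Payload passed the WAF"),
    _result("EX-SQLI-002", "error", "https://target.example/api/search",
            "Payload passed the WAF"),
    _result("EX-INFO-001", "note", "https://target.example/",
            "Server header disclosed"),
])


def finding_key(result):
    """Stable identity of a result: (ruleId, first location URI).

    Message text is deliberately excluded so the key survives a scanner
    rewording its messages between versions.
    """
    uri = ""
    for loc in result.get("locations", []):
        uri = (loc.get("physicalLocation", {})
                  .get("artifactLocation", {})
                  .get("uri", ""))
        if uri:
            break
    return (result.get("ruleId", ""), uri)


def load_findings(sarif_text):
    """Map finding_key -> result for every result in every run."""
    findings = {}
    for run in json.loads(sarif_text).get("runs", []):
        for res in run.get("results", []):
            findings[finding_key(res)] = res
    return findings


def new_findings(current_sarif, baseline_sarif, min_level="warning"):
    """Keys present in current, absent from baseline, at/above min_level."""
    threshold = LEVELS[min_level]
    known = load_findings(baseline_sarif)
    out = []
    for key, res in load_findings(current_sarif).items():
        if key in known:
            continue  # already accepted in the baseline
        level = LEVELS.get(res.get("level", DEFAULT_LEVEL), LEVELS[DEFAULT_LEVEL])
        if level >= threshold:
            out.append(key)
    return sorted(out)


def gate(current_sarif, baseline_sarif, min_level="warning"):
    """Process exit code: 0 when nothing new crosses the threshold, else 1."""
    return 1 if new_findings(current_sarif, baseline_sarif, min_level) else 0


def main(argv):
    # Usage: gate.py current.sarif baseline.sarif [min_level]
    # With no arguments the embedded constructed reports are used.
    if len(argv) >= 3:
        current = open(argv[1], encoding="utf-8").read()
        baseline = open(argv[2], encoding="utf-8").read()
        level = argv[3] if len(argv) > 3 else DEFAULT_LEVEL
    else:
        current, baseline, level = CURRENT_SARIF, BASELINE_SARIF, DEFAULT_LEVEL
    for rule_id, uri in new_findings(current, baseline, level):
        print(f"NEW {rule_id} at {uri}")
    return gate(current, baseline, level)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In a pipeline this runs after the scan step, with the last successful main-branch results.sarif (for example, downloaded from that run's artifact) as the baseline. If the tool's own non-zero exit is too coarse for your policy, let the scan step fail without failing the job (continue-on-error: true in GitHub Actions) and let this gate's exit code decide.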

Docker Images

Multi-arch images on GHCR and Docker Hub. Use ghcr.io/waftester/waftester:latest in any containerized pipeline; for reproducible runs, pin to a release tag or image digest rather than latest.

WAFtester can also generate pipeline configs for you: waf-tester cicd -p github-actions. See the CI/CD cheat sheet for more commands, the Compliance & Benchmarking guide for scoring thresholds, or the documentation for installation and troubleshooting.

Ready to Try It?

One command to install. One command to scan. Real results in seconds.

$ npm install -g @waftester/cli