vaultsovereign/vm-cloudflare
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity
Files
37a867c485b26e863afdaf8dbe514dc99563add2
vm-cloudflare/mcp/waf_intelligence/generator.py
Vault Sovereign 37a867c485 Initial commit: Cloudflare infrastructure with WAF Intelligence 
- Complete Cloudflare Terraform configuration (DNS, WAF, tunnels, access)
- WAF Intelligence MCP server with threat analysis and ML classification
- GitOps automation with PR workflows and drift detection
- Observatory monitoring stack with Prometheus/Grafana
- IDE operator rules for governed development
- Security playbooks and compliance frameworks
- Autonomous remediation and state reconciliation
2025-12-16 18:31:53 +00:00

121 lines
3.6 KiB
Python
Raw Blame History

from __future__ import annotations
from dataclasses import dataclass, field
from typing import Dict, List, Optional
@dataclass
class GeneratedRule:
"""Represents a Terraform WAF rule we propose to add."""
name: str
description: str
terraform_snippet: str
severity: str # "low" | "medium" | "high" | "critical"
tags: List[str] = field(default_factory=list)
notes: Optional[str] = None
impact_score: float = 0.5 # 0-1: estimated security impact
effort_score: float = 0.5 # 0-1: estimated effort to implement
class WAFRuleGenerator:
"""
Generate Cloudflare WAF Terraform rules with a quality-first strategy.
"""
def generate_from_scenario(
self,
scenario: str,
*,
limit: int = 3,
max_effort: float = 0.8,
) -> List[GeneratedRule]:
"""
Return a small set of high-impact, reasonable-effort rules.
"""
scenario_lower = scenario.lower()
candidates: List[GeneratedRule] = []
if "sql injection" in scenario_lower or "sqli" in scenario_lower:
candidates.append(self._sql_injection_rule())
if "xss" in scenario_lower:
candidates.append(self._xss_rule())
# If nothing matched, fallback to baseline
if not candidates:
candidates.append(self._baseline_waf_rule())
# Filter by effort & sort by impact
filtered = [r for r in candidates if r.effort_score <= max_effort]
if not filtered:
filtered = candidates
filtered.sort(key=lambda r: (-r.impact_score, r.effort_score))
return filtered[:limit]
def _sql_injection_rule(self) -> GeneratedRule:
snippet = '''resource "cloudflare_ruleset" "waf_sqli_protection" {
# TODO: adjust zone_id / account_id and phase for your setup
name = "WAF - SQLi protection"
kind = "zone"
phase = "http_request_firewall_managed"
rules = [{
action = "block"
expression = "(cf.waf.ruleset eq \\"sqli\\")"
enabled = true
}]
}
'''
return GeneratedRule(
name="waf_sqli_protection",
description="Enable blocking against SQL injection attempts using Cloudflare managed rules.",
terraform_snippet=snippet,
severity="high",
tags=["sqli", "managed_rules", "waf"],
impact_score=0.95,
effort_score=0.3,
)
def _xss_rule(self) -> GeneratedRule:
snippet = '''resource "cloudflare_ruleset" "waf_xss_protection" {
name = "WAF - XSS protection"
kind = "zone"
phase = "http_request_firewall_managed"
rules = [{
action = "block"
expression = "(cf.waf.ruleset eq \\"xss\\")"
enabled = true
}]
}
'''
return GeneratedRule(
name="waf_xss_protection",
description="Enable blocking against cross-site scripting (XSS) attacks.",
terraform_snippet=snippet,
severity="high",
tags=["xss", "managed_rules", "waf"],
impact_score=0.9,
effort_score=0.3,
)
def _baseline_waf_rule(self) -> GeneratedRule:
snippet = '''# Baseline WAF hardening (placeholder - customize for your environment)
# Consider enabling Cloudflare managed WAF rulesets for:
# - SQLi
# - XSS
# - RCE
# - Bot protection
'''
return GeneratedRule(
name="waf_baseline_hardening",
description="Baseline recommendation to enable managed WAF rulesets.",
terraform_snippet=snippet,
severity="medium",
tags=["baseline", "waf"],
impact_score=0.7,
effort_score=0.1,
)
Reference in New Issue View Git Blame Copy Permalink