Batfish
Batfish is the open-source network config validator for CI/CD, parsing firewall rules from Cisco/Juniper/Palo Alto to detect shadowed ACLs, reachability gaps, and policy inconsistencies with Python APIs for Jenkins/GitHub Actions queries. Run via Docker or JVM in pipelines for diff-based audits, outputting JSON for dashboards. Open-source from batfish, it's the net navigator for ops templating rule-safe changes without downtime.
FirewallChecker
FirewallChecker is the Z3-powered rule equivalence tester for CI, comparing IPv4 firewall configs for logical matches or diffs, outputting counterexample packets with rule traces in SARIF for GitLab merges. Deploy via .NET CLI in workflows to validate updates, suppressing ignores for clean scans. Open-source from Z3Prover, it's the logic litigator for devs templating bulletproof policy parity.
Snowdrift
Snowdrift is the unit-testing harness for firewall rules in CI, simulating TCP/UDP/DNS paths against iptables or vendor files to validate connectivity with SSH/netcat probes and range support in Azure DevOps. Install via brew for YAML tests, generating stats and traceroutes on fails. Open-source from Comcast, it's the path provoker for engineers templating empirical rule proofs in builds.
firewall_policy_analyzer
firewall_policy_analyzer is the CSV-based anomaly detector for generic firewall rules in CI, flagging shadows, correlations, and redundancies via formal models with GUI exports for GitHub PR reviews. Parse protocols/IPs/ports in pipelines, select rules for deep dives. Open-source from martimy, it's the policy pathologist for teams templating conflict-free configs.
audit-springbok
audit-springbok is the multi-vendor ACL auditor for CI, parsing Cisco ASA/Juniper/Fortinet rules to CSV for internal/distributed anomaly hunts like overlaps and upstream shadows in Jenkins gates. Run CLI exports for tree-based path checks, enabling deep blame traces. Open-source from conix-security, it's the anomaly avenger for infra pros templating distributed firewall forensics.
360-FAAR
360-FAAR is the offline Perl policy manipulator for CI, filtering/merging Checkpoint/Cisco/ScreenOS rules against logs with CIDR/text splits for rebuild outputs in dbedit/ACL commands via GitLab CI. Consistency checks on objects, extendable loops for custom flows. Open-source from Seabreg, it's the policy plumber for analysts templating log-aligned rule revamps.
firewalker
firewalker is the Jest-powered unit tester for Cloudflare WAF rules in CI, asserting request matches via wirefilter API for path regex and action validations in GitHub Actions. Construct JS payloads for complex scenarios, auto-fail on mismatches. Open-source from SerCeMan, it's the rule runner for cloud devs templating WAF logic like code.
hotcidr

