Traefik WASM WAF · v0.3 released

A fast, verifiable WAF for Traefik.

Purple Wolf runs as a Traefik WASM plugin, ships signed release artifacts, publishes SBOMs and digest-pinned images, and supports a monitor-first Kubernetes rollout through Helm and Kustomize.

  • Traefik WASM plugin
  • Signed artifacts
  • SPDX SBOMs
  • Helm OCI chart
  • Monitor-first rollout

Built for rollout, not shelfware

Three teams, one request path.

Security engineers

Threat boundaries, signed releases, SBOMs, and HMAC-signed relay events for SIEM or tenant webhook delivery.

Read the threat model

DevOps and Kubernetes operators

Helm, Kustomize, hardened container defaults, digest-pinned images, and monitor-first rollout guidance.

Open production notes

Traefik users

A WASM plugin that fits Traefik Middleware workflows, with a local demo and monitor/enforce examples.

Run the local demo

Benchmark snapshot

Low overhead, bounded claims.

Same Traefik http-wasm shape, same resource budget, same yardstick. This is not a claim that Purple Wolf is better than every Coraza deployment or every WAF mode.

+0.1-0.2 ms isolated p99 WAF overhead
~8,000 RPS sustained under tested resources
80-96 MiB memory band during soak
14.55% vs 6.11% detection in same-shape http-wasm comparison
Read the full methodology and caveats

How it works

Inline inspection, out-of-band audit delivery.

01. Traefik receives the request

Attach Purple Wolf Middleware to selected routes without changing your backend service.

02. The WASM plugin inspects

Headers, URL, query parameters, and capped request bodies are evaluated in the request path.

03. The relay fans out audit events

Run the relay when signed webhook delivery to SIEM, Slack bridges, or tenant subscribers is needed.

Install paths

Try locally, then roll out deliberately.

Local demo

Traefik, Purple Wolf WASM, backend echo service, relay, and HMAC-verifying subscriber.

docker compose -f examples/demo/docker-compose.yml up --build

Helm OCI chart

Install monitor-mode examples without attaching them to production routes automatically.

helm install purple-wolf oci://ghcr.io/guaracloud/charts/purple-wolf \
  --version 0.3.0 \
  -f charts/purple-wolf/values.monitor.yaml

Kustomize

Start from the monitor-mode overlay and attach Middleware route by route.

kubectl apply -k deploy/kubernetes/overlays/monitor-mode

Verify before production

Install by digest, not by hope.

Every public release includes a manifest, signatures, checksums, SBOMs, image digests, and the Helm chart digest.

  • release-manifest.json
  • Cosign signatures
  • SPDX SBOMs
  • GHCR image digests
  • Helm OCI digest
Open verification guide

Rollout model

Monitor first. Enforce deliberately.

  1. Install monitor-mode examples.
  2. Attach purple-wolf-monitor to selected routes.
  3. Inspect audit events and webhook output.
  4. Tune policy and body limits.
  5. Opt into enforce mode route by route.