Purple Wolf – A fast, verifiable WAF for Traefik

Vicbona1 pts0 comments

Traefik WASM WAF · v0.4.1 released

A fast, verifiable WAF for Traefik.

Purple Wolf runs as a Traefik WASM plugin, ships signed release artifacts, publishes SBOMs and digest-pinned images, and supports a monitor-first Kubernetes rollout through Helm and Kustomize.

Traefik WASM plugin

Signed artifacts

SPDX SBOMs

Helm OCI chart

Monitor-first rollout

Built for rollout, not shelfware

Three teams, one request path.

Security engineers

Threat boundaries, signed releases, SBOMs, and HMAC-signed relay events for SIEM or tenant webhook delivery.

DevOps and Kubernetes operators

Helm, Kustomize, hardened container defaults, digest-pinned images, and monitor-first rollout guidance.

Traefik users

A WASM plugin that fits Traefik Middleware workflows, with a local demo and monitor/enforce examples.

Benchmark snapshot

Low overhead, bounded claims.

Same Traefik http-wasm shape, same resource budget, same yardstick. This is not a claim that Purple Wolf is better than every Coraza deployment or every WAF mode.

+0.1-0.2 ms: isolated p99 WAF overhead

~8,000 RPS: sustained under tested resources

80-96 MiB: memory band during soak

14.55% vs 6.11%: detection in same-shape http-wasm comparison

How it works

Inline inspection, out-of-band audit delivery.

01. Traefik receives the request

Attach Purple Wolf Middleware to selected routes without changing your backend service.

02. The WASM plugin inspects

Headers, URL, query parameters, and capped request bodies are evaluated in the request path.

03. The relay fans out audit events

Run the relay when signed webhook delivery to SIEM, Slack bridges, or tenant subscribers is needed.

Install paths

Try locally, then roll out deliberately.

Local demo

Traefik, Purple Wolf WASM, backend echo service, relay, and HMAC-verifying subscriber.

docker compose -f examples/demo/docker-compose.yml up --build

Helm OCI chart

Install monitor-mode examples without attaching them to production routes automatically.

helm install purple-wolf oci://ghcr.io/guaracloud/charts/purple-wolf \
  --version 0.4.1 \
  -f charts/purple-wolf/values.monitor.yaml

Kustomize

Start from the monitor-mode overlay and attach Middleware route by route.

kubectl apply -k deploy/kubernetes/overlays/monitor-mode

Verify before production

Install by digest, not by hope.

Every public release includes a manifest, signatures, checksums, SBOMs, image digests, and the Helm chart digest.

release-manifest.json

Cosign signatures

SPDX SBOMs

GHCR image digests

Helm OCI digest

Rollout model

Monitor first. Enforce deliberately.

Install monitor-mode examples.

Attach purple-wolf-monitor to selected routes.

Inspect audit events and webhook output.

Tune policy and body limits.

Opt into enforce mode route by route.
