4.1. assess Command
Run a comprehensive Cloudflare security assessment against your account and zones.
4.1.1. Usage
flareinspect assess [options]
4.1.2. Options

| Option | Description | Default |
|---|---|---|
| | Cloudflare API token (required) | — |
| | Output file path for assessment results | Auto-generated timestamped file |
| | Output format: | |
| | Skip automatic export of results | — |
| | CI/CD mode: JSON to stdout, no spinners, exit codes by threshold | — |
| | Minimum security score (0-100) to pass in CI mode | — |
| | Fail if any finding at or above severity | — |
| | Comma-separated list of zone names to assess | All zones |
| | Comma-separated list of zone names to exclude | — |
| | Comma-separated list of check categories to run | All categories |
| | Number of zones to assess in parallel | |
| | Generate compliance report: | — |
| | Data sensitivity level: | — |
| | Enable debug logging | — |

4.1.3. Check Categories
The following 34 check categories can be targeted with --checks:

| Category | Description |
|---|---|
| | Account-level settings and configuration |
| | Account-scope WAF / DDoS coverage |
| | Cloudflare Access application depth (allow-everyone, MFA, posture) |
| | AI Gateway security configuration |
| | API gateway and shielding configuration |
| | Attack surface reduction rules |
| | Bot management and mitigation |
| | Cache security and configuration |
| | CASB open critical/high findings |
| | Leaked credentials detection |
| | Custom hostname security |
| | L7 DDoS posture |
| | Data Loss Prevention policies |
| | DNS record security and resolution |
| | Email routing & SPF / DKIM / DMARC |
| | Cloud Email Security policies |
| | Secure Web Gateway policies |
| | Load Balancing posture |
| | Log push destination and coverage |
| | Magic Firewall / Magic Transit rulesets |
| | Mutual TLS authentication settings |
| | Security notification policies (4 alert types) |
| | Page Shield script monitoring |
| | Cloudflare Pages deployment security |
| | Performance settings (Brotli, HTTP/2-3, cache deception armor) |
| | Device posture rules |
| | Browser Isolation policies |
| | Rules / rate-limit rules |
| | Security Center insights |
| | Security.txt presence and validity |
| | Cache and transform snippets |
| | Spectrum (TCP/UDP) configuration |
| | SSL/TLS certificate and configuration |
| | Workers KV / D1 / Queues inventory |
| | Cloudflare Tunnels configuration |
| | Turnstile configuration |
| | Web Application Firewall rules and policies |
| | Workers script inventory and plaintext-secret bindings |
| | Zaraz third-party tools and consent |
| | Zero Trust network access configuration |

Note
Several category names have aliases (e.g. leaked-credentials → credentials, magic-firewall → magic, device-posture → posture, browser-isolation → rbi). The full alias map is in src/core/services/assessmentService.js.
4.1.4. CI Mode
CI mode is designed for automated pipelines. It:
- Outputs the full assessment JSON to stdout (no spinners or banners)
- Suppresses all interactive terminal output
- Sets the process exit code based on --threshold and --fail-on
4.1.4.1. Exit Code Logic

| Condition | Exit Code |
|---|---|
| Assessment passes threshold and severity gate | |
| Overall score < | |
| Any finding at or above | |
| Assessment itself fails (invalid token, API error) | |

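The gate described above, as an added example (not flareinspect's own code): a pure function that applies a minimum score and a severity floor to an assessment report. The report field names (`score`, `findings[].severity`) and the severity ladder are assumptions, since this page gives neither the JSON schema nor the exit code numbers; the function therefore returns reasons rather than exit codes.

```javascript
// Added illustration of the CI gate; not flareinspect's own code.
// Assumed: this severity ladder and the report field names used below.
const SEVERITY_ORDER = ['info', 'low', 'medium', 'high', 'critical'];

// Unknown severities throw, so a malformed report fails closed
// instead of silently passing the gate.
function severityRank(name) {
  const rank = SEVERITY_ORDER.indexOf(String(name).toLowerCase());
  if (rank === -1) throw new Error(`unknown severity: ${name}`);
  return rank;
}

// Returns { pass, reasons } for a report under the given gate options.
// threshold: minimum score 0-100 (optional); failOn: severity name (optional).
function evaluateGate(report, { threshold, failOn } = {}) {
  const reasons = [];

  if (threshold !== undefined) {
    if (!Number.isFinite(threshold) || threshold < 0 || threshold > 100) {
      throw new RangeError('threshold must be between 0 and 100');
    }
    // Fails only when strictly below the threshold; an equal score passes.
    if (report.score < threshold) {
      reasons.push(`score ${report.score} < threshold ${threshold}`);
    }
  }

  if (failOn !== undefined) {
    const floor = severityRank(failOn);
    // "At or above": a floor of high also trips on critical findings.
    const hits = report.findings.filter((f) => severityRank(f.severity) >= floor);
    if (hits.length > 0) {
      reasons.push(`${hits.length} finding(s) at or above ${failOn}`);
    }
  }

  return { pass: reasons.length === 0, reasons };
}

// Constructed sample report (not real tool output).
const sampleReport = {
  score: 80,
  findings: [{ severity: 'medium' }, { severity: 'critical' }],
};
```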
4.1.5. Examples
Basic Assessment
flareinspect assess --token $CLOUDFLARE_TOKEN
Targeted Assessment
flareinspect assess --token $CLOUDFLARE_TOKEN --zones example.com --checks dns,ssl,waf
CI/CD with Gating
flareinspect assess --token $CLOUDFLARE_TOKEN --ci --threshold 80 --fail-on high
With Compliance Report
flareinspect assess --token $CLOUDFLARE_TOKEN --compliance cis --sensitivity high