1. Getting Started
This guide walks you through running your first Cloudflare security assessment with FlareInspect.
1.1. Prerequisites

| Requirement | Details |
|---|---|
| Node.js | Version 20 or later |
| Cloudflare account | With zones you want to assess |
| API token | Cloudflare API token with read permissions (see below) |
1.2. Create a Cloudflare API Token
FlareInspect requires a Cloudflare API token with read-only access to the resources it assesses.

1. Log in to the Cloudflare dashboard.
2. Navigate to My Profile → API Tokens.
3. Click Create Token.
4. Select Create Custom Token (or start from a template).
5. Configure the following permissions:

| Permission | Scope | Access |
|---|---|---|
| Zone → Zone | All zones (or specific zones) | Read |
| Zone → DNS | All zones | Read |
| Zone → SSL and Certificates | All zones | Read |
| Zone → Firewall Services | All zones | Read |
| Account → Account Settings | All accounts | Read |

6. Optionally restrict the token to specific zone or account resources.
7. Click Continue to summary, then Create Token.
8. Copy the token value — you will pass it to FlareInspect via the `--token` flag or the `CLOUDFLARE_TOKEN` environment variable.

Tip: Store the token securely. Avoid committing it to source repositories. Use environment variables or a secret manager in CI/CD pipelines.
1.3. First Assessment
Run your first assessment against all zones in your Cloudflare account:

```shell
flareinspect assess --token YOUR_CLOUDFLARE_TOKEN
```

Or, if installed from source:

```shell
node src/cli/index.js assess --token YOUR_CLOUDFLARE_TOKEN
```

FlareInspect scans your account and zones, runs all check categories, and prints a summary to the terminal. Results are also saved to a timestamped JSON file (e.g. `flareinspect-20260412-143000.json`).

1.3.1. Scope to Specific Zones
Assess only selected zones:

```shell
flareinspect assess --token YOUR_CLOUDFLARE_TOKEN --zones example.com,staging.example.com
```

1.3.2. Run Specific Check Categories
Run only DNS and SSL checks:

```shell
flareinspect assess --token YOUR_CLOUDFLARE_TOKEN --checks dns,ssl
```
1.4. Understanding the Output
After each assessment, FlareInspect displays a summary with these components:

1.4.1. Grade and Score

| Component | Description |
|---|---|
| Grade | Letter grade from A (best) to F (worst), derived from the numeric score |
| Score | Numeric score from 0 to 100, calculated from pass/fail findings weighted by severity |

1.4.2. Findings by Severity
Each finding has a severity level:

| Severity | Meaning |
|---|---|
| Critical | Immediate risk — requires urgent remediation |
| High | Significant security gap — should be addressed soon |
| Medium | Moderate risk — remediation recommended |
| Low | Minor issue or informational — review when convenient |
1.4.3. Attack paths (v2.0)
Since v2.0 the assessment also produces a resource graph (14 node types, 8 edge types) and runs five rule-based attack-path detectors that connect findings into chains of exposure (exposed-origin, weak-transport, open-access-app, tunnel-without-access, worker-plaintext-secret). Open the dashboard's Posture map page to visualise them, or query the graph via `GET /api/posture/graph`. See Resource Graph for the data model.

1.4.4. Top Risks
The summary highlights the most impactful failed checks so you can prioritize remediation.
1.5. Generate an HTML Report
Convert a saved assessment JSON file into a shareable HTML report:

```shell
flareinspect export -i flareinspect-20260412-143000.json -f html -o report.html
```

Open `report.html` in any browser to view the full interactive report.

1.6. Compare Two Runs
Use the `diff` command to compare a baseline assessment against a current run and detect security posture drift:

```shell
flareinspect diff --baseline baseline.json --current latest.json
```

The diff output shows new findings, resolved findings, regressions, and improvements. An exit code of 1 indicates at least one regression was detected.

For a Markdown-formatted drift report:

```shell
flareinspect diff --baseline baseline.json --current latest.json -f markdown -o drift-report.md
```
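The assess, export and diff commands from sections 1.3 to 1.6 combined into a CI wrapper that reads the token from `CLOUDFLARE_TOKEN`, fails the job on drift, and distinguishes a regression (exit code 1) from a tool failure. This is an added example, not part of FlareInspect; it assumes `flareinspect` is on PATH, that the results file matches `flareinspect-*.json` as in the example filename above, and that `baseline.json` is checked in beside the script.

```shell
#!/bin/sh
# CI wrapper around the FlareInspect commands shown in this guide (added example,
# not part of FlareInspect). Assumes: `flareinspect` on PATH, results written as
# flareinspect-*.json, and baseline.json present in the working directory.
set -eu

# The token must come from the CI secret store as CLOUDFLARE_TOKEN; a token
# passed with --token would be visible in job logs and process listings.
require_token() {
  if [ -z "${CLOUDFLARE_TOKEN:-}" ]; then
    echo "CLOUDFLARE_TOKEN is not set; refusing to run" >&2
    return 1
  fi
}

# Map the `flareinspect diff` exit code to a verdict: 0 = no regressions,
# 1 = at least one regression (per this guide), anything else = tool failure.
classify_diff_exit() {
  case "$1" in
    0) echo clean ;;
    1) echo regression ;;
    *) echo error ;;
  esac
}

# Run the assessment (optionally scoped by FLAREINSPECT_ZONES), send the
# terminal summary to the job log, and print the newest results file path.
run_assessment() {
  set -- assess
  if [ -n "${FLAREINSPECT_ZONES:-}" ]; then
    set -- "$@" --zones "$FLAREINSPECT_ZONES"
  fi
  flareinspect "$@" >&2
  ls -t flareinspect-*.json | head -n 1
}

main() {
  require_token
  current=$(run_assessment)
  rc=0
  flareinspect diff --baseline baseline.json --current "$current" \
    -f markdown -o drift-report.md || rc=$?
  flareinspect export -i "$current" -f html -o report.html
  verdict=$(classify_diff_exit "$rc")
  echo "drift verdict: $verdict (see drift-report.md and report.html)"
  [ "$verdict" = clean ]   # non-zero exit fails the pipeline on regression or error
}

# Run as `sh flareinspect-ci.sh run`; sourcing the file only defines the functions.
if [ "$#" -gt 0 ] && [ "$1" = run ]; then main; fi
```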
1.7. Where to go next

- Posture Map — visualise the resource graph + attack paths in the dashboard
- SIEM — ship findings to Elasticsearch or Splunk HEC
- MCP Server — drive the full assess → plan → apply loop from an MCP-aware agent
- Resource Graph — the typed node/edge model and the five attack-path detectors