If you do acceptance or audit work on Huawei gear, you've hit this wall:
- Batfish explicitly marks Huawei VRP as unsupported.
- ntc-templates parses `display`/`show` command output, not config files.
- So you're back to grep + screenshots over `display current-configuration`.
vrp-ir fills exactly that gap, and 0.9.0 is out.
What it does
It parses an offline Huawei VRP/USG config into a typed model where every value carries a SourceRef back to its exact file:line — then turns that into a security acceptance audit where every finding cites the line it's based on.
```shell
pip install vrp-ir
vrp-ir audit firewall.cfg          # Markdown report, every finding line-cited
vrp-ir audit firewall.cfg --strict # exit 1 on FAIL -> drop it in CI
```
New in 0.9.0
- SARIF + JUnit output — pipe the audit into GitHub/GitLab code scanning or a CI gate. A permit-any rule or cleartext Telnet now fails the build with the line.
- SNMPv3 checks (+ 16 others: cleartext mgmt, weak SSH ciphers, missing NTP, default-deny, permit-scope, address-set-resolves-to-any…). 17 checks total.
- GB18030 / Chinese configs parse cleanly — real-world configs, not just ASCII.
- Evidence policy — "no source, no claim": a finding never asserts PASS/FAIL without a cited line; coverage gaps are surfaced, not hidden.
- Advisory standards mapping to common control domains (incl. China's MLPS Level 3/4) — advisory, not a certification.
Zero runtime dependencies. Apache-2.0.
Why provenance matters
An audit tool's worst failure is a wrong finding that looks authoritative. So vrp-ir's rule is the opposite of most linters: if it can't trace a fact to a source line, it says so (UNCHECKED) rather than bluffing a pass.
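To make the provenance idea concrete, here is a small added illustration (constructed for this post, not vrp-ir's own code or model): each config statement keeps a `SourceRef` to its file:line, every check must cite a statement before it may say PASS or FAIL, absence of evidence yields UNCHECKED, and the findings are rendered as a minimal SARIF 2.1.0 document with the cited line in `region.startLine`. The check names, the sample config and the `SourceRef`/`Finding` classes are this example's own assumptions; only the VRP command strings are real syntax.

```python
"""Line-cited config findings: a constructed illustration, not vrp-ir's code."""
from dataclasses import dataclass
from typing import Callable, Optional
import json


@dataclass(frozen=True)
class SourceRef:
    """Exact file:line a fact was read from (assumed shape, not vrp-ir's)."""
    file: str
    line: int


@dataclass(frozen=True)
class Stmt:
    text: str
    ref: SourceRef


@dataclass(frozen=True)
class Finding:
    check: str
    status: str               # "PASS", "FAIL" or "UNCHECKED"
    message: str
    ref: Optional[SourceRef]  # None is only allowed when status is UNCHECKED


def parse_config(text: str, filename: str) -> list[Stmt]:
    """Keep every non-empty, non-separator line together with where it came from."""
    stmts = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if line and line != "#":
            stmts.append(Stmt(line, SourceRef(filename, lineno)))
    return stmts


def first_match(stmts: list[Stmt], pred: Callable[[str], object]) -> Optional[Stmt]:
    return next((s for s in stmts if pred(s.text)), None)


def check_cleartext_telnet(stmts: list[Stmt]) -> Finding:
    hit = first_match(stmts, lambda t: t == "telnet server enable")
    if hit:
        return Finding("cleartext-telnet", "FAIL", "Telnet server is enabled", hit.ref)
    off = first_match(stmts, lambda t: t == "undo telnet server enable")
    if off:
        return Finding("cleartext-telnet", "PASS", "Telnet server explicitly disabled", off.ref)
    # No statement either way: we cannot cite a line, so we do not claim a pass.
    return Finding("cleartext-telnet", "UNCHECKED", "no telnet server statement in config", None)


def check_ntp(stmts: list[Stmt]) -> Finding:
    hit = first_match(stmts, lambda t: t.startswith("ntp-service unicast-server "))
    if hit:
        return Finding("ntp-configured", "PASS", "NTP unicast server configured", hit.ref)
    return Finding("ntp-configured", "UNCHECKED", "no ntp-service unicast-server line found", None)


def check_snmp_v3_only(stmts: list[Stmt]) -> Finding:
    def versions(t: str) -> set[str]:
        return set(t.split()[3:]) if t.startswith("snmp-agent sys-info version") else set()
    weak = first_match(stmts, lambda t: versions(t) & {"v1", "v2c"})
    if weak:
        return Finding("snmp-v3-only", "FAIL", "SNMP v1/v2c enabled", weak.ref)
    v3 = first_match(stmts, lambda t: versions(t) == {"v3"})
    if v3:
        return Finding("snmp-v3-only", "PASS", "SNMP restricted to v3", v3.ref)
    return Finding("snmp-v3-only", "UNCHECKED", "no snmp-agent sys-info version line found", None)


CHECKS = [check_cleartext_telnet, check_ntp, check_snmp_v3_only]


def audit(text: str, filename: str) -> list[Finding]:
    stmts = parse_config(text, filename)
    return [check(stmts) for check in CHECKS]


def to_sarif(findings: list[Finding], tool_name: str = "example-audit") -> dict:
    """Minimal SARIF 2.1.0: FAIL -> error with a location; UNCHECKED -> kind 'review', no location."""
    kinds = {"PASS": "pass", "FAIL": "fail", "UNCHECKED": "review"}
    results = []
    for f in findings:
        r = {"ruleId": f.check, "kind": kinds[f.status],
             "level": "error" if f.status == "FAIL" else "none",
             "message": {"text": f.message}}
        if f.ref is not None:
            r["locations"] = [{"physicalLocation": {
                "artifactLocation": {"uri": f.ref.file},
                "region": {"startLine": f.ref.line}}}]
        results.append(r)
    return {"version": "2.1.0",
            "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
            "runs": [{"tool": {"driver": {"name": tool_name}}, "results": results}]}


def exit_code(findings: list[Finding], strict: bool = True) -> int:
    """--strict semantics: any FAIL breaks the build; UNCHECKED is reported, not failed."""
    return 1 if strict and any(f.status == "FAIL" for f in findings) else 0


# Constructed sample config (not from a real device); line numbers matter for the citations.
SAMPLE_CFG = """\
#
sysname FW-EDGE-01
#
telnet server enable
stelnet server enable
#
ntp-service unicast-server 10.0.0.1
#
return
"""

if __name__ == "__main__":
    findings = audit(SAMPLE_CFG, "firewall.cfg")
    for f in findings:
        where = f"{f.ref.file}:{f.ref.line}" if f.ref else "(no source)"
        print(f"{f.status:9} {f.check:18} {where:18} {f.message}")
    print(json.dumps(to_sarif(findings), indent=2))
    raise SystemExit(exit_code(findings))
```

Run it and the Telnet finding cites `firewall.cfg:4`, NTP passes citing line 7, and the SNMP check comes back UNCHECKED with no location rather than a silent pass, which is the behaviour the "no source, no claim" policy is after.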
It's the open core of AegisTwin (acceptance at scale). The single most useful contribution is a real, de-identified config we parse wrong — that's the best possible issue.