Cloud Imports
netbobr can import native cloud firewall configurations from 6 platforms, extracting flows and analyzing them against all 6 compliance frameworks. Both the browser app (drag-and-drop) and the CLI support cloud format imports with automatic format detection.
Format Comparison
| Format | CLI Flag | Browser | Auto-Detect | Match Rate (CLI) | Match Rate (Browser) |
|---|---|---|---|---|---|
| AWS Security Groups | aws-sg | Yes | Yes | 79.5% | 79.5% |
| Azure NSG | azure-nsg | Yes | Yes | 97.0% | 97.0% |
| GCP Firewall Rules | gcp-fw | Yes | Yes | 79.5% | 79.5% |
| Terraform Plan JSON | tf-plan | Yes | Yes | 97.0% | 97.0% |
| Terraform HCL | -- | Yes (browser only) | Yes | -- | 10.3% |
| Kubernetes NetworkPolicy | k8s-netpol | Yes | Yes | 77.3% | 77.3% |
Match rates are measured against a 400-rule CSV baseline covering wide-open rules, risky ports, container ports, database ports, ICMP, port ranges, protocol variety, CIDR ranges, and edge cases.
How It Works
- Export your firewall configuration from your cloud provider using the provider's CLI or console
- Upload the exported file by dragging it onto the browser import area, or pipe it to the CLI
- Analyze -- netbobr automatically detects the format, extracts individual flows, and evaluates each flow against all 6 compliance frameworks (PCI-DSS, CIS Controls, NIST 800-53, NIS2, DORA, MITRE ATT&CK)
Each parsed flow receives a risk score (0-100), compliance findings, and zone assignments just like manually entered flows.
Browser vs CLI
Both the browser and CLI use automatic format detection -- you do not need to specify the format manually (though the CLI accepts --cloud-format for explicit selection).
| Capability | Browser | CLI |
|---|---|---|
| Formats supported | 6 (including TF HCL) | 5 (no TF HCL) |
| Auto-detection | Yes (auto) | Yes (auto or explicit --cloud-format) |
| Field accuracy | 100% on matched flows | 100% on matched flows |
| Output formats | Interactive table, CSV export, PDF | JSON, CSV, table, SARIF, PDF |
| CI/CD integration | -- | Exit codes, SARIF upload |
The browser includes a Terraform HCL parser that handles basic .tf files. The CLI does not support HCL -- use terraform show -json to convert HCL to plan JSON first.
In the browser, cloud imports are subject to the same 500-row limit as CSV imports. Cloud configs can expand into many flows (each rule multiplies source prefixes × destination prefixes × port ranges); flows beyond the first 500 are ignored and the upload status reports how many were dropped.
When flows match between CLI and browser, risk scores, risk levels, and verdicts are identical (100% field accuracy).
Platform Pages
- AWS Security Groups --
aws ec2 describe-security-groupsoutput - Azure NSG --
az network nsg show/az network nsg listoutput - GCP Firewall Rules --
gcloud compute firewall-rules listoutput - Terraform Plan JSON --
terraform show -jsonoutput - Terraform HCL --
.tffiles (browser only) - Kubernetes NetworkPolicy --
kubectl get networkpolicy -o yamloutput
See Also
- CSV Import -- bulk-validate up to 500 firewall rules from a CSV file
- GitHub Actions -- integrate cloud format analysis into CI/CD pipelines