Skip to main content

Cloudflare Executive Report - CLI for multi-zone reporting and cache

Project description

☁️ Cloudflare Executive Report

Turn Cloudflare analytics into executive-ready PDF reports with security scores, NIST mappings, and multi-zone portfolio views.

Security: Read-Only PyPI version Python 3.11+ License Coverage


🎯 Why this tool exists

Cloudflare dashboard data is great for daily ops, but executives need more:

Problem Solution
📅 Dashboard only shows recent data Historical windows beyond convenience
🌍 One zone at a time One report across many zones
📄 Raw numbers, no narrative Reusable PDFs with risk scoring and actions
🔍 Too much detail Concise leadership summaries

Cloudflare Executive Report fills that gap with local caching and deterministic PDF generation.


✨ What you get

Feature What it does for you
💾 Historical cache Sync once, generate reports later - no re-querying
🌍 Multi-zone portfolio One page with score, grade, and risks across all zones
📋 Executive summary Verdict, KPIs, takeaways, and actions per zone
🎯 Security score 0-100 + grade, based on real risk takeaways
🔐 NIST mapping Compliance context for auditors
📧 Email delivery Auto-send PDFs via SMTP after generation
🎨 Brand colors Match your company's primary/accent colors

📊 See it in action

Try the sample reports (generated from synthetic data):

Minimal Executive Detailed High Quality*
📄 View PDF 📊 View PDF 🔬 View PDF View PDF

*SVG/high quality = larger file size, sharper visuals for printing


🚀 Quick start (30 seconds)

pip install cloudflare-executive-report
cf-report init
cf-report sync --last 30
cf-report report -o security-report.pdf

That's it. You just generated your first executive report.


🎚️ Report profiles (choose your depth)

Profile Cover Portfolio Zone summary Details Best for
minimal Quick status check
executive Leadership (default)
detailed Technical deep dive

🔐 API token setup

Create a read-only API token in Cloudflare Dashboard → Manage AccountAccount API Tokens

Required permissions

Permission Required
Zone > Zone Read ✅ Yes
Zone > Analytics Read ✅ Yes
Zone > DNS Read ⚠️ Recommended
Zone > SSL and Certificates Read ⚠️ Recommended
Zone > Zone Settings Read ⚠️ Recommended
Zone > Firewall Services Read ⚠️ Recommended
Zone > WAF Read ⚠️ Recommended
Account > Access: Audit Logs Read ℹ️ Nice-to-have
Account > Account Settings Read ℹ️ Nice-to-have

✅ Required = Tool won't work | ⚠️ Recommended = Full features | ℹ️ Nice-to-have = Better validation

Quick validation

# Shows exactly which permissions you have
cf-report validate

Security notes

  • 🔒 Read-only only - The tool never needs write permissions
  • 💾 All data stays local - Cached in ~/.cf-report/, no telemetry
  • 📖 Full security guide → - Step-by-step token creation, data storage details, and security checklist

📈 How scoring works

Only risk takeaways affect your score. Everything else (win, action, comparison, observation) is informational.

Score = max(0, 100 - (total_risk_weight / 60) * 100)
Risk weight Score Grade Example
0 100 A+ No risks found
19 68 C+ SSL off (10) + WAF disabled (9)
26 57 C Three medium risks
60+ 0 F Critical security gaps

⏱️ Data retention (by Cloudflare plan)

Plan DNS Security HTTP
Free 7d 7d 30d
Pro 31d 7d 30d
Business 31d 31d 30d
Enterprise 62d 90d 30d

Days outside these windows = unavailable (cached, no API calls)


⚙️ Quick config (~/.cf-report/config.yaml)

api_token: "cfat_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
cache_dir: "~/.cf-report/cache"
history_dir: "~/.cf-report/history"
log_level: "info"
exclude_types:
  - email

zones:
  - id: "abc123..."
    name: "example.com"

pdf:
  profile: "executive" # minimal | executive | detailed
  chart_format: "png" # png | svg
  map_format: "png" # png | svg
  colors:
    primary: "#2563eb" # your brand color
    accent: "#f38020"

email:
  enabled: true
  smtp_host: "smtp.example.com"
  recipients:
    - "security@example.com"

ai-summary:
  enabled: true
  model: "openrouter/google/gemma-2-9b-it:free"

🛠️ CLI cheat sheet

# Sync data
cf-report sync --last 30                    # Last 30 days
cf-report sync --zone example.com --last 7  # Single zone

# Generate report
cf-report report -o report.pdf              # Basic PDF
cf-report report -o report.pdf --email      # PDF + email
cf-report report -o report.pdf --profile minimal  # Override PDF profile
cf-report report --exclude-types email,cache # Exclude specific streams
cf-report report --skip-zone-health         # Skip health checks

# Manage zones
cf-report zones list
cf-report zones add --id abc123 --name example.com

# Clean cache
cf-report clean --older-than 90

# Generate report with AI summary and send it by email
cf-report report -o report.pdf --email --ai-summary

📚 Documentation

Guide What it covers
User guide Full CLI reference and config
AI Summary: Powered by LLMs (Optional) AI summary and email generation
Dashboard verification Compare report vs Cloudflare UI
Reliability metrics Understanding approximations
Developer docs Architecture and internals

❓ Common questions

How accurate are the metrics? Trend-oriented approximations. Use for executive posture guidance, not packet-level forensics.

Can I run this in CI/CD? Yes - works headless. Set CF_REPORT_API_TOKEN (preferred) and pass --config to a non-secret config file.

What if I have 100+ zones? Works fine. Sync may take a while initially, but caching helps.


📦 Links


📄 License

MIT - go wild. See LICENSE.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

cloudflare_executive_report-1.1.3.tar.gz (1.8 MB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

cloudflare_executive_report-1.1.3-py3-none-any.whl (207.7 kB view details)

Uploaded Python 3

File details

Details for the file cloudflare_executive_report-1.1.3.tar.gz.

File metadata

File hashes

Hashes for cloudflare_executive_report-1.1.3.tar.gz
Algorithm Hash digest
SHA256 dd0ed7d1a31c652e8cd1fa985703b3667fd4cd0ca6b814eaa77749beccc1667c
MD5 3864d40dc38319c880db6e209d33641f
BLAKE2b-256 c4c58fce1caf0a54cae355d0ec62ed8a2b59f5ecdf7a1fd97bb1008e23fe6cc4

See more details on using hashes here.

Provenance

The following attestation bundles were made for cloudflare_executive_report-1.1.3.tar.gz:

Publisher: publish.yml on vhsantos/cloudflare-executive-report

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file cloudflare_executive_report-1.1.3-py3-none-any.whl.

File metadata

File hashes

Hashes for cloudflare_executive_report-1.1.3-py3-none-any.whl
Algorithm Hash digest
SHA256 66bfd82977a6231d78dc1d393346ece85bc00a5524ac7dac1545534ae1e79ce9
MD5 f37246f2c7395e11a0f028c5eaf89a29
BLAKE2b-256 eb2883554ecf98aa3d41f2aaf02b57b46cc4950df685a4c019cbc859c1db7190

See more details on using hashes here.

Provenance

The following attestation bundles were made for cloudflare_executive_report-1.1.3-py3-none-any.whl:

Publisher: publish.yml on vhsantos/cloudflare-executive-report

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page