vrp-ir 0.9.0: a line-cited security audit for Huawei VRP/USG configs

The Problem

If you do acceptance or audit work on Huawei gear, you've hit this wall:

  • Batfish explicitly marks Huawei VRP as unsupported.
  • ntc-templates parses display show-commands, not config files.
  • So you're back to grep + screenshots over display current-configuration.

vrp-ir fills exactly that gap, and 0.9.0 is out.

What It Does

It parses an offline Huawei VRP/USG config into a typed model where every value carries a SourceRef back to its exact file:line - then turns that into a security acceptance audit where every finding cites the line it's based on.

pip install vrp-ir
vrp-ir audit firewall.cfg          # Markdown report, every finding line-cited
vrp-ir audit firewall.cfg --strict # exit 1 on FAIL -> drop it in CI

New in 0.9.0

  • SARIF + JUnit output - pipe the audit into GitHub/GitLab code scanning or a CI gate. A permit-any rule or cleartext Telnet now fails the build with the line.
  • SNMPv3 checks (+ 16 others: cleartext mgmt, weak SSH ciphers, missing NTP, default-deny, permit-scope, address-set-resolves-to-any…). 17 checks total.
  • GB18030 / Chinese configs parse cleanly - real-world configs, not just ASCII.
  • Evidence policy - "no source, no claim": a finding never asserts PASS/FAIL without a cited line; coverage gaps are surfaced, not hidden.
  • Advisory standards mapping to common control domains (incl. China's MLPS Level 3/4) - advisory, not a certification.
  • Zero runtime dependencies.
  • Apache-2.0.

Why Provenance Matters

An audit tool's worst failure is a wrong finding that looks authoritative. So vrp-ir's rule is the opposite of most linters: if it can't trace a fact to a source line, it says so (UNCHECKED) rather than bluffing a pass.
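To make the "no source, no claim" rule concrete for the SourceRef model above and this evidence policy, here is an added illustration of the pattern (written for this post, not vrp-ir's own code or API): each finding carries the config line it rests on, and a check whose evidence is absent reports UNCHECKED rather than a blind PASS. The VRP-style config is constructed; the two checks (cleartext-mgmt, permit-any) are simplified stand-ins for the real ones.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed VRP-style snippet (not a real device config); lines count from 1.
SAMPLE_CFG = """\
user-interface vty 0 4
 protocol inbound telnet
#
security-policy
 rule name allow-all
  source-zone any
  action permit
#
"""

@dataclass
class Finding:
    check: str
    status: str           # PASS, FAIL or UNCHECKED
    line: Optional[int]   # cited config line; None only when UNCHECKED
    evidence: str

def audit(config: str) -> list:
    lines = list(enumerate(config.splitlines(), 1))
    findings = []
    # cleartext-mgmt: telnet on the VTY 'protocol inbound' line fails; no such line -> UNCHECKED, not PASS.
    inbound = [(n, t.strip()) for n, t in lines if t.strip().startswith("protocol inbound")]
    if not inbound:
        findings.append(Finding("cleartext-mgmt", "UNCHECKED", None, "no 'protocol inbound' line"))
    else:
        n, t = next(((n, t) for n, t in inbound if "telnet" in t), inbound[0])
        findings.append(Finding("cleartext-mgmt", "FAIL" if "telnet" in t else "PASS", n, t))
    # permit-any: a rule with 'source-zone any' + 'action permit' fails, citing the action line.
    policy = next((n for n, t in lines if t.strip() == "security-policy"), None)
    if policy is None:
        findings.append(Finding("permit-any", "UNCHECKED", None, "no security-policy section"))
        return findings
    any_src, hit = False, None
    for n, t in lines[policy:]:
        s = t.strip()
        if s.startswith("rule name"):
            any_src = False
        elif s == "source-zone any":
            any_src = True
        elif s == "action permit" and any_src and hit is None:
            hit = (n, s)
    findings.append(Finding("permit-any", "FAIL", *hit) if hit
                    else Finding("permit-any", "PASS", policy, "security-policy"))
    return findings
```

Feed it a config with no security-policy section and the permit-any check comes back UNCHECKED with no line, which is the behaviour a CI gate should treat as a coverage gap rather than a pass.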

It's the open core of AegisTwin (acceptance at scale). The single most useful contribution is a real, de-identified config we parse wrong - that's the best possible issue.

→ https://github.com/zynovexllc/vrp-ir
