Skip to main content

Fast, zero-dependency TLS risk analysis with OCSP revocation detection and structured decisions

Project description

TrustLint CLI

Fast, zero-dependency TLS risk analysis with OCSP revocation detection and structured decisions — powered by spl-tls-analyze.

Probes domains for TLS certificate validity, checks OCSP revocation, detects deprecated protocols (TLS 1.0/1.1), and produces ALLOW/REVIEW/DENY decisions across 20 risk categories with 5 severity levels. 3 operating profiles. JSON + Markdown structured output.

Beta software. Use for TLS risk assessment and CI guardrails; not a complete security audit.

Install

pip install spl-tls-analyze

Quickstart

# Analyze a single domain
spl-tls-analyze example.com

# Batch analysis with strict profile, JSON output
spl-tls-analyze domains.txt --profile strict --json-out report.json

# Markdown report with conservative profile
spl-tls-analyze domains.txt --profile conservative --markdown-out report.md

What It Detects

Category Severity Real-World Example
VALID_TLS NONE google.com
DEPRECATED_TLS_VERSION HIGH tls-v1-1.badssl.com
REVOKED_CERT CRITICAL revoked.badssl.com
EXPIRED_CERT HIGH expired.badssl.com
SELF_SIGNED_CERT HIGH self-signed.badssl.com
WRONG_HOST_CERT CRITICAL wrong.host.badssl.com
UNTRUSTED_CHAIN HIGH untrusted-root.badssl.com
INCOMPLETE_CHAIN HIGH incomplete-chain.badssl.com
WEAK_SIGNATURE_ALGORITHM HIGH sha1-intermediate.badssl.com
WEAK_CIPHER_SUITE HIGH rc4.badssl.com
STATIC_RSA_KEY_EXCHANGE MEDIUM dh2048.badssl.com
TLS_COMPRESSION_ENABLED MEDIUM (extinct in modern TLS)
WILDCARD_CERTIFICATE LOW badssl.com
MISSING_OCSP_STAPLE LOW github.com
DNS_FAILURE MEDIUM nonexistent.example.com
CONNECTION_ERROR MEDIUM unreachable host
TIMEOUT MEDIUM unresponsive server
TLS_HANDSHAKE_FAILURE MEDIUM dh480.badssl.com
OCSP_UNREACHABLE MEDIUM revoked.badssl.com
UNKNOWN_SSL_ERROR LOW sha1-intermediate.badssl.com

Profiles

Profile ALLOW Threshold HIGH Security Deprecated TLS Fallback ALLOW Use Case
balanced (default) REVIEW REVIEW Clean VALID_TLS General-purpose scanning
conservative REVIEW REVIEW Never High-sensitivity
strict DENY DENY Never Security-critical CI

Exit Codes

Code Meaning
0 All domains ALLOW
1 One or more REVIEW (no DENY)
2 One or more DENY
3 All domains errored
4 Invalid arguments

Output Example

{
  "domain": "expired.badssl.com",
  "final": {
    "decision": "DENY",
    "risk": "HIGH",
    "primary_reason": "Security risk (strict profile): RENEW_OR_DENY for EXPIRED_CERT",
    "recommended_action": "Renew or replace the certificate immediately."
  },
  "tls_probe": {
    "classification": "EXPIRED_CERT",
    "tls_version": null,
    "cert_is_expired": true,
    "resolved_ip": "104.154.89.93"
  }
}

TrustLint Audits

TrustLint commercial TLS audit reports are available for teams, freelancers, and web agencies that want a clear, client-ready review of their domains. See docs/COMMERCIAL_AUDITS.md and examples/sample_tls_audit_report.md.

Development

python -m pytest tests/ -q
python -m build

License

MIT

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

spl_tls_analyze-0.3.3b0.tar.gz (56.0 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

spl_tls_analyze-0.3.3b0-py3-none-any.whl (44.5 kB view details)

Uploaded Python 3

File details

Details for the file spl_tls_analyze-0.3.3b0.tar.gz.

File metadata

  • Download URL: spl_tls_analyze-0.3.3b0.tar.gz
  • Upload date:
  • Size: 56.0 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.14.4

File hashes

Hashes for spl_tls_analyze-0.3.3b0.tar.gz
Algorithm Hash digest
SHA256 cf8c2e84f00bbd968f15218594b1deb5d94ff3308b9894e96e67e72498506a15
MD5 5252e3a978c2b2087a9d3ed9a76fc43d
BLAKE2b-256 fe4b91983b20c8ee858df32e88139699f7f4c2ae1d2e5f2f63afd90dab899045

See more details on using hashes here.

File details

Details for the file spl_tls_analyze-0.3.3b0-py3-none-any.whl.

File metadata

File hashes

Hashes for spl_tls_analyze-0.3.3b0-py3-none-any.whl
Algorithm Hash digest
SHA256 071b63ae71bb844d48811a261ea212465f4d559fb0699557fadc6e3bbf291937
MD5 864bbe54c4160d71b263d489ee0aa34c
BLAKE2b-256 fcf7d883c123888f426a5d7b2b5f0921e20e5a634fece769e59cbbcc95836e47

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page