Fast, zero-dependency TLS risk analysis with OCSP revocation detection and structured decisions
Project description
TrustLint CLI
Fast, zero-dependency TLS risk analysis with OCSP revocation detection (where OCSP URL present in certificate AIA) and structured decisions — powered by spl-tls-analyze.
Probes domains for TLS certificate validity, checks OCSP revocation (where available), detects deprecated protocols (TLS 1.0/1.1), and produces ALLOW/REVIEW/DENY decisions across 20 risk categories with 5 severity levels. 3 operating profiles. JSON + Markdown structured output.
Beta software. Use for TLS risk assessment and CI guardrails; not a complete security audit.
Install
pip install spl-tls-analyze
Quickstart
# Analyze a single domain
spl-tls-analyze example.com
# Batch analysis with strict profile, JSON output
spl-tls-analyze domains.txt --profile strict --json-out report.json
# Markdown report with conservative profile
spl-tls-analyze domains.txt --profile conservative --markdown-out report.md
Free 5-Domain Sample Report
TrustLint CLI is open source and free to run locally on any number of domains — no limits, no license key required.
The free 5-domain sample report is a commercial service preview, not a CLI restriction. Submit up to 5 domains you own or are authorized to test, and receive a lightweight preview of what a TrustLint Audit looks like.
Important: This is not a full security audit, penetration test, compliance certification, or security guarantee. It is a preview of the TrustLint Audits service.
Request a free sample report by opening an Audit Request issue.
Paid TrustLint Audits are available for full client-ready reports, white-label agency reports, and monthly monitoring.
What It Detects
| Category | Severity | Real-World Example |
|---|---|---|
| VALID_TLS | NONE | google.com |
| DEPRECATED_TLS_VERSION | HIGH | tls-v1-1.badssl.com |
| REVOKED_CERT | CRITICAL | revoked.badssl.com |
| EXPIRED_CERT | HIGH | expired.badssl.com |
| SELF_SIGNED_CERT | HIGH | self-signed.badssl.com |
| WRONG_HOST_CERT | CRITICAL | wrong.host.badssl.com |
| UNTRUSTED_CHAIN | HIGH | untrusted-root.badssl.com |
| INCOMPLETE_CHAIN | HIGH | incomplete-chain.badssl.com |
| WEAK_SIGNATURE_ALGORITHM | HIGH | sha1-intermediate.badssl.com |
| WEAK_CIPHER_SUITE | HIGH | rc4.badssl.com |
| STATIC_RSA_KEY_EXCHANGE | MEDIUM | dh2048.badssl.com |
| TLS_COMPRESSION_ENABLED | MEDIUM | (extinct in modern TLS) |
| WILDCARD_CERTIFICATE | LOW | badssl.com |
| MISSING_OCSP_STAPLE | LOW | github.com |
| DNS_FAILURE | MEDIUM | nonexistent.example.com |
| CONNECTION_ERROR | MEDIUM | unreachable host |
| TIMEOUT | MEDIUM | unresponsive server |
| TLS_HANDSHAKE_FAILURE | MEDIUM | dh480.badssl.com |
| OCSP_UNREACHABLE | MEDIUM | unreachable OCSP responder |
| UNKNOWN_SSL_ERROR | LOW | sha1-intermediate.badssl.com |
Profiles
| Profile | ALLOW Threshold | HIGH Security | Deprecated TLS | Fallback ALLOW | Use Case |
|---|---|---|---|---|---|
| balanced (default) | — | REVIEW | REVIEW | Clean VALID_TLS | General-purpose scanning |
| conservative | — | REVIEW | REVIEW | Never | High-sensitivity |
| strict | — | DENY | DENY | Never | Security-critical CI |
Exit Codes
| Code | Meaning |
|---|---|
| 0 | All domains ALLOW |
| 1 | One or more REVIEW (no DENY) |
| 2 | One or more DENY |
| 3 | All domains errored |
| 4 | Invalid arguments |
Output Example
{
"domain": "expired.badssl.com",
"final": {
"decision": "DENY",
"risk": "HIGH",
"primary_reason": "Security risk (strict profile): RENEW_OR_DENY for EXPIRED_CERT",
"recommended_action": "Renew or replace the certificate immediately."
},
"tls_probe": {
"classification": "EXPIRED_CERT",
"tls_version": null,
"cert_is_expired": true,
"resolved_ip": "104.154.89.93"
}
}
TrustLint Audits
TrustLint commercial TLS audit reports are available for teams, freelancers, and web agencies that want a clear, client-ready review of their domains.
Start free: docs/FREE_SAMPLE_REPORT.md — up to 5 domains, service preview.
Upgrade to paid: docs/COMMERCIAL_AUDITS.md — client-ready reports, white-label delivery, monthly monitoring, and support.
See a sample: examples/sample_tls_audit_report.md.
Development
python -m pytest tests/ -q
python -m build
License
MIT
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file spl_tls_analyze-0.4.0b0.tar.gz.
File metadata
- Download URL: spl_tls_analyze-0.4.0b0.tar.gz
- Upload date:
- Size: 59.8 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.4
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
12ff77e05f93e2b4c5148c597a67133fb1f398bf0c32f3b93f68f75e0a0a3ee5
|
|
| MD5 |
2bee406bdb4cbf8cb993cd28432d16fe
|
|
| BLAKE2b-256 |
ee2d553fa5d981371cbe4d308bffc8ab91888e07e15841787856703e8f2a056f
|
File details
Details for the file spl_tls_analyze-0.4.0b0-py3-none-any.whl.
File metadata
- Download URL: spl_tls_analyze-0.4.0b0-py3-none-any.whl
- Upload date:
- Size: 47.3 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.4
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
4563daeda6a9da823b6e265d994cc6680f05f687318acaaa52b37fced0b8c98b
|
|
| MD5 |
046bfcc4717bec99b36cc6c74838a993
|
|
| BLAKE2b-256 |
379b59de61faef46f8e29a2c66bb5071f82ea8e0afb0f401ffe929d475058238
|