Skip to main content

Fast, zero-dependency TLS risk analysis with OCSP revocation detection and structured decisions

Project description

TrustLint CLI

Fast, zero-dependency TLS risk analysis with OCSP revocation detection (where OCSP URL present in certificate AIA) and structured decisions — powered by spl-tls-analyze.

Probes domains for TLS certificate validity, checks OCSP revocation (where available), detects deprecated protocols (TLS 1.0/1.1), and produces ALLOW/REVIEW/DENY decisions across 20 risk categories with 5 severity levels. 3 operating profiles. JSON + Markdown structured output.

Beta software. Use for TLS risk assessment and CI guardrails; not a complete security audit.

Install

pip install spl-tls-analyze

Quickstart

# Analyze a single domain
spl-tls-analyze example.com

# Batch analysis with strict profile, JSON output
spl-tls-analyze domains.txt --profile strict --json-out report.json

# Markdown report with conservative profile
spl-tls-analyze domains.txt --profile conservative --markdown-out report.md

Free 5-Domain Sample Report

TrustLint CLI is open source and free to run locally on any number of domains — no limits, no license key required.

The free 5-domain sample report is a commercial service preview, not a CLI restriction. Submit up to 5 domains you own or are authorized to test, and receive a lightweight preview of what a TrustLint Audit looks like.

Important: This is not a full security audit, penetration test, compliance certification, or security guarantee. It is a preview of the TrustLint Audits service.

Request a free sample report by opening an Audit Request issue.

Paid TrustLint Audits are available for full client-ready reports, white-label agency reports, and monthly monitoring.

What It Detects

Category Severity Real-World Example
VALID_TLS NONE google.com
DEPRECATED_TLS_VERSION HIGH tls-v1-1.badssl.com
REVOKED_CERT CRITICAL revoked.badssl.com
EXPIRED_CERT HIGH expired.badssl.com
SELF_SIGNED_CERT HIGH self-signed.badssl.com
WRONG_HOST_CERT CRITICAL wrong.host.badssl.com
UNTRUSTED_CHAIN HIGH untrusted-root.badssl.com
INCOMPLETE_CHAIN HIGH incomplete-chain.badssl.com
WEAK_SIGNATURE_ALGORITHM HIGH sha1-intermediate.badssl.com
WEAK_CIPHER_SUITE HIGH rc4.badssl.com
STATIC_RSA_KEY_EXCHANGE MEDIUM dh2048.badssl.com
TLS_COMPRESSION_ENABLED MEDIUM (extinct in modern TLS)
WILDCARD_CERTIFICATE LOW badssl.com
MISSING_OCSP_STAPLE LOW github.com
DNS_FAILURE MEDIUM nonexistent.example.com
CONNECTION_ERROR MEDIUM unreachable host
TIMEOUT MEDIUM unresponsive server
TLS_HANDSHAKE_FAILURE MEDIUM dh480.badssl.com
OCSP_UNREACHABLE MEDIUM unreachable OCSP responder
UNKNOWN_SSL_ERROR LOW sha1-intermediate.badssl.com

Profiles

Profile ALLOW Threshold HIGH Security Deprecated TLS Fallback ALLOW Use Case
balanced (default) REVIEW REVIEW Clean VALID_TLS General-purpose scanning
conservative REVIEW REVIEW Never High-sensitivity
strict DENY DENY Never Security-critical CI

Exit Codes

Code Meaning
0 All domains ALLOW
1 One or more REVIEW (no DENY)
2 One or more DENY
3 All domains errored
4 Invalid arguments

Output Example

{
  "domain": "expired.badssl.com",
  "final": {
    "decision": "DENY",
    "risk": "HIGH",
    "primary_reason": "Security risk (strict profile): RENEW_OR_DENY for EXPIRED_CERT",
    "recommended_action": "Renew or replace the certificate immediately."
  },
  "tls_probe": {
    "classification": "EXPIRED_CERT",
    "tls_version": null,
    "cert_is_expired": true,
    "resolved_ip": "104.154.89.93"
  }
}

TrustLint Audits

TrustLint commercial TLS audit reports are available for teams, freelancers, and web agencies that want a clear, client-ready review of their domains.

Start free: docs/FREE_SAMPLE_REPORT.md — up to 5 domains, service preview.

Upgrade to paid: docs/COMMERCIAL_AUDITS.md — client-ready reports, white-label delivery, monthly monitoring, and support.

See a sample: examples/sample_tls_audit_report.md.

Development

python -m pytest tests/ -q
python -m build

License

MIT

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

spl_tls_analyze-0.4.0b0.tar.gz (59.8 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

spl_tls_analyze-0.4.0b0-py3-none-any.whl (47.3 kB view details)

Uploaded Python 3

File details

Details for the file spl_tls_analyze-0.4.0b0.tar.gz.

File metadata

  • Download URL: spl_tls_analyze-0.4.0b0.tar.gz
  • Upload date:
  • Size: 59.8 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.14.4

File hashes

Hashes for spl_tls_analyze-0.4.0b0.tar.gz
Algorithm Hash digest
SHA256 12ff77e05f93e2b4c5148c597a67133fb1f398bf0c32f3b93f68f75e0a0a3ee5
MD5 2bee406bdb4cbf8cb993cd28432d16fe
BLAKE2b-256 ee2d553fa5d981371cbe4d308bffc8ab91888e07e15841787856703e8f2a056f

See more details on using hashes here.

File details

Details for the file spl_tls_analyze-0.4.0b0-py3-none-any.whl.

File metadata

File hashes

Hashes for spl_tls_analyze-0.4.0b0-py3-none-any.whl
Algorithm Hash digest
SHA256 4563daeda6a9da823b6e265d994cc6680f05f687318acaaa52b37fced0b8c98b
MD5 046bfcc4717bec99b36cc6c74838a993
BLAKE2b-256 379b59de61faef46f8e29a2c66bb5071f82ea8e0afb0f401ffe929d475058238

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page