# compliance-scan

SSL/TLS configuration analysis with automated BSI/IANA compliance checking.

## Quick Start

```bash
# Install
poetry install

# Scan server
poetry run compliance-scan scan example.com:443,636

# Generate report
poetry run compliance-scan report -t md -o report.md

# Update IANA registry data
poetry run compliance-scan update-iana
```

Note: SSLyze outputs INFO-level log messages during scanning that cannot be suppressed. These messages are harmless and can be ignored.

## Features

- Multi-port TLS/SSL scanning with SSLyze
- BSI TR-02102-1/2 compliance validation
- IANA recommendations checking
- Vulnerability detection (Heartbleed, ROBOT, CCS Injection)
- Certificate validation with key size compliance
- Multiple report formats (CSV, Markdown, reStructuredText)
- IANA registry updates from official sources

## Commands

### Scan

```bash
compliance-scan scan <host>:<port>,<port> [options]

# Examples
compliance-scan scan example.com:443,636 --print
compliance-scan scan [2001:db8::1]:443 -db custom.db
```

Note: SSLyze outputs INFO-level log messages during scanning that cannot be suppressed.

Options:

- `--print` - Display scan summary in console
- `-db <path>` - Database file path (default: compliance_status.db)

### Report

```bash
compliance-scan report [scan_id] -t <type> [options]

# Examples
compliance-scan report -t md -o report.md
compliance-scan report 5 -t csv --output-dir ./reports
compliance-scan report --list
```

Options:

- `-t <type>` - Report type: csv, md, markdown, rest, rst
- `-o <file>` - Output file for Markdown/reStructuredText
- `--output-dir <dir>` - Output directory for CSV files
- `--list` - List all available scans
- `-db <path>` - Database file path

### Update IANA Data

```bash
compliance-scan update-iana [-db <path>]

# Example
compliance-scan update-iana -db compliance_status.db
```

Updates IANA registry data from official sources. The default database contains IANA data as of 12/2024.

## Report Formats

**CSV**: Granular files per port and category for data analysis.

**Markdown**: Single comprehensive report with all findings.

**reStructuredText**: Sphinx-compatible report with CSV table includes.

## Supported Protocols

**Opportunistic TLS**: SMTP, LDAP, IMAP, POP3, FTP, XMPP, RDP, PostgreSQL

**Direct TLS**: HTTPS, LDAPS, SMTPS, IMAPS, POP3S

**SSH**: SSH (Port 22)

## Compliance Standards

- BSI TR-02102-1: Certificate requirements
- BSI TR-02102-2: TLS cipher suites and parameters
- BSI TR-02102-4: SSH key exchange, encryption, MAC and authentication methods
- IANA TLS Parameters: Cipher suites, signature schemes, supported groups
- IANA SSH Parameters: Key exchange, encryption, MAC and compression algorithms

## Documentation

**[Detailed Guide](docs/detailed-guide.md)** - Complete reference with database schema, compliance rules, and development information.

## Requirements

- Python 3.13+
- Poetry
- SSLyze 6.0.0+

## Database

Default location: `compliance_status.db`

Template with reference data: `src/sslysze_scan/data/crypto_standards.db`

Schema version: 5 (includes optimized views for reporting)

## Development

```bash
# Run tests
poetry run pytest

# Update IANA reference data in template
python3 -m sslysze_scan.iana_parser
```

## Version Management

Version is maintained in `pyproject.toml` and read dynamically at runtime.
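As an added illustration of the BSI compliance validation and certificate key-size checks listed under Features and Compliance Standards (example code, not this project's own implementation), the following evaluates a constructed two-port scan result against a small rule set. The protocol allowlist, suite patterns and key-size minimums are an assumed approximation of BSI TR-02102-1/-2 for demonstration; real rules must be taken from the standard and the tool's `crypto_standards.db`.

```python
import re

# Assumed, illustrative rule set approximating BSI TR-02102-1/-2 (not the tool's own
# rules): TLS 1.2/1.3 only, forward-secret AEAD suites, RSA >= 3000 bit, EC >= 250 bit.
ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
MIN_KEY_BITS = {"RSA": 3000, "EC": 250}
TLS12_OK = re.compile(
    r"^TLS_(ECDHE|DHE)_(RSA|ECDSA)_WITH_AES_(128|256)_(GCM_SHA(256|384)|CCM(_8)?)$"
)
TLS13_OK = {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_AES_128_CCM_SHA256"}


def check_port(result: dict) -> list[str]:
    """Return findings for one scanned port; an empty list means compliant."""
    findings = []
    for proto in result["protocols"]:
        if proto not in ALLOWED_PROTOCOLS:
            findings.append(f"protocol {proto} enabled")
    for proto, suites in result["cipher_suites"].items():
        if proto not in ALLOWED_PROTOCOLS:
            continue  # the protocol itself is already flagged; its suites are moot
        for suite in suites:
            ok = suite in TLS13_OK if proto == "TLSv1.3" else bool(TLS12_OK.match(suite))
            if not ok:
                findings.append(f"{proto} suite {suite} not recommended")
    key_type, bits = result["certificate"]["key_type"], result["certificate"]["key_bits"]
    if key_type not in MIN_KEY_BITS:
        findings.append(f"unrecognised key type {key_type}")
    elif bits < MIN_KEY_BITS[key_type]:
        findings.append(f"{key_type} key {bits} bits below minimum {MIN_KEY_BITS[key_type]}")
    return findings


def check_scan(scan: dict) -> dict[str, list[str]]:
    """Apply check_port to every host:port entry of a scan result."""
    return {target: check_port(r) for target, r in scan.items()}


# Constructed sample in the shape a scanner might emit (not real SSLyze output).
SAMPLE_SCAN = {
    "example.com:443": {
        "protocols": ["TLSv1.2", "TLSv1.3"],
        "cipher_suites": {
            "TLSv1.2": ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_CBC_SHA"],
            "TLSv1.3": ["TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256"],
        },
        "certificate": {"key_type": "RSA", "key_bits": 2048},
    },
    "example.com:636": {
        "protocols": ["TLSv1.0", "TLSv1.2"],
        "cipher_suites": {
            "TLSv1.0": ["TLS_RSA_WITH_3DES_EDE_CBC_SHA"],
            "TLSv1.2": ["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"],
        },
        "certificate": {"key_type": "EC", "key_bits": 256},
    },
}

if __name__ == "__main__":
    for target, findings in check_scan(SAMPLE_SCAN).items():
        print(target, "COMPLIANT" if not findings else "; ".join(findings))
```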