compliance-scan/README.md
Heiko f60de7c2da Add SSH scan support with BSI TR-02102-4 compliance
- SSH scanning via ssh-audit (KEX, encryption, MAC, host keys)
- BSI TR-02102-4 and IANA compliance validation for SSH
- CSV/Markdown/reST reports for SSH results
- Unified compliance schema and database views
- Code optimization: modular query/writer architecture
2026-01-23 11:05:01 +01:00

compliance-scan

SSL/TLS configuration analysis with automated BSI/IANA compliance checking.

Quick Start

# Install
poetry install

# Scan server
poetry run compliance-scan scan example.com:443,636

# Generate report
poetry run compliance-scan report -t md -o report.md

# Update IANA registry data
poetry run compliance-scan update-iana

Note: SSLyze outputs INFO-level log messages during scanning that cannot be suppressed. These messages are harmless and can be ignored.

Features

  • Multi-port TLS/SSL scanning with SSLyze
  • BSI TR-02102-1/2 compliance validation
  • IANA recommendations checking
  • Vulnerability detection (Heartbleed, ROBOT, CCS Injection)
  • Certificate validation with key size compliance
  • Multiple report formats (CSV, Markdown, reStructuredText)
  • IANA registry updates from official sources

Commands

Scan

compliance-scan scan <hostname>:<port1>,<port2> [options]

# Examples
compliance-scan scan example.com:443,636 --print
compliance-scan scan [2001:db8::1]:443 -db custom.db

Options:

  • --print - Display scan summary in console
  • -db <path> - Database file path (default: compliance_status.db)

Report

compliance-scan report [scan_id] -t <type> [options]

# Examples
compliance-scan report -t md -o report.md
compliance-scan report 5 -t csv --output-dir ./reports
compliance-scan report --list

Options:

  • -t <type> - Report type: csv, md, markdown, rest, rst
  • -o <file> - Output file for Markdown/reStructuredText
  • --output-dir <dir> - Output directory for CSV files
  • --list - List all available scans
  • -db <path> - Database file path

Update IANA Data

compliance-scan update-iana [-db <path>]

# Example
compliance-scan update-iana -db compliance_status.db

Updates the IANA registry data from the official sources. The default database ships with IANA data as of 12/2024.

Report Formats

CSV: Granular files per port and category for data analysis.

Markdown: Single comprehensive report with all findings.

reStructuredText: Sphinx-compatible report with CSV table includes.

Supported Protocols

Opportunistic TLS: SMTP, LDAP, IMAP, POP3, FTP, XMPP, RDP, PostgreSQL

Direct TLS: HTTPS, LDAPS, SMTPS, IMAPS, POP3S

SSH: SSH (port 22)

Compliance Standards

  • BSI TR-02102-1: Certificate requirements
  • BSI TR-02102-2: TLS cipher suites and parameters
  • BSI TR-02102-4: SSH key exchange, encryption, MAC and authentication methods
  • IANA TLS Parameters: Cipher suites, signature schemes, supported groups
  • IANA SSH Parameters: Key exchange, encryption, MAC and compression algorithms
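The kind of per-port, per-category verdict the scanner derives from these standards, shown as an added Python example that is not part of the project's code: the protocol and cipher-suite allowlist and the minimum key sizes are an assumed, abbreviated reading of BSI TR-02102-1/-2 (the tool's own rules live in its crypto_standards.db), and the sample scan result is constructed.

```python
"""Simplified BSI TR-02102 style compliance check for one scanned port.
Added example, not the project's own code. The allowlist and key-size
thresholds are an assumed, abbreviated reading of TR-02102-1/-2."""
from dataclasses import dataclass

# Assumed abbreviated TR-02102-2 allowlist (illustrative, not complete).
ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
ALLOWED_SUITES = {
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}
# Assumed TR-02102-1 minimum certificate key sizes in bits.
MIN_KEY_BITS = {"RSA": 3000, "EC": 250}

@dataclass
class PortScan:
    host: str
    port: int
    protocols: list      # offered protocol versions, e.g. ["TLSv1.0", "TLSv1.2"]
    cipher_suites: list  # accepted suites by IANA name
    cert_key_type: str   # "RSA" or "EC"
    cert_key_bits: int

def check_port(scan):
    """Return (category, item, verdict) tuples, mirroring the tool's
    per-port, per-category CSV layout."""
    findings = []
    for proto in scan.protocols:
        ok = proto in ALLOWED_PROTOCOLS
        findings.append(("protocol", proto, "compliant" if ok else "non-compliant"))
    for suite in scan.cipher_suites:
        ok = suite in ALLOWED_SUITES
        findings.append(("cipher_suite", suite, "compliant" if ok else "non-compliant"))
    minimum = MIN_KEY_BITS.get(scan.cert_key_type)
    item = f"{scan.cert_key_type}-{scan.cert_key_bits}"
    if minimum is None:
        findings.append(("certificate", item, "unknown"))  # key type not covered above
    else:
        ok = scan.cert_key_bits >= minimum
        findings.append(("certificate", item, "compliant" if ok else "non-compliant"))
    return findings

def summarize(findings):
    """A port is compliant only if every single item is."""
    return "compliant" if all(v == "compliant" for _, _, v in findings) else "non-compliant"

# Constructed sample: offers a legacy protocol, a non-PFS suite and a 2048-bit RSA key.
SAMPLE = PortScan("example.com", 443, ["TLSv1.0", "TLSv1.2", "TLSv1.3"],
                  ["TLS_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA"], "RSA", 2048)
```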

Documentation

Detailed Guide - Complete reference with database schema, compliance rules, and development information.

Requirements

  • Python 3.13+
  • Poetry
  • SSLyze 6.0.0+

Database

Default location: compliance_status.db

Template with reference data: src/sslysze_scan/data/crypto_standards.db

Schema version: 5 (includes optimized views for reporting)

Development

# Run tests
poetry run pytest

# Update IANA reference data in template
python3 -m sslysze_scan.iana_parser

Version Management

Version is maintained in pyproject.toml and read dynamically at runtime.