pub/compliance-scan
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
master
compliance-scan/README.md
Heiko f60de7c2da Add SSH scan support with BSI TR-02102-4 compliance 
- SSH scanning via ssh-audit (KEX, encryption, MAC, host keys)
- BSI TR-02102-4 and IANA compliance validation for SSH
- CSV/Markdown/reST reports for SSH results
- Unified compliance schema and database views
- Code optimization: modular query/writer architecture
2026-01-23 11:05:01 +01:00

137 lines
3.3 KiB
Markdown
Raw Permalink Blame History

# compliance-scan
SSL/TLS configuration analysis with automated BSI/IANA compliance checking.
## Quick Start
```bash
# Install
poetry install
# Scan server
poetry run compliance-scan scan example.com:443,636
# Generate report
poetry run compliance-scan report -t md -o report.md
# Update IANA registry data
poetry run compliance-scan update-iana
```
Note: SSLyze outputs INFO-level log messages during scanning that cannot be suppressed. These messages are harmless and can be ignored.
## Features
- Multi-port TLS/SSL scanning with SSLyze
- BSI TR-02102-1/2 compliance validation
- IANA recommendations checking
- Vulnerability detection (Heartbleed, ROBOT, CCS Injection)
- Certificate validation with key size compliance
- Multiple report formats (CSV, Markdown, reStructuredText)
- IANA registry updates from official sources
## Commands
### Scan
```bash
compliance-scan scan <hostname>:<port1>,<port2> [options]
# Examples
compliance-scan scan example.com:443,636 --print
compliance-scan scan [2001:db8::1]:443 -db custom.db
```
Note: SSLyze outputs INFO-level log messages during scanning that cannot be suppressed.
Options:
- `--print` - Display scan summary in console
- `-db <path>` - Database file path (default: compliance_status.db)
### Report
```bash
compliance-scan report [scan_id] -t <type> [options]
# Examples
compliance-scan report -t md -o report.md
compliance-scan report 5 -t csv --output-dir ./reports
compliance-scan report --list
```
Options:
- `-t <type>` - Report type: csv, md, markdown, rest, rst
- `-o <file>` - Output file for Markdown/reStructuredText
- `--output-dir <dir>` - Output directory for CSV files
- `--list` - List all available scans
- `-db <path>` - Database file path
### Update IANA Data
```bash
compliance-scan update-iana [-db <path>]
# Example
compliance-scan update-iana -db compliance_status.db
```
Updates IANA registry data from official sources. Default database contains IANA data as of 12/2024.
## Report Formats
**CSV**: Granular files per port and category for data analysis.
**Markdown**: Single comprehensive report with all findings.
**reStructuredText**: Sphinx-compatible report with CSV table includes.
## Supported Protocols
**Opportunistic TLS**: SMTP, LDAP, IMAP, POP3, FTP, XMPP, RDP, PostgreSQL
**Direct TLS**: HTTPS, LDAPS, SMTPS, IMAPS, POP3S
**SSH**: SSH (Port 22)
## Compliance Standards
- BSI TR-02102-1: Certificate requirements
- BSI TR-02102-2: TLS cipher suites and parameters
- BSI TR-02102-4: SSH key exchange, encryption, MAC and authentication methods
- IANA TLS Parameters: Cipher suites, signature schemes, supported groups
- IANA SSH Parameters: Key exchange, encryption, MAC and compression algorithms
## Documentation
**[Detailed Guide](docs/detailed-guide.md)** - Complete reference with database schema, compliance rules, and development information.
## Requirements
- Python 3.13+
- Poetry
- SSLyze 6.0.0+
## Database
Default location: `compliance_status.db`
Template with reference data: `src/sslysze_scan/data/crypto_standards.db`
Schema version: 5 (includes optimized views for reporting)
## Development
```bash
# Run tests
poetry run pytest
# Update IANA reference data in template
python3 -m sslysze_scan.iana_parser
```
## Version Management
Version is maintained in `pyproject.toml` and read dynamically at runtime.
Reference in New Issue View Git Blame Copy Permalink