Metadata-Version: 2.4
Name: spl-tls-analyze
Version: 0.4.0b0
Summary: Fast, zero-dependency TLS risk analysis with OCSP revocation detection and structured decisions
License-Expression: MIT
Project-URL: Homepage, https://github.com/Jonah15-sudo/trustlint-cli
Project-URL: Repository, https://github.com/Jonah15-sudo/trustlint-cli
Project-URL: Issues, https://github.com/Jonah15-sudo/trustlint-cli/issues
Project-URL: Documentation, https://github.com/Jonah15-sudo/trustlint-cli#readme
Keywords: tls,ssl,security,certificate,ocsp,risk-analysis,cli,devops,devsecops,network-security
Classifier: Development Status :: 4 - Beta
Classifier: Environment :: Console
Classifier: Intended Audience :: Developers
Classifier: Intended Audience :: System Administrators
Classifier: Topic :: Security
Classifier: Topic :: Internet :: WWW/HTTP
Classifier: Programming Language :: Python :: 3
Requires-Python: >=3.10
Description-Content-Type: text/markdown
License-File: LICENSE
Provides-Extra: dev
Requires-Dist: pytest>=8.0; extra == "dev"
Provides-Extra: ca-store
Requires-Dist: certifi>=2024.0.0; extra == "ca-store"
Dynamic: license-file

# TrustLint CLI

Fast, zero-dependency TLS risk analysis with OCSP revocation detection (where OCSP URL present in certificate AIA) and structured decisions — powered by **spl-tls-analyze**.

Probes domains for TLS certificate validity, checks OCSP revocation (where available), detects deprecated protocols (TLS 1.0/1.1), and produces ALLOW/REVIEW/DENY decisions across 20 risk categories with 5 severity levels. 3 operating profiles. JSON + Markdown structured output.

Beta software. Use for TLS risk assessment and CI guardrails; not a complete security audit.

## Install

```bash
pip install spl-tls-analyze
```

## Quickstart

```bash
# Analyze a single domain
spl-tls-analyze example.com

# Batch analysis with strict profile, JSON output
spl-tls-analyze domains.txt --profile strict --json-out report.json

# Markdown report with conservative profile
spl-tls-analyze domains.txt --profile conservative --markdown-out report.md
```

## Free 5-Domain Sample Report

TrustLint CLI is **open source and free to run locally** on any number of domains — no limits, no license key required.

The free **5-domain sample report** is a commercial service preview, not a CLI restriction. Submit up to 5 domains you own or are authorized to test, and receive a lightweight preview of what a TrustLint Audit looks like.

> **Important:** This is not a full security audit, penetration test, compliance certification, or security guarantee. It is a preview of the TrustLint Audits service.

**Request a free sample report by opening an [Audit Request issue](https://github.com/Jonah15-sudo/trustlint-cli/issues/new?template=audit_request.md).**

Paid TrustLint Audits are available for full client-ready reports, white-label agency reports, and monthly monitoring.

## What It Detects

| Category | Severity | Real-World Example |
|----------|:--------:|--------------------|
| VALID_TLS | NONE | google.com |
| DEPRECATED_TLS_VERSION | HIGH | tls-v1-1.badssl.com |
| REVOKED_CERT | CRITICAL | revoked.badssl.com |
| EXPIRED_CERT | HIGH | expired.badssl.com |
| SELF_SIGNED_CERT | HIGH | self-signed.badssl.com |
| WRONG_HOST_CERT | CRITICAL | wrong.host.badssl.com |
| UNTRUSTED_CHAIN | HIGH | untrusted-root.badssl.com |
| INCOMPLETE_CHAIN | HIGH | incomplete-chain.badssl.com |
| WEAK_SIGNATURE_ALGORITHM | HIGH | sha1-intermediate.badssl.com |
| WEAK_CIPHER_SUITE | HIGH | rc4.badssl.com |
| STATIC_RSA_KEY_EXCHANGE | MEDIUM | dh2048.badssl.com |
| TLS_COMPRESSION_ENABLED | MEDIUM | (extinct in modern TLS) |
| WILDCARD_CERTIFICATE | LOW | badssl.com |
| MISSING_OCSP_STAPLE | LOW | github.com |
| DNS_FAILURE | MEDIUM | nonexistent.example.com |
| CONNECTION_ERROR | MEDIUM | unreachable host |
| TIMEOUT | MEDIUM | unresponsive server |
| TLS_HANDSHAKE_FAILURE | MEDIUM | dh480.badssl.com |
| OCSP_UNREACHABLE | MEDIUM | unreachable OCSP responder |
| UNKNOWN_SSL_ERROR | LOW | sha1-intermediate.badssl.com |

## Profiles

| Profile | ALLOW Threshold | HIGH Security | Deprecated TLS | Fallback ALLOW | Use Case |
|---------|:-:|:-:|:-:|:-:|----------|
| **balanced** (default) | — | REVIEW | REVIEW | Clean VALID_TLS | General-purpose scanning |
| **conservative** | — | REVIEW | REVIEW | Never | High-sensitivity |
| **strict** | — | DENY | DENY | Never | Security-critical CI |

## Exit Codes

| Code | Meaning |
|------|---------|
| 0 | All domains ALLOW |
| 1 | One or more REVIEW (no DENY) |
| 2 | One or more DENY |
| 3 | All domains errored |
| 4 | Invalid arguments |

## Output Example

```json
{
  "domain": "expired.badssl.com",
  "final": {
    "decision": "DENY",
    "risk": "HIGH",
    "primary_reason": "Security risk (strict profile): RENEW_OR_DENY for EXPIRED_CERT",
    "recommended_action": "Renew or replace the certificate immediately."
  },
  "tls_probe": {
    "classification": "EXPIRED_CERT",
    "tls_version": null,
    "cert_is_expired": true,
    "resolved_ip": "104.154.89.93"
  }
}
```

## TrustLint Audits

TrustLint commercial TLS audit reports are available for teams, freelancers, and web agencies that want a clear, client-ready review of their domains.

**Start free:** [`docs/FREE_SAMPLE_REPORT.md`](docs/FREE_SAMPLE_REPORT.md) — up to 5 domains, service preview.

**Upgrade to paid:** [`docs/COMMERCIAL_AUDITS.md`](docs/COMMERCIAL_AUDITS.md) — client-ready reports, white-label delivery, monthly monitoring, and support.

**See a sample:** [`examples/sample_tls_audit_report.md`](examples/sample_tls_audit_report.md).

## Development

```bash
python -m pytest tests/ -q
python -m build
```

## License

MIT
