@barthez-kenwou
Created June 19, 2026 15:11

TLS Security Analyzer

Overview

Transport Layer Security (TLS) is the foundation of secure communication on the Internet.

Misconfigured TLS services can expose organizations to:

  • Man-in-the-Middle attacks
  • Weak encryption
  • Expired certificates
  • Compliance violations
  • Service disruptions

This tool performs a baseline TLS assessment of a single domain using nothing more than Bash and the openssl command line, and prints a scored summary aimed at DevOps, DevSecOps, SRE, and Security Engineers.


Features

  • Certificate validation
  • Expiration monitoring
  • TLS version detection
  • Cipher inspection
  • Subject Alternative Names (SAN)
  • Issuer verification
  • Security scoring
  • CI/CD integration
  • Compliance-friendly reporting
  • Lightweight Bash implementation

Security Checks

The analyzer reports:

  • Certificate validity (notAfter date and days remaining)
  • Issuer information
  • Subject information
  • Subject Alternative Names
  • TLS protocol versions accepted by the server (TLS 1.0 is flagged as weak)
  • Certificate key and signature algorithms

Certificate chain and hostname validation are printed by openssl s_client (the "Verify return code" line, which also covers the hostname when -verify_hostname is given) but are not yet scored by the script below. The negotiated cipher suite appears in the s_client session output, not in the certificate itself.

Project Structure

tls-analyzer/

├── tls-analyzer.sh

├── reports/
│   └── tls-report.txt

└── README.md

Main Script

tls-analyzer.sh

#!/usr/bin/env bash

##########################################################
# TLS Security Analyzer
#
# Author: DevSecOps Community
#
# Features:
# - Certificate validation
# - Expiration check
# - TLS protocol detection
# - Cipher inspection
# - Security score
##########################################################

set -e

DOMAIN="$1"

if [ -z "$DOMAIN" ]; then
    echo "Usage:"
    echo "./tls-analyzer.sh domain.com"
    exit 1
fi

REPORT_DIR="./reports"
REPORT_FILE="$REPORT_DIR/tls-report.txt"

mkdir -p "$REPORT_DIR"

> "$REPORT_FILE"

SCORE=100

echo "========================================"
echo "TLS Security Analyzer"
echo "========================================"
echo ""

echo "Target Domain : $DOMAIN"
echo ""

echo "TLS Report - $(date)" >> "$REPORT_FILE"

Certificate Retrieval

CERT=$(openssl s_client \
    -connect "${DOMAIN}:443" \
    -servername "$DOMAIN" \
    < /dev/null 2>/dev/null)

The -servername flag sends SNI; without it a virtual-hosted server returns its default certificate, which is often not the one for $DOMAIN. Because stderr is discarded and set -e is active, a refused connection or a failed handshake ends the script silently, so check that $CERT is non-empty before parsing it. Adding -verify_hostname "$DOMAIN" makes the "Verify return code" line in this output reflect hostname mismatches as well as chain errors.

Certificate Information

echo "$CERT" | openssl x509 -noout -subject

Example:

subject=CN=example.com

Issuer Information

echo "$CERT" | openssl x509 -noout -issuer

Example (abbreviated; the real line is the issuer's full distinguished name, including the CN of the issuing intermediate, not just the CA brand):

issuer=Let's Encrypt

Expiration Date

EXPIRY_DATE=$(echo "$CERT" \
    | openssl x509 -noout -enddate \
    | cut -d= -f2)

Example:

Aug 15 23:59:59 2026 GMT

Remaining Validity

# GNU date syntax; on macOS/BSD use: date -j -f '%b %d %T %Y %Z' "$EXPIRY_DATE" +%s
EXPIRY_EPOCH=$(date -d "$EXPIRY_DATE" +%s)

NOW=$(date +%s)

DAYS_LEFT=$(( (EXPIRY_EPOCH - NOW) / 86400 ))

Expiration Validation

if [ "$DAYS_LEFT" -lt 30 ]; then

    SCORE=$((SCORE - 20))

    echo "[WARNING] Certificate expires soon."
fi

An already-expired certificate gives a negative DAYS_LEFT and lands in the same branch; treat that case as a hard failure rather than a 20-point deduction.

TLS Version Detection

Each probe pins one protocol version; a completed handshake means the server accepts it. Redirect stdin from /dev/null so s_client does not wait for input, and keep -servername so the probe reaches the same virtual host as the certificate check.

TLS 1.2

openssl s_client -tls1_2 -servername "$DOMAIN" -connect "${DOMAIN}:443" < /dev/null > /dev/null 2>&1 \
    && echo "TLS 1.2 Supported"

TLS 1.3

openssl s_client -tls1_3 -servername "$DOMAIN" -connect "${DOMAIN}:443" < /dev/null > /dev/null 2>&1 \
    && echo "TLS 1.3 Supported"

Weak TLS Detection

if openssl s_client \
    -tls1 \
    -connect "${DOMAIN}:443" \
    -servername "$DOMAIN" \
    < /dev/null > /dev/null 2>&1
then

    SCORE=$((SCORE - 30))

    echo "[WARNING] TLS 1.0 enabled."
fi

Two caveats. First, TLS 1.1 is equally deprecated and deserves the same probe with -tls1_1. Second, OpenSSL 3.x refuses TLS 1.0 and 1.1 on the client side at its default security level, so this probe fails even against a server that still accepts them and the warning never fires; add -cipher 'DEFAULT:@SECLEVEL=0' to the probe so that a negative result reflects the server rather than the local client.

Cipher Inspection

echo "$CERT" \
| openssl x509 -text -noout

This dumps the leaf certificate, which is the place to audit:

  • Public key algorithm (RSA or ECDSA) and key size (the "Public-Key: (2048 bit)" line)
  • Signature algorithm (for example sha256WithRSAEncryption or ecdsa-with-SHA384)
  • Validity window and extensions

It does not show the cipher suite actually negotiated; that is in the s_client output captured in $CERT, on the line "New, TLSv1.3, Cipher is ..." and in the SSL-Session block (Protocol and Cipher).

SAN Listing

echo "$CERT" \
| openssl x509 -text -noout \
| grep -A1 "Subject Alternative Name"

Example:

X509v3 Subject Alternative Name:
    DNS:example.com, DNS:www.example.com

The names are comma-separated on one line. Listing them is not the same as validating them: hostname matching against the SAN list is done by openssl s_client when it is given -verify_hostname "$DOMAIN", and the result shows up in the "Verify return code" line.

Security Score Calculation

echo ""
echo "Security Score: $SCORE / 100"

Suggested scoring:

  Score    Rating
  90-100   Excellent
  80-89    Good
  60-79    Moderate
  <60      Weak

Final Assessment

if [ "$SCORE" -ge 90 ]; then

    echo "Rating: Excellent"

elif [ "$SCORE" -ge 80 ]; then

    echo "Rating: Good"

elif [ "$SCORE" -ge 60 ]; then

    echo "Rating: Moderate"

else

    echo "Rating: Weak"

fi
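The fragments above, assembled into one runnable script. This is an added example, not the gist's own code: it keeps the same 100-point scale and rating bands but adds what the fragments leave out, namely an expiry calculation that does not depend on GNU versus BSD date, a TLS 1.1 probe, the OpenSSL 3 SECLEVEL workaround for the TLS 1.0/1.1 probes, chain and hostname verification read from the "Verify return code" line, the negotiated cipher suite, and a non-zero exit below a threshold so a CI job can fail on it. The function names, the MIN_SCORE variable, the deduction weights and the sample handshake text used for testing are assumptions chosen for illustration.

```shell
#!/usr/bin/env bash
# Added example, not the gist's script: a hardened probe-and-score core.
# Function names, MIN_SCORE and the deduction weights are assumptions.
set -u   # no `set -e`: a refused handshake is a finding to record, not a crash

# Pull "New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384" out of s_client output.
# A failed handshake prints "New, (NONE), Cipher is (NONE)" and yields nothing.
negotiated() {
    printf '%s\n' "$1" \
      | sed -n 's/^New, \(TLSv[0-9.]*\), Cipher is \([A-Za-z0-9_-]*\)$/\1 \2/p' | head -n 1
}

# Chain and hostname result against the local trust store: 0 ok, 10 expired,
# 18/19 self-signed, 62 hostname mismatch (only reported with -verify_hostname).
verify_code() {
    printf '%s\n' "$1" | sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# DNS names from the "X509v3 Subject Alternative Name" text block, one per line.
san_names() { printf '%s\n' "$1" | grep -o 'DNS:[^,]*' | sed 's/^DNS://'; }

# notAfter ("Aug 15 23:59:59 2026 GMT") to a Unix epoch with pure awk arithmetic
# (days-from-civil), so GNU and BSD date differences never matter.
epoch_of_notafter() {
    awk -v s="$1" 'BEGIN {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
        for (i = 1; i <= 12; i++) mon[m[i]] = i
        split(s, f, "[ :]+")                   # Mon Day HH MM SS Year TZ
        y = f[6]; mo = mon[f[1]]; d = f[2]
        if (mo <= 2) { y--; mo += 12 }         # count the year from March
        days = 365*y + int(y/4) - int(y/100) + int(y/400)
        days += int((153*(mo-3)+2)/5) + d - 1 - 719468   # 719468 = days 0000-03-01..1970-01-01
        print days*86400 + f[3]*3600 + f[4]*60 + f[5]
    }'
}
# Whole days until expiry; $2 overrides "now" (epoch) for reproducible tests.
days_left_for() { echo $(( ($(epoch_of_notafter "$1") - ${2:-$(date -u +%s)}) / 86400 )); }

# One protocol version. OpenSSL 3 refuses TLS 1.0/1.1 client-side at its default
# security level, so those probes drop to SECLEVEL=0; without that the weak-protocol
# check can never fire and a server that still speaks TLS 1.0 looks clean.
probe_version() {                          # $1=host $2=port $3=-tls1|-tls1_1|-tls1_2|-tls1_3
    local out extra=
    case $3 in -tls1|-tls1_1) extra='-cipher DEFAULT:@SECLEVEL=0' ;; esac
    out=$(openssl s_client -connect "$1:$2" -servername "$1" "$3" $extra </dev/null 2>&1) || true
    if [ -n "$(negotiated "$out")" ]; then echo supported; else echo not_supported; fi
}

# $1=days_left $2=verify_code $3..$6=tls1.0 tls1.1 tls1.2 tls1.3 (supported|not_supported)
score_for() {
    local s=100
    if   [ "$1" -lt 0 ];  then s=$((s - 50))       # already expired
    elif [ "$1" -lt 30 ]; then s=$((s - 20)); fi   # renew now
    if [ "$2" != 0 ]; then s=$((s - 40)); fi       # chain/hostname failed, or unknown
    if [ "$3" = supported ]; then s=$((s - 30)); fi
    if [ "$4" = supported ]; then s=$((s - 20)); fi
    if [ "$6" != supported ]; then s=$((s - 10)); fi   # no TLS 1.3 offered
    if [ "$s" -lt 0 ]; then s=0; fi
    echo "$s"
}
rating_for() {
    if   [ "$1" -ge 90 ]; then echo Excellent
    elif [ "$1" -ge 80 ]; then echo Good
    elif [ "$1" -ge 60 ]; then echo Moderate
    else echo Weak; fi
}

# Live run: prints the summary, exits 1 below MIN_SCORE (CI gate), 2 with no handshake.
analyze() {
    local host=$1 port=${2:-443} hs enddate days vc v10 v11 v12 v13 score
    hs=$(openssl s_client -connect "$host:$port" -servername "$host" \
           -verify_hostname "$host" </dev/null 2>&1)
    [ -n "$(negotiated "$hs")" ] || { echo "[ERROR] no TLS handshake with $host:$port"; return 2; }
    enddate=$(printf '%s\n' "$hs" | openssl x509 -noout -enddate | cut -d= -f2)
    days=$(days_left_for "$enddate"); vc=$(verify_code "$hs")
    v10=$(probe_version "$host" "$port" -tls1);   v11=$(probe_version "$host" "$port" -tls1_1)
    v12=$(probe_version "$host" "$port" -tls1_2); v13=$(probe_version "$host" "$port" -tls1_3)
    score=$(score_for "$days" "$vc" "$v10" "$v11" "$v12" "$v13")
    echo "Negotiated      : $(negotiated "$hs")"
    echo "Verify code     : $vc"
    echo "Days remaining  : $days"
    echo "TLS 1.0/1.1/1.2/1.3 : $v10 $v11 $v12 $v13"
    echo "SAN             : $(san_names "$(printf '%s\n' "$hs" | openssl x509 -noout -text)" | tr '\n' ' ')"
    echo "Security Score  : $score / 100 ($(rating_for "$score"))"
    [ "$score" -ge "${MIN_SCORE:-80}" ]
}
if [ $# -gt 0 ]; then analyze "$@"; fi
```

Run it as ./tls-analyzer-hardened.sh example.com (the file name is an assumption) and use the exit status in CI; MIN_SCORE=90 tightens the gate. The verify code is taken from the local trust store, so run it on the same base image your clients use, or the chain result will not mean what you think.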

Example Output (illustrative; the raw openssl lines print with subject= and issuer= prefixes)

========================================
TLS Security Analyzer
========================================

Target Domain : example.com

Certificate Subject:
CN=example.com

Issuer:
Let's Encrypt

Days Remaining:
74

TLS 1.2 Supported
TLS 1.3 Supported

Security Score:
100 / 100

Rating:
Excellent

CI/CD Integration

GitHub Actions

name: TLS Verification

on:
  schedule:
    - cron: '0 7 * * *'

jobs:

  tls-check:

    runs-on: ubuntu-latest

    steps:

      - uses: actions/checkout@v4

      - run: |
          chmod +x tls-analyzer.sh
          ./tls-analyzer.sh example.com
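The workflow above runs the script on a schedule, but the script exits 0 whatever the score, so the job only fails if openssl itself errors out. The following workflow is an added example, not part of the gist: it scans a list of hosts, parses the "Security Score:" line the script prints, and fails the job below a threshold. The domain list, the threshold of 80 and the artifact naming are assumptions.

```yaml
name: TLS Verification

on:
  schedule:
    - cron: '0 7 * * *'
  workflow_dispatch:        # allow a manual run right after a certificate rotation

jobs:
  tls-check:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false      # one weak host must not cancel the other scans
      matrix:
        domain: [example.com, www.example.com]   # assumed inventory
    env:
      DOMAIN: ${{ matrix.domain }}   # hand values to the shell via env, not inline expansion
      MIN_SCORE: 80                  # assumed threshold; the "Good" band from the table
    steps:
      - uses: actions/checkout@v4

      - name: Scan and gate on score
        run: |
          chmod +x tls-analyzer.sh
          ./tls-analyzer.sh "$DOMAIN" | tee scan.txt
          score=$(sed -n 's/^Security Score: \([0-9]*\) \/ 100$/\1/p' scan.txt)
          if [ -z "$score" ] || [ "$score" -lt "$MIN_SCORE" ]; then
            echo "::error::TLS score ${score:-none} for $DOMAIN is below $MIN_SCORE"
            exit 1
          fi

      - uses: actions/upload-artifact@v4
        if: always()                 # keep the report even when the gate fails
        with:
          name: tls-report-${{ matrix.domain }}
          path: reports/tls-report.txt
```

The default bash shell in GitHub Actions runs with -e and -o pipefail, so the script's own silent exit on a failed connection also fails the step instead of passing an empty scan. For production use, pin the actions to commit SHAs rather than the floating v4 tags.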

Security Benefits

This analyzer helps identify:

  • Expired certificates
  • Weak TLS versions
  • Misconfigured certificates
  • Compliance issues
  • Weak cryptographic configurations

before they impact users.


Compliance Mapping

Useful for:

  • ISO 27001
  • SOC 2
  • PCI DSS
  • CIS Controls
  • NIST Cybersecurity Framework

Recommended Enterprise Tools

This script is a thin wrapper around the OpenSSL command line; for full cipher-suite enumeration, known-vulnerability checks and graded ratings it complements:

  • SSL Labs (Qualys) server test
  • testssl.sh
  • Nessus
  • OpenVAS
  • Nmap NSE SSL scripts (ssl-enum-ciphers, ssl-cert)

Future Enhancements

Potential improvements:

  • HTML reports
  • JSON export
  • Slack alerts
  • Teams notifications
  • Certificate transparency checks
  • OCSP validation
  • HSTS validation
  • HTTP Security Headers Audit
  • Multi-domain scanning

Enterprise Version Roadmap

Future enterprise capabilities:

  • Bulk domain scanning
  • TLS inventory management
  • Certificate expiration monitoring
  • Automatic ticket creation
  • Compliance dashboards
  • Grafana integration
  • Prometheus metrics export
  • Slack and Email alerting

Final Thoughts

TLS is one of the most critical security controls protecting modern applications and infrastructure.

Regular TLS assessments help identify certificate issues, weak cryptographic configurations, and compliance gaps before they become operational or security incidents.

Automating TLS verification should be part of every mature DevSecOps and infrastructure security program.
