Test TLS/SSL of arbitrary services and ports

• Overview
• How-To
  • Pull an already-built image
  • Run the image
  • Build and test images locally
  • View labels
  • Contribute
• About the build
• Stale tags
• Operational status of SaaS providers
• License

Overview

This repo provides docker images for testssl.sh, a free command line tool to check a service on any port for the support of TLS/SSL ciphers, protocols, recent cryptographic flaws, and more. Each image provides everything needed to run testssl.sh the way upstream intends it to be run.

Build status for master branch:
Docker image: https://quay.io/repository/jumanjiman/testssl
Docker source: https://github.com/jumanjihouse/docker-testssl
Upstream source: https://github.com/drwetter/testssl.sh

⚠️ The latest tag at quay refers to the stable version.

How-To

Pull an already-built image

docker pull quay.io/jumanjiman/testssl

Run the image

You can run the image using the docker-compose.yaml file in this git repo:

# Show help.
docker-compose run testssl --help

# Do a limited scan with a subset of options against one host.
docker-compose run testssl --heartbleed --ip one https://www.google.com/

You can also run the image with the docker command directly:

run_opts="
-i
-t
--rm
--read-only
--cap-drop     all
--memory       100M
--pids-limit   1000
--cpu-shares   512
"

docker run ${run_opts} quay.io/jumanjiman/testssl --help

The above examples use --read-only and --cap-drop all as recommended by the CIS Docker Security Benchmarks:

• CIS Security Benchmark for Docker 1.6
• CIS Security Benchmark for Docker 1.11
• CIS Security Benchmark for Docker 1.12
• CIS Security Benchmark for Docker 1.13

Build and test images locally

⚠️ All build configuration variables are in ci/build.

On a host, such as devenv:

# Optional. Your URL may vary.
export DOCKER_HOST=tcp://192.168.254.162:2375

# Build images.
ci/build

# Run the tests.
ci/test

Note: The test harness requires Python and the pip command.

View labels

Each built image has labels that generally follow http://label-schema.org/

We add a label, ci-build-url, that is not currently part of the schema. This extra label provides a permanent link to the CI build for the image.

View the ci-build-url label on a built image:

docker inspect \
  -f '{{ index .Config.Labels "io.github.jumanjiman.ci-build-url" }}' \
  quay.io/jumanjiman/testssl

Query all the labels inside a built image:

docker inspect quay.io/jumanjiman/testssl | jq -M '.[].Config.Labels'

Contribute

Fork this repo and see CONTRIBUTING.md.

⚠️ All build configuration variables are in ci/build.

About the build

ci/build uses docker-compose to create a "base" image that contains the statically-linked version of openssl from https://testssl.sh/. From the common base, ci/build creates two runtime images:

• stable version of the testssl.sh script
• dev version of the testssl.sh script

When the build happens against the master branch on CircleCI, the ci/publish script pushes both the stable and dev images to Quay.io. It also pushes a "latest" tag, which refers to the stable version.

Stale tags

Old images tend to have vulnerabilities.
Quay has a feature to use a special label, quay.expires-after, to expire tags. This repo applies the label to images so that old images get deleted automatically.

See https://support.coreos.com/hc/en-us/articles/115001384693-Tag-Expiration for more information about the Quay feature.
See src/Dockerfile for the current value of the label.

⚠️ This is a Quay feature, not a docker feature.

Operational status of SaaS providers

CircleCI: http://status.circleci.com/

Quay registry: http://status.quay.io/

License

This repo, testssl, and openssl are licensed under the GPLv2. See LICENSE.