{"id":13539676,"url":"https://github.com/cisagov/pshtt","last_synced_at":"2025-10-14T14:29:21.365Z","repository":{"id":43290016,"uuid":"62654497","full_name":"cisagov/pshtt","owner":"cisagov","description":"Scan domains and return data based on HTTPS best practices","archived":false,"fork":false,"pushed_at":"2025-10-08T02:16:10.000Z","size":1692,"stargazers_count":687,"open_issues_count":36,"forks_count":83,"subscribers_count":44,"default_branch":"develop","last_synced_at":"2025-10-08T04:13:27.628Z","etag":null,"topics":["cisa-directives","hsts","https","us-federal-government"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"cc0-1.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cisagov.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2016-07-05T17:02:18.000Z","updated_at":"2025-08-15T23:23:44.000Z","dependencies_parsed_at":"2023-02-08T17:30:23.346Z","dependency_job_id":"ad894d95-fc2d-4651-bed7-94003a31ffdb","html_url":"https://github.com/cisagov/pshtt","commit_stats":{"total_commits":936,"total_committers":40,"mean_commits":23.4,"dds":0.733974358974359,"last_synced_commit":"f980572f19b0a6a9dd09eb78fcc3924f8ef2ebc1"},"previous_names":[],"tags_count":32,"template":false,"template_full_name":null,"purl":"pkg:github/cisagov/pshtt","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cisagov%2Fpshtt","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cisagov%
2Fpshtt/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cisagov%2Fpshtt/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cisagov%2Fpshtt/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cisagov","download_url":"https://codeload.github.com/cisagov/pshtt/tar.gz/refs/heads/develop","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cisagov%2Fpshtt/sbom","scorecard":{"id":283322,"data":{"date":"2025-08-11","repo":{"name":"github.com/cisagov/pshtt","commit":"5f953664251250d42b088596f9dba3fc3e9001f8"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":7.3,"checks":[{"name":"Maintained","score":10,"reason":"30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Code-Review","score":10,"reason":"all changesets reviewed","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily 
download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Token-Permissions","score":8,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Info: jobLevel 'contents' permission set to 'read': .github/workflows/build.yml:353","Info: jobLevel 'contents' permission set to 'read': .github/workflows/build.yml:437","Info: found token with 'none' permissions: .github/workflows/build.yml:1","Info: jobLevel 'contents' permission set to 'read': .github/workflows/build.yml:72","Info: jobLevel 'contents' permission set to 'read': .github/workflows/build.yml:211","Info: jobLevel 'contents' permission set to 'read': .github/workflows/build.yml:305","Info: found token with 'none' permissions: .github/workflows/codeql-analysis.yml:1","Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql-analysis.yml:70","Info: found token with 'none' permissions: .github/workflows/dependency-review.yml:1","Info: jobLevel 'contents' permission set to 'read': .github/workflows/dependency-review.yml:61","Info: found token with 'none' permissions: .github/workflows/sync-labels.yml:1","Info: jobLevel 'contents' permission set to 'read': 
.github/workflows/sync-labels.yml:56","Warn: no topLevel permission defined: .github/workflows/build.yml:1","Warn: no topLevel permission defined: .github/workflows/codeql-analysis.yml:1","Warn: no topLevel permission defined: .github/workflows/dependency-review.yml:1","Info: topLevel 'contents' permission set to 'read': .github/workflows/sync-labels.yml:12","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yml:465: update your workflow using https://app.stepsecurity.io/secureworkflow/cisagov/pshtt/build.yml/develop?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:490: update your workflow using https://app.stepsecurity.io/secureworkflow/cisagov/pshtt/build.yml/develop?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:492: update your workflow using https://app.stepsecurity.io/secureworkflow/cisagov/pshtt/build.yml/develop?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:495: update your workflow using https://app.stepsecurity.io/secureworkflow/cisagov/pshtt/build.yml/develop?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:511: update your workflow using https://app.stepsecurity.io/secureworkflow/cisagov/pshtt/build.yml/develop?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yml:527: update your workflow using https://app.stepsecurity.io/secureworkflow/cisagov/pshtt/build.yml/develop?enable=pin","Warn: third-party GitHubAction not 
pinned by hash: .github/workflows/build.yml:40: update your workflow using https://app.stepsecurity.io/secureworkflow/cisagov/pshtt/build.yml/develop?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yml:76: update your workflow using https://app.stepsecurity.io/secureworkflow/cisagov/pshtt/build.yml/develop?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yml:102: update your workflow using https://app.stepsecurity.io/secureworkflow/cisagov/pshtt/build.yml/develop?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:103: update your workflow using https://app.stepsecurity.io/secureworkflow/cisagov/pshtt/build.yml/develop?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:105: update your workflow using https://app.stepsecurity.io/secureworkflow/cisagov/pshtt/build.yml/develop?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:113: update your workflow using https://app.stepsecurity.io/secureworkflow/cisagov/pshtt/build.yml/develop?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:123: update your workflow using https://app.stepsecurity.io/secureworkflow/cisagov/pshtt/build.yml/develop?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yml:151: update your workflow using https://app.stepsecurity.io/secureworkflow/cisagov/pshtt/build.yml/develop?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yml:154: update your workflow using https://app.stepsecurity.io/secureworkflow/cisagov/pshtt/build.yml/develop?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yml:203: update your workflow using https://app.stepsecurity.io/secureworkflow/cisagov/pshtt/build.yml/develop?enable=pin","Warn: third-party GitHubAction not pinned 
by hash: .github/workflows/build.yml:239: update your workflow using https://app.stepsecurity.io/secureworkflow/cisagov/pshtt/build.yml/develop?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:264: update your workflow using https://app.stepsecurity.io/secureworkflow/cisagov/pshtt/build.yml/develop?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:266: update your workflow using https://app.stepsecurity.io/secureworkflow/cisagov/pshtt/build.yml/develop?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:269: update your workflow using https://app.stepsecurity.io/secureworkflow/cisagov/pshtt/build.yml/develop?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yml:294: update your workflow using https://app.stepsecurity.io/secureworkflow/cisagov/pshtt/build.yml/develop?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yml:300: update your workflow using https://app.stepsecurity.io/secureworkflow/cisagov/pshtt/build.yml/develop?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yml:312: update your workflow using https://app.stepsecurity.io/secureworkflow/cisagov/pshtt/build.yml/develop?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:337: update your workflow using https://app.stepsecurity.io/secureworkflow/cisagov/pshtt/build.yml/develop?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yml:339: update your workflow using https://app.stepsecurity.io/secureworkflow/cisagov/pshtt/build.yml/develop?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yml:343: update your workflow using https://app.stepsecurity.io/secureworkflow/cisagov/pshtt/build.yml/develop?enable=pin","Warn: third-party GitHubAction not pinned by 
hash: .github/workflows/build.yml:372: update your workflow using https://app.stepsecurity.io/secureworkflow/cisagov/pshtt/build.yml/develop?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:397: update your workflow using https://app.stepsecurity.io/secureworkflow/cisagov/pshtt/build.yml/develop?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:399: update your workflow using https://app.stepsecurity.io/secureworkflow/cisagov/pshtt/build.yml/develop?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:402: update your workflow using https://app.stepsecurity.io/secureworkflow/cisagov/pshtt/build.yml/develop?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:423: update your workflow using https://app.stepsecurity.io/secureworkflow/cisagov/pshtt/build.yml/develop?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yml:428: update your workflow using https://app.stepsecurity.io/secureworkflow/cisagov/pshtt/build.yml/develop?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/cisagov/pshtt/codeql-analysis.yml/develop?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:90: update your workflow using https://app.stepsecurity.io/secureworkflow/cisagov/pshtt/codeql-analysis.yml/develop?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:117: update your workflow using https://app.stepsecurity.io/secureworkflow/cisagov/pshtt/codeql-analysis.yml/develop?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:121: update your workflow using 
https://app.stepsecurity.io/secureworkflow/cisagov/pshtt/codeql-analysis.yml/develop?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:129: update your workflow using https://app.stepsecurity.io/secureworkflow/cisagov/pshtt/codeql-analysis.yml/develop?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:143: update your workflow using https://app.stepsecurity.io/secureworkflow/cisagov/pshtt/codeql-analysis.yml/develop?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/dependency-review.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/cisagov/pshtt/dependency-review.yml/develop?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/dependency-review.yml:65: update your workflow using https://app.stepsecurity.io/secureworkflow/cisagov/pshtt/dependency-review.yml/develop?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/dependency-review.yml:92: update your workflow using https://app.stepsecurity.io/secureworkflow/cisagov/pshtt/dependency-review.yml/develop?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/dependency-review.yml:95: update your workflow using https://app.stepsecurity.io/secureworkflow/cisagov/pshtt/dependency-review.yml/develop?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/sync-labels.yml:62: update your workflow using https://app.stepsecurity.io/secureworkflow/cisagov/pshtt/sync-labels.yml/develop?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/sync-labels.yml:87: update your workflow using https://app.stepsecurity.io/secureworkflow/cisagov/pshtt/sync-labels.yml/develop?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/sync-labels.yml:90: update your workflow using 
https://app.stepsecurity.io/secureworkflow/cisagov/pshtt/sync-labels.yml/develop?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/sync-labels.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/cisagov/pshtt/sync-labels.yml/develop?enable=pin","Warn: pipCommand not pinned by hash: gce-scripts/packages_to_install.sh:22","Warn: pipCommand not pinned by hash: gce-scripts/packages_to_install.sh:25","Warn: pipCommand not pinned by hash: gce-scripts/packages_to_install.sh:28","Warn: pipCommand not pinned by hash: gce-scripts/packages_to_install.sh:31","Warn: pipCommand not pinned by hash: gce-scripts/packages_to_install.sh:34","Warn: pipCommand not pinned by hash: gce-scripts/packages_to_install.sh:37","Warn: pipCommand not pinned by hash: gce-scripts/packages_to_install.sh:40","Warn: pipCommand not pinned by hash: gce-scripts/packages_to_install.sh:43","Warn: pipCommand not pinned by hash: gce-scripts/packages_to_install.sh:46","Warn: pipCommand not pinned by hash: setup-env:274","Warn: pipCommand not pinned by hash: setup-env:279","Warn: pipCommand not pinned by hash: .github/workflows/build.yml:196","Warn: pipCommand not pinned by hash: .github/workflows/build.yml:197","Warn: pipCommand not pinned by hash: .github/workflows/build.yml:287","Warn: pipCommand not pinned by hash: .github/workflows/build.yml:288","Warn: pipCommand not pinned by hash: .github/workflows/build.yml:418","Warn: pipCommand not pinned by hash: .github/workflows/build.yml:419","Warn: pipCommand not pinned by hash: .github/workflows/build.yml:520","Warn: pipCommand not pinned by hash: .github/workflows/build.yml:522","Info:   0 out of  23 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of  23 third-party GitHubAction dependencies pinned","Info:   0 out of  19 pipCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build 
process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Creative Commons Zero v1.0 Universal: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: github.com/cisagov/.github/SECURITY.md:1","Info: Found linked content: github.com/cisagov/.github/SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: github.com/cisagov/.github/SECURITY.md:1","Info: Found text in security policy: 
github.com/cisagov/.github/SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Vulnerabilities","score":3,"reason":"7 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-29gw-9793-fvw7","Warn: Project is vulnerable to: PYSEC-2015-24 / GHSA-4vwq-x64q-j4cj","Warn: Project is vulnerable to: PYSEC-2017-46 / GHSA-66gw-5xpf-gfp5","Warn: Project is vulnerable to: PYSEC-2015-25 / GHSA-92mr-v722-f48m","Warn: Project is vulnerable to: PYSEC-2022-12 / GHSA-pq7m-3gw7-gq5x","Warn: Project is vulnerable to: PYSEC-2017-47","Warn: Project is vulnerable to: PYSEC-2022-43017 / GHSA-qwmp-2cf2-g9g6"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"SAST","score":10,"reason":"SAST tool is run on all commits","details":["Info: SAST configuration detected: CodeQL","Info: all commits (30) are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code 
analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-17T16:31:52.944Z","repository_id":43290016,"created_at":"2025-08-17T16:31:52.944Z","updated_at":"2025-08-17T16:31:52.944Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":279016574,"owners_count":26085850,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-13T02:00:06.723Z","response_time":61,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cisa-directives","hsts","https","us-federal-government"],"created_at":"2024-08-01T09:01:30.300Z","updated_at":"2025-10-14T14:29:21.348Z","avatar_url":"https://github.com/cisagov.png","language":"Python","funding_links":[],"categories":["\u003ca id=\"8f92ead9997a4b68d06a9acf9b01ef63\"\u003e\u003c/a\u003e扫描器\u0026\u0026安全扫描\u0026\u0026App扫描\u0026\u0026漏洞扫描","Python","\u003ca id=\"132036452bfacf61471e3ea0b7bf7a55\"\u003e\u003c/a\u003e工具"],"sub_categories":["\u003ca id=\"de63a029bda6a7e429af272f291bb769\"\u003e\u003c/a\u003e未分类-Scanner"],"readme":"# Pushing HTTPS 🔒 #\n\n[![Latest Version](https://img.shields.io/pypi/v/pshtt.svg)](https://pypi.org/project/pshtt/)\n[![GitHub Build 
Status](https://github.com/cisagov/pshtt/workflows/build/badge.svg)](https://github.com/cisagov/pshtt/actions)\n[![CodeQL](https://github.com/cisagov/pshtt/workflows/CodeQL/badge.svg)](https://github.com/cisagov/pshtt/actions/workflows/codeql-analysis.yml)\n[![Coverage Status](https://coveralls.io/repos/github/cisagov/pshtt/badge.svg?branch=develop)](https://coveralls.io/github/cisagov/pshtt?branch=develop)\n[![Known Vulnerabilities](https://snyk.io/test/github/cisagov/pshtt/develop/badge.svg)](https://snyk.io/test/github/cisagov/pshtt)\n\n`pshtt` (*\"pushed\"*) is a tool to scan domains for HTTPS best\npractices. It saves its results to a CSV (or JSON) file.\n\n`pshtt` was developed to *push* organizations — especially large ones\nlike the US Federal Government :us: — to adopt HTTPS across the\nenterprise. Federal agencies must comply with\n[M-15-13](https://https.cio.gov), a 2015 memorandum from the White\nHouse Office of Management and Budget, and [BOD\n18-01](https://cyber.dhs.gov/bod/18-01/), a 2017 directive from the\nDepartment of Homeland Security, which require federal agencies to\nenforce HTTPS on their public web services. 
Much has been done, but\nthere's [more yet to\ndo](https://18f.gsa.gov/2017/01/04/tracking-the-us-governments-progress-on-moving-https/).\n\n`pshtt` is a collaboration between the Cyber and Infrastructure\nSecurity Agency's [National Cybersecurity Assessments and Technical\nServices (NCATS) team](https://github.com/cisagov) and [the General\nService Administration's 18F team](https://18f.gsa.gov), with\n[contributions from NASA, Lawrence Livermore National Laboratory, and\nvarious non-governmental\norganizations](https://github.com/cisagov/pshtt/graphs/contributors).\n\n## Getting started ##\n\n`pshtt` can be installed as a module, or run directly from the\nrepository.\n\n### Installed as a module ###\n\n`pshtt` can be installed directly via pip:\n\n```console\npip install pshtt\n```\n\nIt can then be run directly:\n\n```console\npshtt example.com [options]\n```\n\n### Running directly ###\n\nTo run the tool locally from the repository, without installing, first\ninstall the requirements:\n\n```console\npip install -r requirements.txt\n```\n\nThen run it as a module via `python -m`:\n\n```console\npython -m pshtt.cli example.com [options]\n```\n\n### Usage and examples ###\n\n```console\npshtt [options] DOMAIN...\npshtt [options] INPUT\n\npshtt dhs.gov\npshtt --output=homeland.csv --debug dhs.gov us-cert.gov usss.gov\npshtt --sorted current-federal.csv\n```\n\nNote: if INPUT ends with `.csv`, domains will be read from the first\ncolumn of the CSV. CSV output will always be written to disk (unless\n--json is specified), defaulting to `results.csv`.\n\n#### Options ####\n\n```console\n  -h --help                     Show this message.\n  -s --sorted                   Sort output by domain, A-Z.\n  -o --output=OUTFILE           Name output file. (Defaults to \"results\".)\n  -j --json                     Get results in JSON. (Defaults to CSV.)\n  -m --markdown                 Get results in Markdown. 
(Defaults to CSV.)\n  -d --debug                    Print debug output.\n  -u --user-agent=AGENT         Override user agent.\n  -t --timeout=TIMEOUT          Override timeout (in seconds).\n  -c --cache-third-parties=DIR  Cache third party data, and what directory to cache it in.\n  -f --ca-file=PATH             Specify custom CA bundle (PEM format)\n```\n\n##### Using your own CA bundle #####\n\nBy default, `pshtt` relies on the root CAs that are trusted in the\n[Mozilla root\nstore](https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt).\nIf you work behind a corporate proxy or have your own certificates that\naren't publicly trusted, you can specify your own CA bundle:\n\n```console\npshtt --ca-file=/etc/ssl/ca.pem server.internal-location.gov\n```\n\n## What's checked? ##\n\nA domain is checked on its four endpoints:\n\n- `http://`\n- `http://www`\n- `https://`\n- `https://www`\n\n### Domain and redirect info ###\n\nThe following values are returned in `results.csv`:\n\n- `Domain` - The domain you're scanning!\n- `Base Domain` - The base domain of `Domain`. For example, for a\n  Domain of `sub.example.com`, the Base Domain will be\n  `example.com`. Usually this is the second-level domain, but `pshtt`\n  will download and factor in the [Public Suffix\n  List](https://publicsuffix.org) when calculating the base\n  domain. (To cache the Public Suffix List, use `--suffix-cache` as\n  documented above.)\n- `Canonical URL` - One of the four endpoints described above; a\n  judgment call based on the observed redirect logic of the domain.\n- `Live` - The domain is \"live\" if any endpoint is live.\n- `HTTPS Live` - The domain is \"HTTPS live\" if any HTTPS endpoint is\n  live.\n- `HTTPS Full Connection` - The domain is \"fully connected\" if any\n  HTTPS endpoint is fully connected.  
A \"fully connected\" HTTPS\n  endpoint is one with which pshtt could make a full TLS connection.\n- `HTTPS Client Auth Required` - A domain requires client\n  authentication if *any* HTTPS endpoint requires it for a full TLS\n  connection.\n- `Redirect` - The domain is a \"redirect domain\" if at least one\n  endpoint is a redirect, and all endpoints are either redirects or\n  down.\n- `Redirect to` - If a domain is a \"redirect domain\", where does it\n  redirect to?\n\n### Landing on HTTPS ###\n\n- `Valid HTTPS` - A domain has \"valid HTTPS\" if it responds on port\n  443 at the hostname in its Canonical URL with an unexpired valid\n  certificate for the hostname. This can be true even if the Canonical\n  URL uses HTTP.\n- `HTTPS Publicly Trusted` - A domain is \"publicly trusted\" if its\n  canonical endpoint has a publicly trusted certificate.\n- `HTTPS Custom Truststore Trusted` - A domain is \"custom truststore\n  trusted\" if its canonical endpoint has a certificate that is trusted\n  by the custom truststore.\n- `Defaults to HTTPS` - A domain \"defaults to HTTPS\" if its canonical\n  endpoint uses HTTPS.\n- `Downgrades HTTPS` - A domain \"downgrades HTTPS\" if HTTPS is\n  supported in some way, but its canonical HTTPS endpoint immediately\n  redirects internally to HTTP.\n- `Strictly Forces HTTPS` - This is different than whether a domain\n  \"defaults\" to HTTPS. A domain \"Strictly Forces HTTPS\" if one of the\n  HTTPS endpoints is \"live\", and if both HTTP endpoints are either\n  down or redirect immediately to any HTTPS URI. An HTTP redirect can\n  go to HTTPS on another domain, as long as it's immediate. 
(A domain\n  with an invalid cert can still be enforcing HTTPS.)\n\n### Common errors ###\n\n- `HTTPS Bad Chain` - A domain has a bad chain if either HTTPS\n  endpoint contains a bad chain.\n- `HTTPS Bad Hostname` - A domain has a bad hostname if either HTTPS\n  endpoint fails hostname validation.\n- `HTTPS Expired Cert` - A domain has an expired certificate if either\n  HTTPS endpoint has an expired certificate.\n- `HTTPS Self-Signed Cert` - A domain has a self-signed certificate if\n  either HTTPS endpoint has a self-signed certificate.\n- `HTTPS Probably Missing Intermediate Cert` - A domain is \"probably\n  missing intermediate certificate\" if the canonical HTTPS endpoint is\n  probably missing an intermediate certificate.\n\n### HSTS ###\n\n- `HSTS` - A domain has HTTP Strict Transport Security enabled if its\n  canonical HTTPS endpoint has HSTS enabled.\n- `HSTS Header` - This field provides a domain's HSTS header at its\n  canonical endpoint.\n- `HSTS Max Age` - A domain's HSTS max-age is its canonical endpoint's\n  max-age.\n- `HSTS Entire Domain` - A domain has HSTS enabled for the entire\n  domain if its **root HTTPS endpoint** (*not the canonical HTTPS\n  endpoint*) has HSTS enabled and uses the HSTS `includeSubDomains`\n  flag.\n- `HSTS Preload Ready` - A domain is HSTS \"preload ready\" if its\n  **root HTTPS endpoint** (*not the canonical HTTPS endpoint*) has\n  HSTS enabled, has a max-age of at least 18 weeks, and uses the\n  `includeSubDomains` and `preload` flag.\n- `HSTS Preload Pending` - A domain is \"preload pending\" when it\n  appears in the [Chrome preload pending\n  list](https://hstspreload.org/api/v2/pending) with the\n  `include_subdomains` flag equal to `true`.  
The intent of `pshtt` is\n  to make sure that the user is *fully* protected, so it only counts\n  domains as HSTS preloaded if they are *fully* HSTS preloaded\n  (meaning that all subdomains are included as well).\n- `HSTS Preloaded` - A domain is HSTS preloaded if its domain name\n  appears in the [Chrome preload\n  list](https://chromium.googlesource.com/chromium/src/net/+/master/http/transport_security_state_static.json)\n  with the `include_subdomains` flag equal to `true`, regardless of\n  what header is present on any endpoint.  The intent of `pshtt` is to\n  make sure that the user is *fully* protected, so it only counts\n  domains as HSTS preloaded if they are *fully* HSTS preloaded\n  (meaning that all subdomains are included as well).\n- `Base Domain HSTS Preloaded` - A domain's base domain is HSTS\n  preloaded if its base domain appears in the [Chrome preload\n  list](https://chromium.googlesource.com/chromium/src/net/+/master/http/transport_security_state_static.json)\n  with the `include_subdomains` flag equal to `true`. This is subtly\n  different from `HSTS Entire Domain`, which inspects headers on the\n  base domain to see if HSTS is set correctly to encompass the entire\n  zone.\n\n### Scoring ###\n\nThese three fields use the previous results to come to high-level\nconclusions about a domain's behavior.\n\n- `Domain Supports HTTPS` - A domain 'Supports HTTPS' when it doesn't\n  downgrade and has valid HTTPS, or when it doesn't downgrade and has\n  a bad chain but not a bad hostname (a bad hostname makes it clear\n  the domain isn't actively attempting to support HTTPS, whereas an\n  incomplete chain is just a mistake.). Domains with a bad chain\n  \"support\" HTTPS but user-side errors can be expected.\n- `Domain Enforces HTTPS` - A domain that 'Enforces HTTPS' must\n  'Support HTTPS' and default to HTTPS. For websites (where `Redirect`\n  is `false`) they are allowed to *eventually* redirect to an\n  `https://` URI. 
For \"redirect domains\" (domains where the `Redirect`\n  value is `true`) they must *immediately* redirect clients to an\n  `https://` URI (even if that URI is on another domain) in order to\n  be said to enforce HTTPS.\n- `Domain Uses Strong HSTS` - A domain 'Uses Strong HSTS' when the\n  max-age ≥ 31536000.\n\n### General information ###\n\n- `IP` - The IP for the domain.\n- `Server Header` - The server header from the response for the\n  domain.\n- `Server Version` - The server version, as extracted from the server\n  header.\n- `HTTPS Cert Chain Length` - The certificate chain length for the\n  canonical HTTPS endpoint.\n- `Notes` - A field where free-form notes about the domain can be\n  stored.\n\n### Uncommon errors ###\n\n- `Unknown Error` - A Boolean value indicating whether or not an\n  unexpected exception was encountered when testing the domain.  The\n  purpose of this field is to flag any odd websites for further\n  debugging.\n\n## Troubleshooting ##\n\n### DNS blackhole / DNS assist ###\n\nOne issue which can occur when running `pshtt`, particularly for\nhome/residential networks with standard ISPs, is the use of \"DNS\nAssist\" features, a.k.a. \"DNS Blackholes\".\n\nIn these environments, you may see inconsistent results from `pshtt`\nowing to the fact that your ISP is attempting to detect a request for\nan unknown site without a DNS record and is redirecting you to a\nsearch page for that site. This means that an endpoint which *should*\nresolve as \"not-alive\" will instead resolve as \"live\", owing to the\ndetection of the live search result page.\n\nIf you would like to disable this \"feature\", several ISPs offer the\nability to opt out of this service, and maintain their own\ninstructions for doing so:\n\n- [AT\u0026T](http://www.att.net/dnserrorassist/about/srchTrm=Redirect%20Bin)\n- [FIOS](https://www.verizon.com/support/residential/internet/fiosinternet/troubleshooting/network/questionsone/99147.htm)\n\n## Who uses pshtt? 
##\n\n- GSA maintains [Pulse](https://pulse.cio.gov), a dashboard that\n  tracks how federal government domains are meeting best practices on\n  the web. [Pulse is open source](https://github.com/18F/pulse).\n- The Freedom of the Press Foundation runs\n  [securethe.news](https://securethe.news), a site that aims to \"track\n  and promote the adoption of HTTPS encryption by major news\n  organizations' websites\". [Secure the News is open\n  source](https://securethe.news/blog/secure-news-open-source/).\n- DHS issues [HTTPS Reports](https://18f.gsa.gov/2017/01/06/open-source-collaboration-across-agencies-to-improve-https-deployment/)\n  to federal executive branch agencies.\n\n## Acknowledgements ##\n\nThis code was modeled after [Ben\nBalter](https://github.com/benbalter)'s\n[site-inspector](https://github.com/benbalter/site-inspector), with\nsignificant guidance from [Eric Mill](https://github.com/konklone).\n\n## Contributing ##\n\nWe welcome contributions!  Please see [`CONTRIBUTING.md`](CONTRIBUTING.md) for\ndetails.\n\n## License ##\n\nThis project is in the worldwide [public domain](LICENSE).\n\nThis project is in the public domain within the United States, and\ncopyright and related rights in the work worldwide are waived through\nthe [CC0 1.0 Universal public domain\ndedication](https://creativecommons.org/publicdomain/zero/1.0/).\n\nAll contributions to this project will be released under the CC0\ndedication. By submitting a pull request, you are agreeing to comply\nwith this waiver of copyright interest.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcisagov%2Fpshtt","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcisagov%2Fpshtt","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcisagov%2Fpshtt/lists"}