{"id":34901298,"url":"https://github.com/csnp/qramm-tls-analyzer","last_synced_at":"2026-01-13T20:59:05.555Z","repository":{"id":330535962,"uuid":"1123009125","full_name":"csnp/qramm-tls-analyzer","owner":"csnp","description":"TLS/SSL security analyzer for quantum readiness assessment and CNSA 2.0 compliance","archived":false,"fork":false,"pushed_at":"2026-01-01T04:35:57.000Z","size":117,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-01-05T22:31:11.196Z","etag":null,"topics":["cbom","cnsa","cryptography","golang","post-quantum-cryptography","pqc","quantum-computing","security","security-scanner","ssl","tls"],"latest_commit_sha":null,"homepage":"https://qramm.org","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/csnp.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-12-26T02:43:11.000Z","updated_at":"2026-01-01T04:36:00.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/csnp/qramm-tls-analyzer","commit_stats":null,"previous_names":["csnp/qramm-tls-analyzer"],"tags_count":3,"template":false,"template_full_name":null,"purl":"pkg:github/csnp/qramm-tls-analyzer","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/csnp%2Fqramm-tls-analyzer","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/csnp%2Fqramm-tls-analyzer/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/csnp%2Fqramm-tls-analyzer/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/csnp%2Fqramm-tls-analyzer/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/csnp","download_url":"https://codeload.github.com/csnp/qramm-tls-analyzer/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/csnp%2Fqramm-tls-analyzer/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28400345,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-13T14:36:09.778Z","status":"ssl_error","status_checked_at":"2026-01-13T14:35:19.697Z","response_time":56,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cbom","cnsa","cryptography","golang","post-quantum-cryptography","pqc","quantum-computing","security","security-scanner","ssl","tls"],"created_at":"2025-12-26T08:53:55.344Z","updated_at":"2026-01-13T20:59:05.550Z","avatar_url":"https://github.com/csnp.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003ch1 align=\"center\"\u003eQRAMM TLS Analyzer\u003c/h1\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003cstrong\u003eQuantum-Ready TLS Security Assessment Tool\u003c/strong\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://github.com/csnp/qramm-tls-analyzer/actions\"\u003e\u003cimg src=\"https://github.com/csnp/qramm-tls-analyzer/workflows/CI/badge.svg\" alt=\"CI Status\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://goreportcard.com/report/github.com/csnp/qramm-tls-analyzer\"\u003e\u003cimg src=\"https://goreportcard.com/badge/github.com/csnp/qramm-tls-analyzer?v=2\" alt=\"Go Report Card\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://pkg.go.dev/github.com/csnp/qramm-tls-analyzer\"\u003e\u003cimg src=\"https://pkg.go.dev/badge/github.com/csnp/qramm-tls-analyzer.svg\" alt=\"Go Reference\"\u003e\u003c/a\u003e\n  \u003ca href=\"LICENSE\"\u003e\u003cimg src=\"https://img.shields.io/badge/License-MIT-blue.svg\" alt=\"License\"\u003e\u003c/a\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"#quick-start\"\u003eQuick Start\u003c/a\u003e \u0026bull;\n  \u003ca href=\"#features\"\u003eFeatures\u003c/a\u003e \u0026bull;\n  \u003ca href=\"#installation\"\u003eInstallation\u003c/a\u003e \u0026bull;\n  \u003ca href=\"#usage\"\u003eUsage\u003c/a\u003e \u0026bull;\n  \u003ca href=\"#output-formats\"\u003eOutput Formats\u003c/a\u003e \u0026bull;\n  \u003ca href=\"#policies\"\u003ePolicies\u003c/a\u003e \u0026bull;\n  \u003ca href=\"#contributing\"\u003eContributing\u003c/a\u003e\n\u003c/p\u003e\n\n---\n\n## Overview\n\n**QRAMM TLS Analyzer** is an open-source command-line tool that performs comprehensive TLS security analysis with a focus on **post-quantum cryptography (PQC) readiness**. As quantum computing advances, organizations must prepare their cryptographic infrastructure for the post-quantum era. This tool helps you understand your current TLS posture and provides actionable guidance for CNSA 2.0 compliance.\n\nPart of the [QRAMM (Quantum Readiness Assurance Maturity Model)](https://qramm.org) toolkit, developed by the [Cyber Security Non-Profit (CSNP)](https://csnp.org).\n\n\u003e **⚠️ Responsible Use Warning**\n\u003e\n\u003e This tool performs active network connections to analyze TLS configurations. **Only scan systems and domains you own or have explicit written authorization to test.** Unauthorized scanning may violate laws and regulations in your jurisdiction. The authors assume no liability for misuse of this tool.\n\n### Why Quantum Readiness Matters\n\n- **Harvest Now, Decrypt Later (HNDL)**: Adversaries are collecting encrypted data today to decrypt once quantum computers become available\n- **CNSA 2.0 Deadlines**: NSA's timeline requires hybrid PQC for new systems by 2027 and full transition by 2035\n- **Long Migration Cycles**: Cryptographic migrations typically take 5-10 years to complete\n- **Regulatory Pressure**: Government agencies and regulated industries must demonstrate quantum readiness\n\n## Quick Start\n\n### Option 1: Build from Source\n\nRequires Go 1.23+ ([install Go](https://go.dev/doc/install))\n\nCopy and paste this entire block:\n\n```bash\ngit clone https://github.com/csnp/qramm-tls-analyzer.git\ncd qramm-tls-analyzer\ngo build -o tlsanalyzer ./cmd/tlsanalyzer\nsudo mv tlsanalyzer /usr/local/bin/\ncd ..\ntlsanalyzer --version\n```\n\n### Option 2: Download Binary\n\nDownload pre-built binaries from [Releases](https://github.com/csnp/qramm-tls-analyzer/releases).\n\n### Run Your First Scan\n\n```bash\n# Scan a domain you own or have permission to test\ntlsanalyzer yourdomain.com\n```\n\nExpected output: Security grade, quantum risk score, CNSA 2.0 timeline.\n\n## Features\n\n### Security Analysis\n\n| Feature | Description |\n|---------|-------------|\n| **Protocol Analysis** | TLS 1.0, 1.1, 1.2, 1.3 version detection with deprecation warnings |\n| **Cipher Suite Evaluation** | Strength assessment, forward secrecy verification, weak algorithm detection |\n| **Certificate Analysis** | Validity, chain verification, key strength, signature algorithm assessment |\n| **Vulnerability Detection** | BEAST, POODLE, weak ciphers, expired certificates, and more |\n\n### Quantum Readiness\n\n| Feature | Description |\n|---------|-------------|\n| **Quantum Risk Scoring** | 0-100 score indicating quantum vulnerability |\n| **PQC Detection** | ML-KEM, ML-DSA, SLH-DSA, and hybrid key exchange detection |\n| **HNDL Risk Assessment** | Evaluate exposure to harvest-now-decrypt-later attacks |\n| **CNSA 2.0 Timeline** | Track compliance against NSA's post-quantum migration deadlines |\n\n### Compliance \u0026 Reporting\n\n| Feature | Description |\n|---------|-------------|\n| **Policy-as-Code** | Built-in and custom YAML policies for automated compliance checking |\n| **CNSA 2.0 Timeline Tracking** | Milestones for 2025, 2027, 2030, 2033, 2035 |\n| **Multiple Output Formats** | Text, JSON, SARIF, CycloneDX CBOM, HTML |\n| **Batch Scanning** | Scan multiple targets with concurrency control |\n\n## Usage\n\n### Output Formats\n\n```bash\n./tlsanalyzer yourdomain.com                              # Human-readable text (default)\n./tlsanalyzer yourdomain.com --format json                # JSON output\n./tlsanalyzer yourdomain.com --format html -o report.html # Standalone HTML report\n./tlsanalyzer yourdomain.com --format cbom -o cbom.json   # CycloneDX CBOM\n./tlsanalyzer yourdomain.com --format sarif -o scan.sarif # SARIF for GitHub Security\n```\n\n### Policy Evaluation\n\n```bash\n./tlsanalyzer policies                                    # List available policies\n./tlsanalyzer yourdomain.com --policy cnsa-2.0-2027       # CNSA 2.0 compliance check\n./tlsanalyzer yourdomain.com --policy-file custom.yaml    # Custom policy file\n```\n\n### Batch Scanning\n\n```bash\n# Create targets file\necho \"api.yourdomain.com\nweb.yourdomain.com\nauth.yourdomain.com\" \u003e targets.txt\n\n# Scan all targets\n./tlsanalyzer --targets targets.txt --format html -o report.html\n```\n\n### More Options\n\n```bash\n./tlsanalyzer yourdomain.com:8443                         # Custom port\n./tlsanalyzer 192.168.1.1 --sni yourdomain.com            # Custom SNI\n./tlsanalyzer yourdomain.com --timeout 60                 # Custom timeout\n./tlsanalyzer yourdomain.com --skip-vulns                 # Skip vulnerability checks\n./tlsanalyzer yourdomain.com --skip-quantum               # Skip quantum assessment\n```\n\n## Example Output\n\nSample terminal output:\n\n```\n═══════════════════════════════════════════════════════════════\n  QRAMM TLS Analyzer - Quantum-Ready Security Assessment\n═══════════════════════════════════════════════════════════════\n\n  Target: example.com\n  IP: 93.184.216.34\n  Scanned: 2025-01-15 10:30:00 UTC\n\n───────────────────────────────────────────────────────────────\n  OVERALL GRADE\n───────────────────────────────────────────────────────────────\n\n  TLS Security:     B    (78/100)\n  Quantum Ready:    QV\n\n  Score Breakdown:\n    Protocol Support     [████████████████░░░░] 20/25\n    Cipher Strength      [████████████████████] 25/25\n    Certificate          [████████████████████] 25/25\n    Quantum Readiness    [░░░░░░░░░░░░░░░░░░░░] 0/25\n\n───────────────────────────────────────────────────────────────\n  POLICY EVALUATION\n───────────────────────────────────────────────────────────────\n\n    Policy:     cnsa-2.0-2027\n    Status:     ✗ NON-COMPLIANT\n    Score:      10/100\n\n    Violations (4)\n      • [CRITICAL] Required key exchange algorithm not found\n        Expected: X25519MLKEM768 or SecP384r1MLKEM1024\n\n───────────────────────────────────────────────────────────────\n  CNSA 2.0 COMPLIANCE TIMELINE\n───────────────────────────────────────────────────────────────\n\n    Current Phase:      Preparation Phase\n    Timeline Score:     54/100\n    Days to Deadline:   371\n    Next Action:        Enable hybrid PQC key exchange\n\n    Milestones:\n      ○ Preparation Phase (2025-12-31)\n      ✗ New NSS Systems (2027-01-01)\n         └─ ML-KEM key exchange not detected\n      ◐ TLS 1.3 Required (2030-01-02)\n      — Legacy System Update (2033-01-01)\n      — Full PQC Transition (2035-01-01)\n```\n\nOther formats: `--format json` for automation, `--format cbom` for [CycloneDX CBOM](https://cyclonedx.org/capabilities/cbom/), `--format html` for shareable reports, `--format sarif` for GitHub Security.\n\n## Policies\n\n| Policy | Description |\n|--------|-------------|\n| `modern` | Modern TLS configuration for 2024+ |\n| `strict` | Strict TLS 1.3-only configuration |\n| `cnsa-2.0-2027` | CNSA 2.0 for new NSS systems (2027 deadline) |\n| `cnsa-2.0-2030` | CNSA 2.0 with TLS 1.3 required |\n| `cnsa-2.0-2035` | CNSA 2.0 full PQC transition |\n\nCustom policies can be created in YAML format. See [docs/policies.md](docs/policies.md) for details.\n\n## CNSA 2.0 Timeline\n\nThe tool tracks compliance against NSA's Commercial National Security Algorithm Suite 2.0 timeline:\n\n| Milestone | Deadline | Requirements |\n|-----------|----------|--------------|\n| **Preparation Phase** | Dec 2025 | Begin PQC integration planning, inventory cryptographic assets |\n| **New NSS Systems** | Jan 2027 | ML-KEM for key exchange, ML-DSA/SLH-DSA for signatures, AES-256, SHA-384+ |\n| **TLS 1.3 Required** | Jan 2030 | TLS 1.3 mandatory, hybrid PQC required, RSA/ECDH no longer acceptable |\n| **Legacy System Update** | Jan 2033 | Complete migration of all existing systems, PQC certificates deployed |\n| **Full PQC Transition** | Jan 2035 | Pure PQC (no hybrid required), classical algorithms fully retired |\n\n### Algorithm Classification\n\n| Status | Description | Examples |\n|--------|-------------|----------|\n| **Approved** | CNSA 2.0 approved | ML-KEM-768, ML-KEM-1024, ML-DSA-65, ML-DSA-87, SLH-DSA, AES-256, SHA-384, SHA-512 |\n| **Transitional** | Allowed until deadline | RSA-3072, RSA-4096, ECDSA-P384, ECDH-P384, X25519 (hybrid only), SHA-256 |\n| **Deprecated** | Phase out immediately | RSA-2048, ECDSA-P256, ECDH-P256 |\n| **Prohibited** | Never use | 3DES, RC4, SHA-1, MD5 |\n\n## Grading System\n\n### TLS Security Grade\n\n| Grade | Score | Description |\n|-------|-------|-------------|\n| **A+** | 95-100 | Exceptional security with quantum readiness |\n| **A** | 85-94 | Excellent configuration |\n| **B** | 70-84 | Good with minor improvements needed |\n| **C** | 55-69 | Adequate but significant improvements recommended |\n| **D** | 40-54 | Poor configuration, security issues present |\n| **F** | 0-39 | Failing, critical vulnerabilities |\n\n### Quantum Readiness Grade\n\n| Grade | Description |\n|-------|-------------|\n| **Q+** | Full PQC ready (ML-KEM key exchange + ML-DSA certificates) |\n| **Q** | Hybrid PQC key exchange enabled |\n| **Q-** | Partially quantum-ready |\n| **QV** | Quantum vulnerable (classical cryptography only) |\n\n## CLI Reference\n\n```\nUSAGE:\n  tlsanalyzer [target] [flags]\n  tlsanalyzer [command]\n\nCOMMANDS:\n  policies    List available security policies\n  version     Print version information\n\nFLAGS:\n  -f, --format string      Output format: text, json, sarif, cbom, html (default \"text\")\n  -o, --output string      Output file (default: stdout)\n  -t, --timeout int        Connection timeout in seconds (default 30)\n  -p, --port int           Target port (default 443)\n      --sni string         Server Name Indication (SNI)\n      --no-color           Disable colored output\n      --compact            Compact JSON output\n      --skip-vulns         Skip vulnerability checks\n      --skip-quantum       Skip quantum risk assessment\n      --skip-cnsa2         Skip CNSA 2.0 compliance analysis\n      --policy string      Apply a security policy\n      --policy-file string Path to custom policy YAML file\n      --targets string     File containing list of targets\n  -c, --concurrency int    Concurrent scans for batch mode (default 10)\n  -h, --help              Help for tlsanalyzer\n```\n\n## CI/CD Integration\n\nSee [docs/ci-cd-integration.md](docs/ci-cd-integration.md) for GitHub Actions, GitLab CI, Jenkins, and Azure DevOps examples.\n\n## Architecture\n\n```\nqramm-tls-analyzer/\n├── cmd/\n│   └── tlsanalyzer/\n│       └── main.go           # CLI entry point, flag parsing, batch scanning\n├── internal/\n│   ├── analyzer/\n│   │   ├── cnsa2.go          # CNSA 2.0 compliance analysis\n│   │   └── policy.go         # Policy-as-code evaluation\n│   ├── reporter/\n│   │   ├── cbom.go           # CycloneDX CBOM output\n│   │   ├── html.go           # HTML report generation\n│   │   ├── json.go           # JSON output\n│   │   ├── sarif.go          # SARIF output\n│   │   └── text.go           # Terminal output with colors\n│   └── scanner/\n│       ├── scanner.go        # Core TLS scanning logic\n│       ├── quantum.go        # PQC risk assessment\n│       ├── vulnerabilities.go # Vulnerability detection\n│       ├── grade.go          # Grading system\n│       └── recommendations.go # Actionable recommendations\n└── pkg/\n    └── types/\n        ├── result.go         # Scan result types\n        ├── policy.go         # Policy definitions\n        ├── cbom.go           # CycloneDX CBOM types\n        └── compliance.go     # Compliance framework types\n```\n\n## About QRAMM\n\n**QRAMM (Quantum Readiness Assurance Maturity Model)** is an evidence-based framework designed to help enterprises systematically prepare for the quantum computing threat to current cryptographic systems. QRAMM provides structured evaluation across quantum readiness dimensions.\n\nVisit [qramm.org](https://qramm.org) to learn more about:\n- Quantum readiness assessment\n- Migration planning resources\n- Implementation guidance\n- Industry benchmarks\n\n### QRAMM Toolkit\n\nThis analyzer is part of the QRAMM open-source toolkit:\n\n| Tool | Description |\n|------|-------------|\n| **TLS Analyzer** | TLS/SSL configuration analysis with quantum readiness (this tool) |\n| **[CryptoScan](https://github.com/csnp/qramm-cryptoscan)** | Cryptographic discovery scanner for codebases |\n\n## Contributing\n\nSee [CONTRIBUTING.md](CONTRIBUTING.md) for development setup and guidelines.\n\n## References\n\n- [NSA CNSA 2.0 Guidance](https://media.defense.gov/2022/Sep/07/2003071834/-1/-1/0/CSA_CNSA_2.0_ALGORITHMS_.PDF) - Commercial National Security Algorithm Suite 2.0\n- [NIST Post-Quantum Cryptography](https://csrc.nist.gov/projects/post-quantum-cryptography) - PQC Standardization\n- [FIPS 203: ML-KEM](https://csrc.nist.gov/publications/detail/fips/203/final) - Module-Lattice Key Encapsulation\n- [FIPS 204: ML-DSA](https://csrc.nist.gov/publications/detail/fips/204/final) - Module-Lattice Digital Signatures\n- [FIPS 205: SLH-DSA](https://csrc.nist.gov/publications/detail/fips/205/final) - Stateless Hash-Based Digital Signatures\n- [RFC 8446: TLS 1.3](https://datatracker.ietf.org/doc/rfc8446/) - Transport Layer Security 1.3\n- [RFC 8996: Deprecating TLS 1.0 and 1.1](https://datatracker.ietf.org/doc/rfc8996/)\n- [CycloneDX CBOM](https://cyclonedx.org/capabilities/cbom/) - Cryptographic Bill of Materials\n\n## License\n\nThis project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.\n\n## Acknowledgments\n\n- NSA's CNSA 2.0 guidance for post-quantum cryptography standards\n- NIST for PQC algorithm standardization (ML-KEM, ML-DSA, SLH-DSA)\n- The Go team for excellent TLS library support\n- CycloneDX for the CBOM specification\n- Our amazing contributors and the open-source community\n\n---\n\n\u003cp align=\"center\"\u003e\n  \u003cstrong\u003eBuilt with purpose by \u003ca href=\"https://csnp.org\"\u003eCSNP\u003c/a\u003e\u003c/strong\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://qramm.org\"\u003eQRAMM\u003c/a\u003e \u0026bull;\n  \u003ca href=\"https://csnp.org\"\u003eCSNP\u003c/a\u003e \u0026bull;\n  \u003ca href=\"https://github.com/csnp/qramm-tls-analyzer/issues\"\u003eReport Bug\u003c/a\u003e \u0026bull;\n  \u003ca href=\"https://github.com/csnp/qramm-tls-analyzer/issues\"\u003eRequest Feature\u003c/a\u003e\n\u003c/p\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcsnp%2Fqramm-tls-analyzer","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcsnp%2Fqramm-tls-analyzer","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcsnp%2Fqramm-tls-analyzer/lists"}