SSLyze is a Python library and a CLI tool that can analyze the SSL configuration of a server by connecting to it. It is designed to be fast and comprehensive, and should help organizations and testers identify mis-configurations affecting their SSL/TLS servers. To learn more about the SSLyze scanner itself visit or SSLyze GitHub.


The SSLyze scanType can be deployed via helm:

helm upgrade --install sslyze secureCodeBox/sslyze

Scanner Configuration

The following security scan configuration example are based on the SSLyze Documentation, please take a look at the original documentation for more configuration examples.

The command line interface can be used to easily run server scans: sslyze --regular

Usage: sslyze [options]{ip} etc...
--version show program's version number and exit
-h, --help show this help message and exit
--regular Regular HTTPS scan; shortcut for --sslv2 --sslv3
--tlsv1 --tlsv1_1 --tlsv1_2 --tlsv1_3 --reneg --resum
--certinfo --hide_rejected_ciphers --compression
--heartbleed --openssl_ccs --fallback --robot
Trust stores options:
Update the default trust stores used by SSLyze. The
latest stores will be downloaded from https://github.c
om/nabla-c0d3/trust_stores_observatory. This option is
meant to be used separately, and will silence any
other command line option supplied to SSLyze.
Client certificate options:
--cert=CERT Client certificate chain filename. The certificates
must be in PEM format and must be sorted starting with
the subject's client certificate, followed by
intermediate CA certificates if applicable.
--key=KEY Client private key filename.
--keyform=KEYFORM Client private key format. DER or PEM (default).
--pass=KEYPASS Client private key passphrase.
Input and output options:
Write the scan results as a JSON document to the file
JSON_FILE. If JSON_FILE is set to "-", the JSON output
will instead be printed to stdout. The resulting JSON
file is a serialized version of the ScanResult objects
described in SSLyze's Python API: the nodes and
attributes will be the same. See
commands.html for more details.
Read the list of targets to scan from the file
TARGETS_IN. It should contain one host:port per line.
--quiet Do not output anything to stdout; useful when using
Connectivity options:
--slow_connection Greatly reduce the number of concurrent connections
initiated by SSLyze. This will make the scans slower
but more reliable if the connection between your host
and the server is slow, or if the server cannot handle
many concurrent connections. Enable this option if you
are getting a lot of timeouts or errors.
Tunnel all traffic to the target server(s) through an
HTTP CONNECT proxy. HTTP_TUNNEL should be the proxy's
URL: 'http://USER:PW@HOST:PORT/'. For proxies
requiring authentication, only Basic Authentication is
Perform a StartTLS handshake when connecting to the
target server(s). StartTLS should be one of: auto,
smtp, xmpp, xmpp_server, pop3, imap, ftp, ldap, rdp,
postgres. The 'auto' option will cause SSLyze to
deduce the protocol (ftp, imap, etc.) from the
supplied port number, for each target servers.
--xmpp_to=XMPP_TO Optional setting for STARTTLS XMPP. XMPP_TO should be
the hostname to be put in the 'to' attribute of the
XMPP stream. Default is the server's hostname.
--sni=SNI Use Server Name Indication to specify the hostname to
connect to. Will only affect TLS 1.0+ connections.
Scan commands:
--tlsv1_1 Test a server for TLS 1.1 support.
--tlsv1_2 Test a server for TLS 1.2 support.
--robot Test a server for the ROBOT vulnerability.
--reneg Test a server for for insecure TLS renegotiation and
client-initiated renegotiation.
--early_data Test a server for TLS 1.3 early data support.
--fallback Test a server for the TLS_FALLBACK_SCSV mechanism to
prevent downgrade attacks.
--tlsv1_3 Test a server for TLS 1.3 support.
--certinfo Retrieve and analyze a server's certificate(s) to
verify its validity.
Path to a file containing root certificates in PEM
format that will be used to verify the validity of the
server's certificate.
--heartbleed Test a server for the OpenSSL Heartbleed
--resum_rate Measure a server's session resumption rate when
attempting 100 resumptions using session IDs.
--resum Test a server for session resumption support using
session IDs and TLS tickets.
--http_headers Test a server for the presence of security-related
HTTP headers.
--sslv2 Test a server for SSL 2.0 support.
--tlsv1 Test a server for TLS 1.0 support.
--sslv3 Test a server for SSL 3.0 support.
--compression Test a server for TLS compression support, which can
be leveraged to perform a CRIME attack.
--openssl_ccs Test a server for the OpenSSL CCS Injection
vulnerability (CVE-2014-0224).

Chart Configuration

image.repositorystring"nablac0d3/sslyze"Container Image to run the scan
image.tagstring"latest@sha256:ff2c5c626401b1961736a5b2ae6e35a41d213e8b2712102100abf5ee46dcca71"defaults to the charts appVersion
parseJob.ttlSecondsAfterFinishedstringnilseconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller:
parserImage.repositorystring""Parser image repository
parserImage.tagstringdefaults to the charts versionParser image tag
scannerJob.backoffLimitint3There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see:
scannerJob.envlist[]Optional environment variables mapped into each scanJob (see:
scannerJob.extraContainerslist[]Optional additional Containers started with each scanJob (see:
scannerJob.extraVolumeMountslist[]Optional VolumeMounts mapped into each scanJob (see:
scannerJob.extraVolumeslist[]Optional Volumes mapped into each scanJob (see:
scannerJob.resourcesobject{}CPU/memory resource requests/limits (see:,
scannerJob.securityContextobject{}Optional securityContext set on scanner container (see:
scannerJob.ttlSecondsAfterFinishedstringnilseconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller:


apiVersion: ""
kind: Scan
name: "sslyze-example"
scanType: "sslyze"
- "--regular"
- ""

apiVersion: ""
kind: Scan
name: ""
organization: "secureCodeBox"
scanType: "sslyze"
- "--regular"
- ""


apiVersion: ""
kind: Scan
name: "sslyze-unsafe-https"
organization: "secureCodeBox"
scanType: "sslyze"
- "--regular"
- "unsafe-https"