Test TLS/SSL of arbitrary services and ports


This repo provides docker images for, a free command line tool to check a service on any port for the support of TLS/SSL ciphers, protocols, recent cryptographic flaws, and more. Each image provides everything needed to run the way upstream intends it to be run.

Docker image:
Docker source:
Upstream source:

⚠️ The latest tag at quay refers to the stable version.


Pull an already-built image

docker pull

Run the image

You can run the image using the docker-compose.yaml file in this git repo:

# Show help.
docker-compose run testssl --help

# Do a limited scan with a subset of options against one host.
docker-compose run testssl --heartbleed --ip one

You can also run the image with the docker command directly:

# Hardening flags and resource limits, collected in a bash array.
run_opts=(
  --read-only
  --cap-drop     all
  --memory       100M
  --pids-limit   1000
  --cpu-shares   512
)

docker run "${run_opts[@]}" --help

The above examples use --read-only and --cap-drop all as recommended by the CIS Docker Security Benchmarks:
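To confirm that a container was actually started with these options, the check below reads `docker inspect <container>` output and reports which of the run options above are missing. It is an added example, not part of this repo; the container names and sample JSON are constructed, and the fields read are the `HostConfig` keys that `docker inspect` reports for a container.

```python
import json

# Constructed sample of `docker inspect <container>` output,
# trimmed to the HostConfig fields this check reads.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/scan-hardened",
     "HostConfig": {"ReadonlyRootfs": True, "CapDrop": ["ALL"],
                    "Memory": 104857600, "PidsLimit": 1000, "CpuShares": 512}},
    {"Name": "/scan-default",
     "HostConfig": {"ReadonlyRootfs": False, "CapDrop": None,
                    "Memory": 0, "PidsLimit": None, "CpuShares": 0}},
])


def audit_container(container):
    """Return the run options from the README that this container lacks."""
    hc = container.get("HostConfig") or {}
    missing = []
    if not hc.get("ReadonlyRootfs"):
        missing.append("--read-only")
    # Docker may record the value as "all" or "ALL"; compare case-insensitively.
    dropped = {cap.upper() for cap in (hc.get("CapDrop") or [])}
    if "ALL" not in dropped:
        missing.append("--cap-drop all")
    if not hc.get("Memory"):          # 0 means no memory limit was set
        missing.append("--memory")
    pids = hc.get("PidsLimit")
    if pids is None or pids <= 0:     # null, 0 or -1 means unlimited
        missing.append("--pids-limit")
    if not hc.get("CpuShares"):       # 0 means the default weight was kept
        missing.append("--cpu-shares")
    return missing


def audit(inspect_json):
    """Map each container name to its list of missing options."""
    return {c.get("Name", "?").lstrip("/"): audit_container(c)
            for c in json.loads(inspect_json)}


if __name__ == "__main__":
    for name, missing in audit(SAMPLE_INSPECT).items():
        print(name, "OK" if not missing else "missing: " + ", ".join(missing))
```
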

Build and test images locally

⚠️ All build configuration variables are in ci/build.

On a host, such as devenv:

# Optional. Your URL may vary.
export DOCKER_HOST=tcp://

# Build images.

# Run the tests.

Note: The test harness requires Python and the pip command.

View labels

Each built image has labels that generally follow

We add a label, ci-build-url, that is not currently part of the schema. This extra label provides a permanent link to the CI build for the image.

View the ci-build-url label on a built image:

docker inspect \
  -f '{{ index .Config.Labels "" }}' \

Query all the labels inside a built image:

docker inspect | jq -M '.[].Config.Labels'


Fork this repo and see

⚠️ All build configuration variables are in ci/build.

About the build

ci/build uses docker-compose to create a "base" image that contains the statically-linked version of openssl from From the common base, ci/build creates two runtime images:

  • stable version of the script
  • dev version of the script

When the build happens against the master branch on CircleCI, the ci/publish script pushes both the stable and dev images to It also pushes a "latest" tag, which refers to the stable version.

Stale tags

Old images tend to have vulnerabilities.
Quay has a feature to use a special label, quay.expires-after, to expire tags. This repo applies the label to images so that old images get deleted automatically.

See for more information about the Quay feature.
See src/Dockerfile for the current value of the label.

⚠️ This is a Quay feature, not a docker feature.

This repo, testssl, and openssl are licensed under the GPLv2. See LICENSE.