SSL Labs Scan Share Help

Command-line client for the Qualys SSL Labs API that grades the SSL/TLS configuration of any public HTTPS host.

Category

Security

License

Apache 2

Platforms

Windows macOS Linux

Released

2014

Path

c:\ssllabs\ssllabs-scan.exe

Benefits

Returns the same A+ through F grade and detailed cipher/protocol breakdown shown on ssllabs.com, but in machine-readable JSON for CI pipelines and bulk audits. Single static binary with no dependencies. Built-in caching avoids re-scanning the same host within a configurable window.

Notes

Scans run against the public Qualys SSL Labs API and are subject to its rate limits and terms of use; only public hostnames reachable from the internet can be assessed. A single host scan typically takes 60-120 seconds. Use -hostfile to scan many hosts in one run, -grade for terse output, or -usecache to reuse recent results. Repository receives infrequent updates but the API remains the canonical SSL/TLS assessment service.

Used by

Qualys, security teams running TLS audits, CI pipelines verifying certificate deployments

# SSL Labs Scan - Help

Source: https://github.com/ssllabs/ssllabs-scan

```
Usage of ssllabs-scan.exe:
  -api string
    	API entry point, for example https://www.example.com/api/ (default "BUILTIN")
  -grade
    	Output only the hostname: grade
  -hostcheck
    	If true, host resolution failure will result in a fatal error.
  -hostfile string
    	File containing hosts to scan (one per line)
  -ignore-mismatch
    	If true, certificate hostname mismatch does not stop assessment.
  -insecure
    	Skip certificate validation. For use in development only. Do not use.
  -json-flat
    	Output results in flattened JSON format
  -maxage int
    	Maximum acceptable age of cached results, in hours. A zero value is ignored.
  -quiet
    	Disable status messages (logging)
  -usecache
    	If true, accept cached results (if available), else force live scan.
  -verbosity string
    	Configure log verbosity: error, notice, info, debug, or trace. (default "info")
  -version
    	Print version and API location information and exit
```

## Typical invocations

Scan a single host (full JSON report to stdout):

```
ssllabs-scan example.com
```

Just the grade (host:grade):

```
ssllabs-scan -grade example.com
```

Bulk scan from a file of hostnames:

```
ssllabs-scan -hostfile hosts.txt -quiet
```

Use cached results (within the last 24h) instead of forcing a live scan:

```
ssllabs-scan -usecache -maxage 24 example.com
```

## Notes

- A typical single-host scan takes 60-120 seconds because the public Qualys SSL
  Labs API actively probes the target's TLS endpoints.
- Subject to the SSL Labs API terms of use and rate limits
  (<https://www.ssllabs.com/about/terms.html>).
- Only public, internet-reachable hostnames can be scanned.
```