AgentSkillsCN

tls-scan

Scan repositories to promptly find and fix TLS configuration issues and security anti-patterns.

SKILL.md
---
name: tls-scan
description: Scan repositories for TLS configuration issues and security anti-patterns
argument-hint: "[--force] [--mode api|clone] [--no-tracking]"
allowed-tools:
  - Bash(./scripts/tls13-compliance-checker.sh:*)
  - Read
---

TLS 1.3 Compliance Scanner

Scan GitHub organizations for TLS configuration issues including InsecureSkipVerify, weak TLS versions, and deprecated options.

Arguments: "$ARGUMENTS"

What It Detects

| Severity | Pattern | Risk |
|----------|---------|------|
| CRITICAL | InsecureSkipVerify: true | MITM attacks - disables certificate verification |
| HIGH | TLS 1.0/1.1 MinVersion/MaxVersion | Known vulnerabilities (POODLE, BEAST) |
| MEDIUM | MaxVersion capped at TLS 1.2 | Prevents TLS 1.3 negotiation |
| INFO | MinVersion TLS 1.3 | May break older clients |
| INFO | PreferServerCipherSuites | Deprecated in Go 1.17+ |
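
The five table rows expressed as grep rules and run over a constructed Go file. This is an added example, not the project's tls13-compliance-checker.sh; the regexes, the function names `scan_tls_patterns` and `write_sample`, and the sample input are assumptions.

```shell
#!/bin/sh
# Added example: NOT the project's tls13-compliance-checker.sh.
# The regexes are assumptions written to match the five table rows.

# scan_tls_patterns FILE: print "SEVERITY:LINE:SOURCE" for each finding.
scan_tls_patterns() (
  file=$1
  # Each rule is "severity@extended-regex". [:=] covers struct literals
  # (Field: value) and assignments (cfg.Field = value); a comparison such
  # as "InsecureSkipVerify == true" does not match the first two fields.
  while IFS=@ read -r sev re; do
    # The second grep drops hits that sit on whole-line // comments.
    grep -nE "$re" "$file" |
      grep -vE '^[0-9]+:[[:space:]]*//' |
      sed "s/^/$sev:/"
  done <<'RULES'
CRITICAL@InsecureSkipVerify[[:space:]]*[:=][[:space:]]*true
HIGH@(MinVersion|MaxVersion)[[:space:]]*[:=][[:space:]]*tls\.VersionTLS1[01]
MEDIUM@MaxVersion[[:space:]]*[:=][[:space:]]*tls\.VersionTLS12
INFO@MinVersion[[:space:]]*[:=][[:space:]]*tls\.VersionTLS13
INFO@PreferServerCipherSuites[[:space:]]*[:=]
RULES
)

# write_sample PATH: constructed Go input with one hit per table row,
# plus a comment and a comparison that must not be reported.
write_sample() {
  cat > "$1" <<'GO'
package main
import "crypto/tls"
// InsecureSkipVerify: true in a comment must not be reported
var a = &tls.Config{InsecureSkipVerify: true}
var b = &tls.Config{MinVersion: tls.VersionTLS10}
var c = &tls.Config{MaxVersion: tls.VersionTLS12}
var d = &tls.Config{MinVersion: tls.VersionTLS13, PreferServerCipherSuites: true}
func f(cfg *tls.Config) bool { return cfg.InsecureSkipVerify == true }
GO
}

sample=$(mktemp)
write_sample "$sample"
scan_tls_patterns "$sample"
rm -f "$sample"
```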

Workflow

Run the TLS compliance checker with any provided options:

```bash
./scripts/tls13-compliance-checker.sh $ARGUMENTS
```

If no arguments are provided, run with defaults (clone mode, use cache).

Options

| Option | Description |
|--------|-------------|
| --force, -f | Force refresh, ignore 6-hour cache |
| --mode api | Use GitHub Code Search API (no cloning, for CI) |
| --mode clone | Clone repos locally and scan with grep (default) |
| --no-tracking | Skip updating the central tracking issue |
| --help, -h | Show detailed help |

Usage Examples

```
/tls-scan                    # Run with defaults (clone mode)
/tls-scan --mode api         # Use API mode (no disk needed)
/tls-scan --force            # Force refresh cache
/tls-scan --help             # Show help
```

Output

  • Real-time progress for each repository
  • Summary by severity level
  • Markdown report: tls13-compliance-report.md
  • Updates tracking issue in telco-bot repo