From testssl-inspector
Interpret testssl-inspector normalized findings, recommend remediations, and tie evidence back to SCF anchor controls plus SOC 2 / NIST 800-53 r5 / PCI DSS 4.0.1 / ISO 27002:2022 equivalents derived from SCF crosswalks.
How this skill is triggered — by the user, by Claude, or both
Slash command
/testssl-inspector:testssl-inspector-expertThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Use this skill when reviewing findings produced by `/testssl-inspector:scan`. The connector wraps `testssl.sh` and emits v1 Findings against `tls_endpoint` resources; this skill translates those into remediation advice an engineer can act on and audit evidence a reviewer can sign off.
Use this skill when reviewing findings produced by /testssl-inspector:scan. The connector wraps testssl.sh and emits v1 Findings against tls_endpoint resources; this skill translates those into remediation advice an engineer can act on and audit evidence a reviewer can sign off.
Findings live at ~/.cache/claude-grc/findings/testssl-inspector/<run_id>.json. Each document covers one TLS endpoint:
resource.type = "tls_endpoint", resource.id = "<host>:<port>", resource.uri = "https://<host>:<port>/"evaluations[] — one entry per (control_framework, control_id, testssl finding) tuplefindings[] — narrative roll-up for CVEs and critical results (cap 50 per doc)metadata.target, metadata.host, metadata.port — the original inputMost fails fall into one of five families. The remediation pattern is the same within each family.
IDs: SSLv2, SSLv3, TLS1, TLS1_1. SCF anchors: CRY-01 (Use of Cryptographic Controls), CRY-03 (Transmission of Sensitive Data), NET-09 (Session Authenticity). SCF crosswalk fans these out at scan time — typical resolved targets include NIST SC-08, SC-08(01), SC-08(02), SC-13, SC-23, SI-07(06); SOC 2 CC6.1, CC6.7; PCI 4.2, 4.2.1, 4.2.1.2, 8.3.2; ISO 27002 5.14, 8.24, 8.26.
Remediation:
ELBSecurityPolicy-TLS-1-2-2017-01 or newer. NGINX: ssl_protocols TLSv1.2 TLSv1.3;. Apache: SSLProtocol -all +TLSv1.2 +TLSv1.3.IDs: cipher_negotiated, cipherlist_* (NULL, aNULL, EXPORT, LOW, 3DES_IDEA, OBSOLETED), RC4, std_* variants. SCF anchors: CRY-01.2 (Algorithm Selection), CRY-05 (Cryptographic Protection). Resolved targets typically include NIST SC-13, SC-28, SC-28(01); SOC 2 CC6.1, CC6.7; PCI 3.5, 3.5.1.2, 3.5.1.3, 8.3.2; ISO 27002 8.24.
Remediation:
TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384.(EC)DHE should be disabled in 2026.IDs: cert_expirationStatus, cert_notAfter, cert_signatureAlgorithm, cert_keySize, cert_chain_of_trust, OCSP_*, CT, DNS_CAArecord. SCF anchor: CRY-08 (Public Key Infrastructure). Resolved targets include NIST SC-12 (Key Establishment & Management) and SC-17 (PKI Certificates); SOC 2 CC6.1.
Remediation depends on the specific failure:
CAA DNS record naming your authorized issuer(s) — defense against unauthorized certificate issuance.IDs: heartbleed, CCS, ticketbleed, ROBOT, secure_renego, secure_client_renego, CRIME_TLS, BREACH, POODLE_SSL, fallback_SCSV, SWEET32, FREAK, DROWN, LOGJAM, BEAST, LUCKY13, RC4, winshock. SCF anchors: VPM-01 (Vulnerability & Patch Management), VPM-06 (Vulnerability Scanning). Resolved targets include NIST SI-02, SI-03, RA-05; SOC 2 CC7.1 and CC3.x POFs; PCI 6.3, 6.3.1, 6.3.3, 11.3, 11.3.1; ISO 27002 8.8.
These are not configuration tuning — they're vulnerability remediation. Treat any non-OK finding here as an audit-tracked vuln with a remediation deadline. Most are addressed by:
IDs: HSTS, HSTS_preload, HSTS_time, HPKP, cookie_secure, cookie_httponly, banner_*, security_headers. SCF anchors: CRY-03 (Transmission of Sensitive Data), WEB-03 (Web App Hardening), NET-09 (Session Authenticity). Resolved targets include NIST SC-08, SC-08(01), SC-07(17), SC-23; PCI 4.2, 6.4, 6.4.1.
Remediation:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload and submit to the HSTS preload list (hstspreload.org) for the strongest posture.Secure or HttpOnly: fix the application — set both flags on every session cookie.For an audit, the auditor wants three things per finding:
~/.cache/claude-grc/findings/testssl-inspector/<run_id>.json).collected_at field).Workflow:
/testssl-inspector:scan --target=auth.example.com --target=api.example.com
# Inspect the resulting findings file. Attach it to the audit evidence packet
# alongside the remediation tickets opened for each fail.
/grc-engineer:gap-assessment SOC2,PCI-DSS --sources=testssl-inspector
# Aggregates testssl evaluations with your other connector outputs into a
# control-by-control posture view.
id and reasoning so we can refine the mapping table.scan.md. If a user asks about SP 800-52 Rev. 2 specifically, point them at the relevant framework plugin instead.Guides completion of development work by verifying tests, detecting environment, and presenting structured options for merge, PR, or cleanup.
Enforces test-driven development: write failing test first, then minimal code to pass. Use when implementing features or bugfixes.
Guides creation and editing of skills using test-driven development with pressure scenarios and subagents to verify agent compliance.
2plugins reuse this skill
First indexed Jul 18, 2026
npx claudepluginhub vantainc/claude-grc-engineering --plugin testssl-inspector