Update rules section

2026-04-30 08:36:38 +07:00 · 2026-04-30 08:36:38 +07:00 · e4d1bc36a7
commit e4d1bc36a7
parent a9f37c79cf
1 changed files with 18 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -138,6 +138,24 @@ existing downstream parsers.
 - `expired` / `expiring_soon`, cert expiry posture.
 - `weak_tls_version`, negotiated TLS < 1.2.

+## Rules
+
+| Code                            | Description                                                                                       | Severity            |
+|---------------------------------|---------------------------------------------------------------------------------------------------|---------------------|
+| `tls.endpoints_discovered`      | Verifies that at least one TLS endpoint has been discovered for this target.                      | INFO                |
+| `tls.reachability`              | Verifies that every discovered TLS endpoint accepts a TCP connection.                             | CRITICAL            |
+| `tls.handshake`                 | Verifies the TLS handshake completes on every reachable endpoint.                                 | CRITICAL            |
+| `tls.starttls_advertised`       | Verifies that STARTTLS endpoints advertise the upgrade capability.                                | CRITICAL            |
+| `tls.starttls_dialect_supported`| Verifies that discovered STARTTLS dialects are implemented by the checker.                        | CRITICAL            |
+| `tls.peer_certificate_present`  | Verifies the server presented a certificate during the TLS handshake.                             | CRITICAL            |
+| `tls.chain_validity`            | Verifies the presented certificate chain validates against the system trust store.                | CRITICAL            |
+| `tls.hostname_match`            | Verifies the leaf certificate covers the probed hostname (SNI).                                   | CRITICAL            |
+| `tls.expiry`                    | Flags expired or soon-to-expire leaf certificates.                                                | CRITICAL            |
+| `tls.version`                   | Flags endpoints negotiating a TLS version below the recommended TLS 1.2.                          | WARNING             |
+| `tls.cipher_suite`              | Reports the cipher suite negotiated on each endpoint.                                             | INFO                |
+| `tls.enum.versions`             | Flags endpoints that still accept TLS versions below TLS 1.2 (requires the enumerate option).     | WARNING             |
+| `tls.enum.ciphers`              | Flags endpoints that accept broken cipher suites (NULL, anonymous, EXPORT, RC4, 3DES).            | WARNING             |
+
 ## Options

 | Id               | Type   | Default | Description                                  |