From e4d1bc36a769917339fe28b72e3bbf0137a3127c Mon Sep 17 00:00:00 2001 From: Pierre-Olivier Mercier Date: Thu, 30 Apr 2026 08:36:38 +0700 Subject: [PATCH] Update rules section --- README.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/README.md b/README.md index 2d7e158..5cbad63 100644 --- a/README.md +++ b/README.md 
@@ -138,6 +138,24 @@ existing downstream parsers. - `expired` / `expiring_soon`, cert expiry posture. - `weak_tls_version`, negotiated TLS < 1.2. +## Rules + +| Code | Description | Severity | +|---------------------------------|---------------------------------------------------------------------------------------------------|---------------------| +| `tls.endpoints_discovered` | Verifies that at least one TLS endpoint has been discovered for this target. | INFO | +| `tls.reachability` | Verifies that every discovered TLS endpoint accepts a TCP connection. | CRITICAL | +| `tls.handshake` | Verifies the TLS handshake completes on every reachable endpoint. | CRITICAL | +| `tls.starttls_advertised` | Verifies that STARTTLS endpoints advertise the upgrade capability. | CRITICAL | +| `tls.starttls_dialect_supported`| Verifies that discovered STARTTLS dialects are implemented by the checker. | CRITICAL | +| `tls.peer_certificate_present` | Verifies the server presented a certificate during the TLS handshake. | CRITICAL | +| `tls.chain_validity` | Verifies the presented certificate chain validates against the system trust store. | CRITICAL | +| `tls.hostname_match` | Verifies the leaf certificate covers the probed hostname (SNI). | CRITICAL | +| `tls.expiry` | Flags expired or soon-to-expire leaf certificates. | CRITICAL | +| `tls.version` | Flags endpoints negotiating a TLS version below the recommended TLS 1.2. | WARNING | +| `tls.cipher_suite` | Reports the cipher suite negotiated on each endpoint. | INFO | +| `tls.enum.versions` | Flags endpoints that still accept TLS versions below TLS 1.2 (requires the enumerate option). | WARNING | +| `tls.enum.ciphers` | Flags endpoints that accept broken cipher suites (NULL, anonymous, EXPORT, RC4, 3DES). | WARNING | + ## Options | Id | Type | Default | Description |
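Review bot: The `tls.expiry` row collapses the two findings listed just above the hunk (`expired` / `expiring_soon`) into a single rule at severity CRITICAL; if `expiring_soon` is meant to be flagged at the same severity as an already-expired certificate, the description should say so explicitly, and otherwise the table should name the severity (or the threshold) that applies to the soon-to-expire case. In the same table, `tls.enum.versions` says it "requires the enumerate option" while `tls.enum.ciphers` gives no such note even though both are `tls.enum.*` rules; state the requirement on both rows and reference the option by its `Id` from the Options table that follows so readers can find the exact flag.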