The same checks behind Secably's web tools, as a tiny Python CLI. TLS certificates, HTTP security headers, DNS/email posture and subdomain discovery — run locally on your machine, with no account and no rate limit.
MIT licensed · Zero-config · Works offline of our servers
The core checks have zero dependencies. Add the optional [dns] extra for MX, TXT, SPF, DMARC and DNSSEC.
Install from PyPI
Python 3.9+. Nothing to configure.
Run any check
Human-readable output, or add --json for pipelines.
Gate your CI
Exit codes fail the build on expiring certs or weak headers.
# install (add [dns] for SPF/DMARC/DNSSEC)
pip install "secably[dns]"
# inspect a TLS certificate
secably ssl example.com
# grade the HTTP security headers A–F
secably headers https://example.com
# DNS records + email spoofing posture
secably dns example.com
# find subdomains via Certificate Transparency
secably subdomains example.com --resolve
No account, no key, no data leaving your laptop or runner. Each command mirrors the engine behind the matching web tool.
secably sslIssuer, validity window, days remaining, SANs and negotiated protocol. Flags expired, untrusted and obsolete-protocol certificates. --fail-if-expires 14 for CI.
secably headersGrades A–F on HSTS, CSP, X-Frame-Options, nosniff, Referrer-Policy and Permissions-Policy, and points out headers that leak your stack. --fail-below B for CI.
secably dnsA, AAAA, MX, NS, TXT, CNAME and SOA records, plus SPF, DMARC and DNSSEC presence — the config that decides whether your domain can be spoofed.
Web versionsecably subdomainsPassive enumeration through Certificate Transparency logs — every name a CA ever issued a certificate for. No brute force, no traffic to the target. --resolve to get IPs.
The companion Secably Security Check GitHub Action wraps the CLI. Point it at your domain and it turns the job red the moment your certificate is close to expiry or your security headers slip.
name: Security check
on:
schedule:
- cron: '0 6 * * *'
jobs:
secably:
runs-on: ubuntu-latest
steps:
- uses: Secably/secably-security-check@v1
with:
url: your-domain.com
fail-if-expires: 21
headers-min-grade: B
The everyday checks are local and unlimited. Deeper scans that need a scanning backend use the free Secably API with a key from your dashboard.
ssl, headers, dns and subdomains never touch our servers, so there's no quota to hit.
secably scan runs a full website or port scan server-side. Create a free key at your dashboard and pass it with --api-key.
Certificates expire, subdomains appear and ports open between deploys. Secably runs these same checks continuously against your domains and alerts you when something changes.