Open source · Command line

Your security tools, in the terminal.

The same checks behind Secably's web tools, as a tiny Python CLI. TLS certificates, HTTP security headers, DNS/email posture and subdomain discovery — run locally on your machine, with no account and no rate limit.

MIT licensed · Zero-config · Works offline of our servers

Install

One command to install, one to check.

The core checks have zero dependencies. Add the optional [dns] extra for MX, TXT, SPF, DMARC and DNSSEC.

1

Install from PyPI

Python 3.9+. Nothing to configure.

2

Run any check

Human-readable output, or add --json for pipelines.

3

Gate your CI

Exit codes fail the build on expiring certs or weak headers.

terminal
# install (add [dns] for SPF/DMARC/DNSSEC)
pip install "secably[dns]"

# inspect a TLS certificate
secably ssl example.com

# grade the HTTP security headers A–F
secably headers https://example.com

# DNS records + email spoofing posture
secably dns example.com

# find subdomains via Certificate Transparency
secably subdomains example.com --resolve
What it checks

Four checks that run on your machine.

No account, no key, no data leaving your laptop or runner. Each command mirrors the engine behind the matching web tool.

secably ssl

TLS certificate & protocol

Issuer, validity window, days remaining, SANs and negotiated protocol. Flags expired, untrusted and obsolete-protocol certificates. --fail-if-expires 14 for CI.

Web version
secably headers

HTTP security headers

Grades A–F on HSTS, CSP, X-Frame-Options, nosniff, Referrer-Policy and Permissions-Policy, and points out headers that leak your stack. --fail-below B for CI.

Web version
secably dns

DNS & email posture

A, AAAA, MX, NS, TXT, CNAME and SOA records, plus SPF, DMARC and DNSSEC presence — the config that decides whether your domain can be spoofed.

Web version
secably subdomains

Subdomain discovery

Passive enumeration through Certificate Transparency logs — every name a CA ever issued a certificate for. No brute force, no traffic to the target. --resolve to get IPs.

Web version
In your pipeline

Fail the build before the certificate does.

The companion Secably Security Check GitHub Action wraps the CLI. Point it at your domain and it turns the job red the moment your certificate is close to expiry or your security headers slip.

Runs entirely inside your runner — nothing sent anywhere
GitHub error annotations and a job summary
Schedule it daily to catch drift between deploys
Get the GitHub Action
.github/workflows/security.yml
name: Security check
on:
  schedule:
    - cron: '0 6 * * *'

jobs:
  secably:
    runs-on: ubuntu-latest
    steps:
      - uses: Secably/secably-security-check@v1
        with:
          url: your-domain.com
          fail-if-expires: 21
          headers-min-grade: B
Local vs. hosted

What runs where.

The everyday checks are local and unlimited. Deeper scans that need a scanning backend use the free Secably API with a key from your dashboard.

On your machine · no account

ssl, headers, dns and subdomains never touch our servers, so there's no quota to hit.

Hosted scan · free API key

secably scan runs a full website or port scan server-side. Create a free key at your dashboard and pass it with --api-key.

A CI run is a snapshot. Attacks aren't.

Certificates expire, subdomains appear and ports open between deploys. Secably runs these same checks continuously against your domains and alerts you when something changes.