The SSL report shows "Certificate Transparency: Yes", even if the web server does not provide any SCTs. It checks only for the presence of an SCT list, but does not check that it isn't empty. Could this be fixed please?
Rob, we'll look into that. Would you be able to share the hostname of one such server?
I'm afraid the server that demonstrated this no longer exists, but I believe it would be straightforward enough to set up Apache or NGINX to serve an empty list of SCTs. If you follow the instructions here, but skip the step where you populate a directory with SCTs, I expect you'll reproduce the issue.
Retrieving data ...