Discover cryptographic assets and emit a CycloneDX CBOM with post-quantum risk classification

Project description

cryptoscan

Discover the cryptography in a codebase and emit a CycloneDX CBOM with post-quantum risk classification.

You cannot migrate cryptography you cannot see. The June 2026 U.S. Executive Order on advanced cryptographic attacks set binding deadlines (2030 for key establishment, 2031 for signatures), extended them to federal contractors, and directed CISA and NIST to define the minimum elements of a Cryptographic Bill of Materials (CBOM). Yet fewer than 5% of enterprises have a comprehensive cryptographic inventory, and existing discovery tooling tends to miss application-layer crypto, config, and firmware.

cryptoscan is a small, fast first step: point it at a repository and it produces (1) a prioritized, human-readable inventory and (2) a machine-readable CycloneDX 1.6 CBOM, with every asset classified by its resistance to a cryptographically relevant quantum computer and mapped to its NIST PQC replacement.

Quick start

# scan a repo, print a prioritized report
python -m cryptoscan scan ./my-project

# write a CycloneDX 1.6 CBOM
python -m cryptoscan scan ./my-project -o cbom.json

# markdown report (for a PR comment or ticket)
python -m cryptoscan scan ./my-project -f md

# gate a CI pipeline: non-zero exit if quantum-vulnerable crypto is present
python -m cryptoscan scan ./my-project --fail-on-vulnerable

What it finds

Class                | Examples                                                  | Verdict
---------------------|-----------------------------------------------------------|------------------------------------------------
Classical public-key | RSA, ECDSA, ECDH, DSA, Ed25519, X25519, DH                 | Quantum-vulnerable — broken by Shor's algorithm
Weakened symmetric   | AES-128                                                   | Review — halved by Grover; prefer AES-256
Already broken       | MD5, SHA-1, 3DES, RC4, DES                                | Broken — remove regardless of quantum
Post-quantum         | ML-KEM (Kyber), ML-DSA (Dilithium), SLH-DSA, Falcon, HQC  | Quantum-safe — migration targets

Detectors cover Python, JavaScript/TypeScript, Java, Go, C/C++/OpenSSL, .NET/C#, and PEM/TLS config. Detection is rule-based and extensible — add a Rule in detectors.py, not code.

Why CycloneDX

CycloneDX has carried cryptographic-asset components since v1.6, and the format is the one named in regulatory CBOM guidance. Emitting standards-compliant output means the result drops straight into existing SBOM/CBOM pipelines and tooling rather than living in a bespoke format.

Architecture

detectors.py   rule set: regex -> normalized algorithm key
knowledge.py   algorithm intelligence: quantum status, NIST level, replacement
scanner.py     walk files, apply rules, collapse + dedupe -> findings
cbom.py        findings -> CycloneDX 1.6 CBOM
report.py      findings -> terminal / markdown
cli.py         `cryptoscan scan <path>`
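The pipeline sketched above (regex rules in detectors.py, algorithm intelligence in knowledge.py, collapse and dedupe in scanner.py, CycloneDX output in cbom.py, the --fail-on-vulnerable gate in cli.py) can be shown end to end on a small in-memory tree. The block below is an added example written for this page, not cryptoscan's own code: the Rule and knowledge shapes, the cryptoscan:* property names, the helper names and the sample repository are all assumptions, while the component layout (type cryptographic-asset, cryptoProperties.assetType, algorithmProperties.primitive, evidence.occurrences) follows the CycloneDX 1.6 schema.

```python
"""Added example, not cryptoscan's own code: a miniature version of the
README's pipeline (regex rule -> normalized algorithm key -> quantum-risk
knowledge -> CycloneDX 1.6 cryptographic-asset components, plus the
--fail-on-vulnerable gate). Rule shapes, property names, helper names and
the sample repository are assumptions made for this illustration."""
import json
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    pattern: re.Pattern   # what to look for in a source/config line
    key: str              # normalized algorithm key it maps to


# Assumed rule set; cryptoscan's detectors.py carries its own, larger one.
RULES = [
    Rule(re.compile(r"\bRSA\b|RSA_generate_key", re.I), "rsa"),
    Rule(re.compile(r"\bECDSA\b|SECP256R1|prime256v1"), "ecdsa"),
    Rule(re.compile(r"\bX25519\b"), "x25519"),
    Rule(re.compile(r"\bAES[-_]?128\b"), "aes-128"),
    Rule(re.compile(r"\bMD5\b|hashlib\.md5"), "md5"),
    Rule(re.compile(r"\bSHA-?1\b|hashlib\.sha1"), "sha1"),
    Rule(re.compile(r"\bML-KEM\b|\bKyber\b", re.I), "ml-kem"),
]

# Assumed knowledge table following the README's four verdict classes:
# key -> (display name, CycloneDX primitive, quantum status, replacement).
# Broken primitives get no PQC replacement because the action is removal.
KNOWLEDGE = {
    "rsa":     ("RSA",     "pke",          "quantum-vulnerable", "ML-KEM / ML-DSA"),
    "ecdsa":   ("ECDSA",   "signature",    "quantum-vulnerable", "ML-DSA"),
    "x25519":  ("X25519",  "key-agree",    "quantum-vulnerable", "ML-KEM"),
    "aes-128": ("AES-128", "block-cipher", "review",             "AES-256"),
    "md5":     ("MD5",     "hash",         "broken",             None),
    "sha1":    ("SHA-1",   "hash",         "broken",             None),
    "ml-kem":  ("ML-KEM",  "kem",          "quantum-safe",       None),
}
SEVERITY = {"broken": 0, "quantum-vulnerable": 1, "review": 2, "quantum-safe": 3}


@dataclass(frozen=True)
class Finding:
    key: str
    location: str   # "path:line"


def scan_files(files):
    """Apply every rule to every line of an in-memory {path: text} tree."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for rule in RULES:
                if rule.pattern.search(line):
                    findings.append(Finding(rule.key, f"{path}:{lineno}"))
    return findings


def collapse(findings):
    """Dedupe to one asset per algorithm key, keeping every location."""
    assets = {}
    for f in findings:
        locs = assets.setdefault(f.key, [])
        if f.location not in locs:
            locs.append(f.location)
    return assets


def build_cbom(assets):
    """One CycloneDX 1.6 cryptographic-asset component per discovered
    algorithm, ordered worst-first. The cryptoscan:* property names are
    an assumption; the cryptoProperties layout follows the 1.6 schema."""
    components = []
    for key in sorted(assets, key=lambda k: (SEVERITY[KNOWLEDGE[k][2]], k)):
        name, primitive, status, replacement = KNOWLEDGE[key]
        props = [{"name": "cryptoscan:quantumStatus", "value": status}]
        if replacement:
            props.append({"name": "cryptoscan:pqcReplacement", "value": replacement})
        components.append({
            "type": "cryptographic-asset",
            "name": name,
            "cryptoProperties": {
                "assetType": "algorithm",
                "algorithmProperties": {"primitive": primitive},
            },
            "properties": props,
            "evidence": {"occurrences": [{"location": loc} for loc in assets[key]]},
        })
    return {"bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
            "components": components}


def exit_code(assets, fail_on_vulnerable=False):
    """CI gate: non-zero only when the flag is set and some asset is
    quantum-vulnerable (the README's --fail-on-vulnerable behaviour)."""
    vulnerable = any(KNOWLEDGE[k][2] == "quantum-vulnerable" for k in assets)
    return 1 if (fail_on_vulnerable and vulnerable) else 0


# Constructed sample repository; not a real project.
SAMPLE_FILES = {
    "app/auth.py": ("from cryptography.hazmat.primitives.asymmetric import rsa\n"
                    "key = rsa.generate_private_key(65537, 2048)\n"),
    "app/legacy.py": "import hashlib\ntag = hashlib.md5(payload).hexdigest()\n",
    "tls/nginx.conf": "ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256;\n",
    "kex/hybrid.go": "// X25519 + ML-KEM-768 hybrid key establishment\n",
}

if __name__ == "__main__":
    found = collapse(scan_files(SAMPLE_FILES))
    print(json.dumps(build_cbom(found), indent=2))
    raise SystemExit(exit_code(found, fail_on_vulnerable=True))
```

Run stand-alone it prints the CBOM for the constructed tree and exits 1, because RSA, ECDSA and X25519 are all present; the two RSA hits in app/auth.py collapse into one component with two evidence occurrences, and the nginx cipher string yields both an ECDSA and an AES-128 asset, which is the kind of application-layer and config crypto the README says inventories usually miss. Extending coverage means appending a Rule and a KNOWLEDGE row, matching the README's "add a Rule in detectors.py, not code" design.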

Honest limitations

This is rule-based static discovery, not a substitute for a validated commercial inventory platform. It finds named crypto in source and config; it does not resolve crypto reached only through deep dependency chains, dynamically selected algorithms, or compiled binaries without source. It reports where cryptography is, not where it is missing. Treat it as the fast 80% pass that scopes the harder work.

Roadmap

  • Dependency-aware detection (parse lockfiles; flag crypto libraries by version)
  • Key/parameter extraction from PEM and X.509 (sizes, signature algorithms)
  • Confidence scoring and false-positive suppression
  • SARIF output for code-scanning UIs
  • A web dashboard over the CBOM (trend the inventory over time — the "continuous" gap)

License

MIT.

Download files

Source Distribution

cryptoscan_pqc-0.1.0.tar.gz (13.7 kB)

Uploaded Source

Built Distribution

cryptoscan_pqc-0.1.0-py3-none-any.whl (13.5 kB)

Uploaded Python 3

File details

Details for the file cryptoscan_pqc-0.1.0.tar.gz.

File metadata

  • Download URL: cryptoscan_pqc-0.1.0.tar.gz
  • Upload date:
  • Size: 13.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.9.13

File hashes

Hashes for cryptoscan_pqc-0.1.0.tar.gz
Algorithm Hash digest
SHA256 3735ad00981e8d20a4db5239b2ff2f9a78f1b01657c64c48032accce5c5ecd19
MD5 4d88b588f439d1046439bd516999bcb5
BLAKE2b-256 408be6fc5bdcf33bdd589df9d1decd1618e3b0ffc944bd5286eb11ef1bc62ae6

File details

Details for the file cryptoscan_pqc-0.1.0-py3-none-any.whl.

File metadata

  • Download URL: cryptoscan_pqc-0.1.0-py3-none-any.whl
  • Upload date:
  • Size: 13.5 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.9.13

File hashes

Hashes for cryptoscan_pqc-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 2e90e3e9eca6c1522e8249e31c8542262795339deae74199948098b6602827bc
MD5 b85c8816f250266f54417d91b572c374
BLAKE2b-256 3d4050c5e47f3cc7c137fefde34f784401a4f0b096012f36468765f2381d649b
