Discover cryptographic assets and emit a CycloneDX CBOM with post-quantum risk classification
cryptoscan
Discover the cryptography in a codebase and emit a CycloneDX CBOM with post-quantum risk classification.
You cannot migrate cryptography you cannot see. The June 2026 U.S. Executive Order on advanced cryptographic attacks set binding deadlines (2030 for key establishment, 2031 for signatures), extended them to federal contractors, and directed CISA and NIST to define the minimum elements of a Cryptographic Bill of Materials (CBOM). Yet fewer than 5% of enterprises have a comprehensive cryptographic inventory, and existing discovery tooling tends to miss application-layer crypto, config, and firmware.
cryptoscan is a small, fast first step: point it at a repository and it produces (1) a prioritized, human-readable inventory and (2) a machine-readable CycloneDX 1.6 CBOM, with every asset classified by its resistance to a cryptographically relevant quantum computer and mapped to its NIST PQC replacement.
Quick start
```bash
# scan a repo, print a prioritized report
python -m cryptoscan scan ./my-project

# write a CycloneDX 1.6 CBOM
python -m cryptoscan scan ./my-project -o cbom.json

# markdown report (for a PR comment or ticket)
python -m cryptoscan scan ./my-project -f md

# gate a CI pipeline: non-zero exit if quantum-vulnerable crypto is present
python -m cryptoscan scan ./my-project --fail-on-vulnerable
```
What it finds
| Class | Examples | Verdict |
|---|---|---|
| Classical public-key | RSA, ECDSA, ECDH, DSA, Ed25519, X25519, DH | Quantum-vulnerable: broken by Shor's algorithm |
| Weakened symmetric | AES-128 | Review: Grover's algorithm halves the effective security level (128 to 64 bits in theory); prefer AES-256 |
| Already broken | MD5, SHA-1, 3DES, RC4, DES | Broken classically: remove regardless of quantum |
| Post-quantum | ML-KEM (Kyber), ML-DSA (Dilithium), SLH-DSA (SPHINCS+), FN-DSA (Falcon), HQC | Quantum-safe: migration targets |
Detectors cover Python, JavaScript/TypeScript, Java, Go, C/C++/OpenSSL, .NET/C#, and PEM/TLS config. Detection is rule-based and extensible: to cover a new API or identifier, add a Rule entry to detectors.py rather than writing new scanning code.
Why CycloneDX
CycloneDX has included a cryptographic-asset component type since v1.6, and it is the format named in regulatory CBOM guidance. Emitting standards-compliant output means the result drops straight into existing SBOM/CBOM pipelines and tooling rather than living in a bespoke format.
Architecture
```text
detectors.py   rule set: regex -> normalized algorithm key
knowledge.py   algorithm intelligence: quantum status, NIST level, replacement
scanner.py     walk files, apply rules, collapse + dedupe -> findings
cbom.py        findings -> CycloneDX 1.6 CBOM
report.py      findings -> terminal / markdown
cli.py         `cryptoscan scan <path>`
```
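The pipeline above (detectors -> knowledge -> scanner -> cbom/report -> exit code) in miniature, as an added example that is not cryptoscan's own code and does not import its modules. The regex rule set, the knowledge table (including the assumption that ML-KEM means ML-KEM-768, NIST security category 3), the `cryptoscan:` property names and the three sample files are this example's own assumptions; the CycloneDX 1.6 field names (`cryptographic-asset`, `cryptoProperties`, `algorithmProperties`, `evidence.occurrences`) are taken from the spec. The `exit_code` function reproduces the `--fail-on-vulnerable` semantics from the Quick start.

```python
"""Added example: a toy rule-based crypto discovery pipeline emitting a
CycloneDX 1.6 CBOM. Not cryptoscan's code; rules, knowledge table, property
names and sample files are this example's own assumptions."""
import json
import re
import uuid

# detectors: regex -> normalized algorithm key (assumed rule set).
# Deliberately no word boundaries around AES_128 so TLS_AES_128_GCM_SHA256 matches.
RULES = [
    (re.compile(r"rsa\.generate_private_key|\bRSA_generate_key|BEGIN RSA PRIVATE KEY"), "RSA"),
    (re.compile(r"\bECDSA\b"), "ECDSA"),
    (re.compile(r"\bX25519\b"), "X25519"),
    (re.compile(r"AES[-_]?128"), "AES-128"),
    (re.compile(r"hashlib\.md5|\bMD5\b|EVP_md5"), "MD5"),
    (re.compile(r"hashlib\.sha1|\bSHA-?1\b|EVP_sha1"), "SHA-1"),
    (re.compile(r"\bML-KEM\b|\bKyber\b"), "ML-KEM"),
]

# knowledge: (CycloneDX primitive, verdict, NIST PQC security category, replacement).
# Category 0 = no quantum security; ML-KEM assumed to be ML-KEM-768 (category 3).
KNOWLEDGE = {
    "RSA":     ("pke",          "quantum-vulnerable", 0, "ML-KEM (key establishment) / ML-DSA (signatures)"),
    "ECDSA":   ("signature",    "quantum-vulnerable", 0, "ML-DSA"),
    "X25519":  ("key-agree",    "quantum-vulnerable", 0, "ML-KEM"),
    "AES-128": ("block-cipher", "review",             1, "AES-256"),
    "MD5":     ("hash",         "broken",             0, "SHA-256"),
    "SHA-1":   ("hash",         "broken",             0, "SHA-256"),
    "ML-KEM":  ("kem",          "quantum-safe",       3, None),
}
SEVERITY = {"broken": 0, "quantum-vulnerable": 1, "review": 2, "quantum-safe": 3}

# Constructed sample "repository": path -> file content (not real project files).
SAMPLE_FILES = {
    "app/auth.py": (
        "from cryptography.hazmat.primitives.asymmetric import rsa\n"
        "key = rsa.generate_private_key(public_exponent=65537, key_size=2048)\n"
        "fingerprint = hashlib.md5(key_bytes).hexdigest()\n"
    ),
    "tls/server.cnf": "Ciphersuites = TLS_AES_128_GCM_SHA256\nGroups = X25519:secp256r1\n",
    "pq/kem.go": "// hybrid handshake: X25519 + ML-KEM-768\n",
}


def scan(files):
    """scanner: apply every rule to every line, collapse hits into
    {algorithm key: [(path, line_no), ...]} with duplicate occurrences removed."""
    findings = {}
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            for pattern, key in RULES:
                if pattern.search(line):
                    occ = findings.setdefault(key, [])
                    if (path, line_no) not in occ:
                        occ.append((path, line_no))
    return findings


def prioritized(findings):
    """Algorithm keys ordered most urgent first: broken, vulnerable, review, safe."""
    return sorted(findings, key=lambda k: (SEVERITY[KNOWLEDGE[k][1]], k))


def report(findings):
    """report: the human-readable inventory, one line per algorithm."""
    lines = []
    for key in prioritized(findings):
        _, verdict, _, replacement = KNOWLEDGE[key]
        where = ", ".join(f"{p}:{n}" for p, n in findings[key])
        target = f" -> {replacement}" if replacement else ""
        lines.append(f"[{verdict}] {key}{target}  ({where})")
    return "\n".join(lines)


def to_cbom(findings):
    """cbom: one CycloneDX 1.6 cryptographic-asset component per algorithm, with
    file/line evidence and the verdict/replacement carried as (assumed) properties."""
    components = []
    for key in prioritized(findings):
        primitive, verdict, pq_level, replacement = KNOWLEDGE[key]
        props = [{"name": "cryptoscan:verdict", "value": verdict}]
        if replacement:
            props.append({"name": "cryptoscan:replacement", "value": replacement})
        components.append({
            "type": "cryptographic-asset",
            "bom-ref": f"crypto/algorithm/{key}",
            "name": key,
            "cryptoProperties": {
                "assetType": "algorithm",
                "algorithmProperties": {
                    "primitive": primitive,
                    "nistQuantumSecurityLevel": pq_level,
                },
            },
            "properties": props,
            "evidence": {"occurrences": [{"location": p, "line": n} for p, n in findings[key]]},
        })
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.6",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "components": components,
    }


def exit_code(findings, fail_on=("quantum-vulnerable", "broken")):
    """--fail-on-vulnerable: non-zero when any finding has a failing verdict."""
    return 1 if any(KNOWLEDGE[k][1] in fail_on for k in findings) else 0


if __name__ == "__main__":
    found = scan(SAMPLE_FILES)
    print(report(found))
    print(json.dumps(to_cbom(found), indent=2))
    raise SystemExit(exit_code(found))
```

Run as a script it prints the prioritized inventory, then the CBOM JSON, and exits 1 because RSA, X25519 and MD5 are present. The quantum-safe ML-KEM hit on the same line as X25519 is reported separately rather than cancelling the vulnerable finding: a hybrid handshake is still a migration item until the classical half is retired.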
Honest limitations
This is rule-based static discovery, not a substitute for a validated commercial inventory platform. It finds named crypto in source and config; it does not resolve crypto reached only through deep dependency chains, dynamically selected algorithms, or compiled binaries without source. It reports where cryptography is, not where it is missing. Treat it as the fast 80% pass that scopes the harder work.
Roadmap
- Dependency-aware detection (parse lockfiles; flag crypto libraries by version)
- Key/parameter extraction from PEM and X.509 (sizes, signature algorithms)
- Confidence scoring and false-positive suppression
- SARIF output for code-scanning UIs
- A web dashboard over the CBOM (trend the inventory over time — the "continuous" gap)
License
MIT.
Download files
File details: cryptoscan_pqc-0.1.0.tar.gz (source distribution)
- Size: 13.7 kB
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.9.13
Neither file was published via Trusted Publishing, so no publisher attestation accompanies them; verify the SHA256 digest after download.
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 3735ad00981e8d20a4db5239b2ff2f9a78f1b01657c64c48032accce5c5ecd19 |
| MD5 | 4d88b588f439d1046439bd516999bcb5 |
| BLAKE2b-256 | 408be6fc5bdcf33bdd589df9d1decd1618e3b0ffc944bd5286eb11ef1bc62ae6 |
File details: cryptoscan_pqc-0.1.0-py3-none-any.whl (built distribution, Python 3)
- Size: 13.5 kB
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.9.13
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 2e90e3e9eca6c1522e8249e31c8542262795339deae74199948098b6602827bc |
| MD5 | b85c8816f250266f54417d91b572c374 |
| BLAKE2b-256 | 3d4050c5e47f3cc7c137fefde34f784401a4f0b096012f36468765f2381d649b |