
Discover cryptographic assets and emit a CycloneDX CBOM with post-quantum risk classification

Project description

cryptoscan


Discover the cryptography in a codebase and emit a CycloneDX CBOM with post-quantum risk classification.

You cannot migrate cryptography you cannot see. The June 2026 U.S. Executive Order on advanced cryptographic attacks set binding deadlines (2030 for key establishment, 2031 for signatures), extended them to federal contractors, and directed CISA and NIST to define the minimum elements of a Cryptographic Bill of Materials (CBOM). Yet fewer than 5% of enterprises have a comprehensive cryptographic inventory, and existing discovery tooling tends to miss application-layer crypto, config, and firmware.

cryptoscan is a small, fast first step: point it at a repository and it produces (1) a prioritized, human-readable inventory and (2) a machine-readable CycloneDX 1.6 CBOM, with every asset classified by its resistance to a cryptographically relevant quantum computer and mapped to its NIST PQC replacement.

Quick start

# scan a repo, print a prioritized report
python -m cryptoscan scan ./my-project

# write a CycloneDX 1.6 CBOM
python -m cryptoscan scan ./my-project -o cbom.json

# markdown report (for a PR comment or ticket)
python -m cryptoscan scan ./my-project -f md

# gate a CI pipeline: non-zero exit if quantum-vulnerable crypto is present
python -m cryptoscan scan ./my-project --fail-on-vulnerable

What it finds

Class                 Examples                                                  Verdict
Classical public-key  RSA, ECDSA, ECDH, DSA, Ed25519, X25519, DH                Quantum-vulnerable — broken by Shor's algorithm
Weakened symmetric    AES-128                                                   Review — halved by Grover; prefer AES-256
Already broken        MD5, SHA-1, 3DES, RC4, DES                                Broken — remove regardless of quantum
Post-quantum          ML-KEM (Kyber), ML-DSA (Dilithium), SLH-DSA, Falcon, HQC  Quantum-safe — migration targets

Detectors cover Python, JavaScript/TypeScript, Java, Go, C/C++/OpenSSL, .NET/C#, and PEM/TLS config. Detection is rule-based and extensible — add a Rule in detectors.py, not code.

Why CycloneDX

CycloneDX has carried cryptographic-asset components since v1.6, and the format is the one named in regulatory CBOM guidance. Emitting standards-compliant output means the result drops straight into existing SBOM/CBOM pipelines and tooling rather than living in a bespoke format.

Architecture

detectors.py   rule set: regex -> normalized algorithm key
knowledge.py   algorithm intelligence: quantum status, NIST level, replacement
scanner.py     walk files, apply rules, collapse + dedupe -> findings
cbom.py        findings -> CycloneDX 1.6 CBOM
report.py      findings -> terminal / markdown
cli.py         `cryptoscan scan <path>`
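As an added illustration of the detectors -> knowledge -> scanner -> cbom pipeline listed above (example code written for this page, not cryptoscan's own modules or API): a handful of regex rules normalize source lines to algorithm keys, a small knowledge table gives each key its verdict, CycloneDX primitive, NIST quantum security category and replacement, and the findings are collapsed into CycloneDX 1.6 cryptographic-asset components plus a CI gate in the spirit of --fail-on-vulnerable. The Rule and Finding classes, the rule regexes, the cryptoscan:* property names, the bom-ref scheme and the sample source file are all assumptions made for this example; the component layout follows the published CycloneDX 1.6 schema (type cryptographic-asset, cryptoProperties.algorithmProperties, evidence.occurrences).

```python
import json
import re
from dataclasses import dataclass

# Hypothetical miniature of a rule-based crypto discovery pipeline.
# All names here are assumptions for the example, not cryptoscan's own code.


@dataclass(frozen=True)
class Rule:
    pattern: re.Pattern  # regex applied to each source line
    key: str             # normalized algorithm key the match maps to


# detectors: regex -> normalized algorithm key (constructed rule set)
RULES = [
    Rule(re.compile(r"\brsa\.generate_private_key\b|\bRSA\b"), "RSA"),
    Rule(re.compile(r"\bec\.ECDSA\b|\bECDSA\b|\bES256\b"), "ECDSA"),
    Rule(re.compile(r"\bhashlib\.md5\b|\bMD5\b"), "MD5"),
    Rule(re.compile(r"\bhashlib\.sha1\b|\bSHA-?1\b"), "SHA-1"),
    Rule(re.compile(r"\bAES-?128\b"), "AES-128"),
    Rule(re.compile(r"\bML-?KEM-?768\b|\bKyber-?768\b"), "ML-KEM-768"),
]

# knowledge: key -> (verdict, CycloneDX primitive, NIST quantum security
# category with 0 meaning none, suggested replacement)
KNOWLEDGE = {
    "RSA":        ("quantum-vulnerable", "pke",          0, "ML-KEM (FIPS 203) / ML-DSA (FIPS 204)"),
    "ECDSA":      ("quantum-vulnerable", "signature",    0, "ML-DSA (FIPS 204)"),
    "MD5":        ("broken",             "hash",         0, "SHA-256 or SHA3-256"),
    "SHA-1":      ("broken",             "hash",         0, "SHA-256 or SHA3-256"),
    "AES-128":    ("review",             "block-cipher", 1, "AES-256"),
    "ML-KEM-768": ("quantum-safe",       "kem",          3, None),
}


@dataclass(frozen=True)
class Finding:
    key: str
    path: str
    line: int
    snippet: str


def scan_lines(path, lines):
    """Apply every rule to every line; one Finding per (rule, line) hit."""
    findings = []
    for lineno, text in enumerate(lines, start=1):
        for rule in RULES:
            if rule.pattern.search(text):
                findings.append(Finding(rule.key, path, lineno, text.strip()))
    return findings


def collapse(findings):
    """Dedupe to one entry per algorithm key, keeping every occurrence."""
    by_key = {}
    for f in findings:
        by_key.setdefault(f.key, []).append(f)
    return by_key


def build_cbom(findings):
    """Turn findings into a CycloneDX 1.6 document of cryptographic-asset components."""
    components = []
    for key, occs in sorted(collapse(findings).items()):
        verdict, primitive, level, replacement = KNOWLEDGE[key]
        props = [{"name": "cryptoscan:verdict", "value": verdict}]  # assumed property namespace
        if replacement:
            props.append({"name": "cryptoscan:replacement", "value": replacement})
        components.append({
            "type": "cryptographic-asset",
            "bom-ref": f"crypto/algorithm/{key}",  # assumed bom-ref scheme
            "name": key,
            "cryptoProperties": {
                "assetType": "algorithm",
                "algorithmProperties": {
                    "primitive": primitive,
                    "nistQuantumSecurityLevel": level,
                },
            },
            "evidence": {"occurrences": [{"location": o.path, "line": o.line} for o in occs]},
            "properties": props,
        })
    return {"bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
            "components": components}


def has_quantum_vulnerable(findings):
    """CI gate: True when anything Shor-breakable or already broken was found."""
    return any(KNOWLEDGE[f.key][0] in ("quantum-vulnerable", "broken") for f in findings)


# Constructed sample source file for the demo, not taken from any real project.
SAMPLE_SOURCE = """\
from cryptography.hazmat.primitives.asymmetric import rsa
import hashlib, oqs
key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
digest = hashlib.md5(data).hexdigest()
kem = oqs.KeyEncapsulation("ML-KEM-768")
"""

if __name__ == "__main__":
    found = scan_lines("app.py", SAMPLE_SOURCE.splitlines())
    print(json.dumps(build_cbom(found), indent=2))
    raise SystemExit(1 if has_quantum_vulnerable(found) else 0)
```

Running the block scans the constructed file, prints a three-component CBOM (MD5, ML-KEM-768, RSA, each with its line-level occurrence) and exits non-zero because RSA and MD5 are present. The knowledge table is where the "what it finds" verdicts live: adding an algorithm means adding a regex and one row, which is the extensibility the README describes.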

Honest limitations

This is rule-based static discovery, not a substitute for a validated commercial inventory platform. It finds named crypto in source and config; it does not resolve crypto reached only through deep dependency chains, dynamically selected algorithms, or compiled binaries without source. It reports where cryptography is, not where it is missing. Treat it as the fast 80% pass that scopes the harder work.

Roadmap

  • Dependency-aware detection (parse lockfiles; flag crypto libraries by version)
  • Key/parameter extraction from PEM and X.509 (sizes, signature algorithms)
  • Confidence scoring and false-positive suppression
  • SARIF output for code-scanning UIs
  • A web dashboard over the CBOM (trend the inventory over time — the "continuous" gap)

License

MIT.

Download files

Source Distribution

cryptoscan_pqc-0.1.1.tar.gz (13.7 kB), uploaded via twine/6.2.0 CPython/3.9.13, not using Trusted Publishing.

Hashes for cryptoscan_pqc-0.1.1.tar.gz
Algorithm    Hash digest
SHA256       461ed54dcec4ece68d7cdff71082a7acfee62accbe33c46ac94b6093c372eddf
MD5          99358535d890711fc557f9eaca40fa5b
BLAKE2b-256  2d6e11d1b0e5ed2bb63dc860a85adcdc2331c670be53837dca742abc76bbe60d

Built Distribution

cryptoscan_pqc-0.1.1-py3-none-any.whl (13.5 kB, Python 3), uploaded via twine/6.2.0 CPython/3.9.13, not using Trusted Publishing.

Hashes for cryptoscan_pqc-0.1.1-py3-none-any.whl
Algorithm    Hash digest
SHA256       7a01351cfd47cdbcecc6585a4ce3ef3ae7e8ca1998c29438d5d2ebc16ad04577
MD5          652f34bff69ed850b8373a89a1d6629e
BLAKE2b-256  4ad728565b615141939463be4171739c515b83c5e999a04df0ebef2f6f7d7077
