
Cryptoscan

Cryptographic Discovery Scanner - Find every cryptographic algorithm in your codebase and know your quantum risk - part of the QRAMM Toolkit by CSNP


README

<h1 align="center">CryptoScan</h1>
<h3 align="center">Cryptographic Discovery for the Post-Quantum Era</h3>
<p align="center">
  <strong>Find every cryptographic algorithm in your codebase. Know your quantum risk. Get a Migration Readiness Score. Plan your migration.</strong>
</p>
<p align="center">
  <a href="https://github.com/csnp/cryptoscan/actions/workflows/ci.yml"><img src="https://github.com/csnp/cryptoscan/actions/workflows/ci.yml/badge.svg" alt="CI"></a>
  <a href="https://goreportcard.com/report/github.com/csnp/cryptoscan"><img src="https://goreportcard.com/badge/github.com/csnp/cryptoscan?v=2" alt="Go Report Card"></a>
  <a href="https://opensource.org/licenses/Apache-2.0"><img src="https://img.shields.io/badge/License-Apache%202.0-blue.svg" alt="License"></a>
  <a href="https://go.dev/"><img src="https://img.shields.io/badge/Go-1.21+-00ADD8?logo=go&logoColor=white" alt="Go Version"></a>
</p>
<p align="center">
  <a href="#why-cryptoscan">Why CryptoScan</a> •
  <a href="#quick-start">Quick Start</a> •
  <a href="#features">Features</a> •
  <a href="https://qramm.org/learn/cryptoscan-guide.html">Full Documentation</a> •
  <a href="#contributing">Contributing</a>
</p>

Part of the QRAMM Toolkit — Open-source tools for quantum readiness:

| Tool | Purpose |
|------|---------|
| CryptoScan | Cryptographic discovery in source code ← You are here |
| CryptoDeps | Quantum-safe dependency analysis for your supply chain |
| TLS-Analyzer | TLS/SSL configuration analysis with CNSA 2.0 compliance |

Learn more at qramm.org


The Quantum Computing Challenge

Quantum computers will break RSA, ECDSA, and Diffie-Hellman within the next decade. This isn't speculation—the NSA, NIST, and major technology companies are already migrating to post-quantum cryptography (PQC).

The challenge? You can't migrate what you can't find.

Most organizations have no visibility into which cryptographic algorithms are used across their codebases, configurations, and dependencies. CryptoScan solves this by providing a complete cryptographic inventory in seconds—with full source code context so you know exactly what needs to change and where.

Why CryptoScan

CryptoScan is purpose-built for quantum readiness assessment:

| Capability | CryptoScan | grep/ripgrep | Commercial Tools |
|------------|:----------:|:------------:|:----------------:|
| Remote Git URL scanning | Yes | No | Some |
| Source code context | Yes | No | Rarely |
| Quantum risk classification | Yes | No | Some |
| Post-Quantum Crypto detection | Yes | No | Rarely |
| Migration Readiness Score | Yes | No | No |
| Hybrid crypto recognition | Yes | No | Rarely |
| QRAMM framework mapping | Yes | No | No |
| CI/CD baseline comparison | Yes | No | Some |
| Configurable exit codes | Yes | No | Some |
| Context-aware confidence | Yes | No | Varies |
| CBOM output | Yes | No | Rarely |
| SARIF for GitHub Security | Yes | No | Yes |
| Inline ignore comments | Yes | No | Some |
| Pattern-specific suppression | Yes | No | Rarely |
| Migration guidance | Yes | No | Varies |
| Dependency scanning | Yes | No | Some |
| Configuration file | Yes | N/A | Yes |
| Open source | Yes | Yes | No |

What These Capabilities Mean

<details> <summary><strong>Click to expand capability descriptions</strong></summary>

Remote Git URL scanning — Scan any public or private Git repository directly by URL without cloning it first. Just run cryptoscan scan https://github.com/org/repo.git and get results immediately.

Source code context — Every finding includes the 3 lines before and after the match, so you can immediately understand the context without opening the file. Know if it's in a comment, test, or production code at a glance.

Quantum risk classification — Each finding is tagged with its quantum computing threat level: VULNERABLE (broken by Shor's algorithm), PARTIAL (weakened by Grover's algorithm), SAFE (quantum-resistant), or UNKNOWN. This tells you exactly what needs to migrate first.

Post-Quantum Crypto detection — Detects NIST-standardized PQC algorithms including ML-KEM (FIPS 203), ML-DSA (FIPS 204), SLH-DSA (FIPS 205), and draft FN-DSA (FIPS 206). Also detects stateful hash-based signatures (XMSS, LMS per SP 800-208). Recognizes both new FIPS names and legacy names (Kyber, Dilithium, SPHINCS+).

Migration Readiness Score — Get an instant percentage score showing how prepared your codebase is for the post-quantum transition. The score weighs quantum-safe algorithms (100%), hybrid implementations (80%), and partial safety (30%) against vulnerable and critical findings. Includes top-risk files to prioritize.

Hybrid crypto recognition — Identifies hybrid cryptographic implementations that combine classical and post-quantum algorithms for defense-in-depth. Detects patterns like X25519+ML-KEM key exchange and ECDSA+ML-DSA composite signatures—the recommended transition approach.

QRAMM framework mapping — Maps all findings to the Quantum Readiness Assurance Maturity Model (QRAMM) Dimension 1: Cryptographic Visibility & Inventory. Shows your maturity level for Discovery (Practice 1.1), Vulnerability Assessment (Practice 1.2), and Dependency Mapping (Practice 1.3).

Context-aware confidence — Not all matches are equal. CryptoScan reduces confidence for findings in comments, documentation, log messages, and test files. High-confidence findings in production code are prioritized over low-confidence matches in docs.

CBOM output — Generate a Cryptographic Bill of Materials—a machine-readable inventory of all cryptographic algorithms in your codebase. Required for federal compliance (OMB M-23-02) and essential for tracking quantum migration progress.

SARIF for GitHub Security — Output findings in SARIF format for direct integration with GitHub Code Scanning. See cryptographic issues as security alerts in your pull requests and repository Security tab.

Inline ignore comments — Suppress false positives directly in your code with // cryptoscan:ignore. No need to maintain separate exclusion files or configure complex ignore rules.

Migration guidance — Every finding includes specific remediation advice: which NIST PQC algorithm to migrate to (ML-KEM, ML-DSA, SLH-DSA), links to standards, and effort estimates.

Dependency scanning — Scans package manifests (package.json, go.mod, requirements.txt, pom.xml, etc.) to identify crypto libraries in your dependencies. Covers 20+ package manager formats.

</details>
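The quantum risk classes and Migration Readiness Score weights described above, worked through as an added Go example (not CryptoScan's own code). The README gives the weights (safe 100%, hybrid 80%, partial 30%) but not the exact formula, so the weighted-average over classified findings, the exclusion of UNKNOWN from the denominator, and modelling HYBRID as its own bucket are assumptions; the inventory is constructed.

```go
package main

// Risk is the quantum threat level the README assigns to a finding; HYBRID is
// modelled as its own bucket here (an assumption, not the project's documented rule).
type Risk string
const (
	Vulnerable Risk = "VULNERABLE" // broken by Shor's algorithm
	Partial    Risk = "PARTIAL"    // weakened by Grover's algorithm
	Safe       Risk = "SAFE"       // quantum-resistant (NIST PQC)
	Hybrid     Risk = "HYBRID"     // classical + PQC combined
	Unknown    Risk = "UNKNOWN"    // unclassified, excluded from the score
)

// Finding is a constructed, minimal stand-in for one scanner finding.
type Finding struct {
	File, Algorithm string
	Risk            Risk
}
// README weights: safe 100%, hybrid 80%, partial 30%; vulnerable earns 0.
var readinessWeight = map[Risk]float64{Safe: 1.0, Hybrid: 0.8, Partial: 0.3, Vulnerable: 0.0}
// MigrationReadiness returns the weighted percentage (assumed formula: mean weight over
// classified findings) and a per-file count of VULNERABLE findings for prioritisation.
func MigrationReadiness(findings []Finding) (score float64, vulnerableByFile map[string]int) {
	var sum, n float64
	vulnerableByFile = map[string]int{}
	for _, f := range findings {
		w, ok := readinessWeight[f.Risk]
		if !ok {
			continue // UNKNOWN: neither credit nor penalty
		}
		sum, n = sum+w, n+1
		if f.Risk == Vulnerable {
			vulnerableByFile[f.File]++
		}
	}
	if n == 0 {
		return 0, vulnerableByFile // nothing classified: no credit claimed
	}
	return 100 * sum / n, vulnerableByFile
}

// SampleInventory is a constructed set of findings, not real CryptoScan output.
var SampleInventory = []Finding{
	{"auth/rsa.go", "RSA-2048", Vulnerable},
	{"auth/rsa.go", "ECDSA P-256", Vulnerable},
	{"kex/hybrid.go", "X25519+ML-KEM-768", Hybrid},
	{"sign/pqc.go", "ML-DSA-65", Safe},
	{"cipher/aes.go", "AES-128-GCM", Partial},
	{"docs/notes.md", "sha", Unknown},
}
```

For the sample inventory the score is 42.0% and auth/rsa.go is the only top-risk file, with two vulnerable findings.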

Quick Start

Installation

Option 1: Build from Source

Requires Go 1.21+ (install Go) — always use the latest patch version for security fixes

Copy and paste this entire block:

git clone https://github.com/csnp/cryptoscan.git
cd cryptoscan
go build -o cryptoscan ./cmd/cryptoscan
sudo mv cryptoscan /usr/local/bin/
cd ..
cryptoscan version

Option 2: Go Install

For Go developers:

go install github.com/csnp/cryptoscan/cmd/cryptoscan@latest

Option 3: Download Binary

Download pre-built binaries from GitHub Releases.

Basic Usage

# Scan a local directory
cryptoscan scan .

# Scan a remote Git repository
cryptoscan scan https://github.com/your-org/your-repo.git

# Output to JSON for automation
cryptoscan scan . --format json --output findings.json

# Generate SARIF for GitHub Security integration
cryptoscan scan . --format sarif --output results.sarif

Try It Out

This repository includes sample cryptographic code for testing:

# Clone and build
git clone https://github.com/csnp/cryptoscan.git
cd cryptoscan
go build -o cryptoscan ./cmd/cryptoscan

# Scan the sample files (Go, Python, Java, JavaScript)
./cryptoscan scan ./crypto-samples

# Expected: ~100+ findings showing various crypto patterns including:
# - Post-Quantum: ML-KEM, ML-DSA, SLH-DSA, XMSS, LMS
# - Hybrid: X25519+ML-KEM, ECDSA+ML-DSA composite
# - Quantum vulnerable: RSA, ECDSA, Ed25519
# - MACs: HMAC-SHA256/512, KMAC
# - KDFs: HKDF, PBKDF2, Argon2id, bcrypt
# - With Migration Readiness Score and QRAMM mapping

Features

Comprehensive Detection

CryptoScan identifies cryptographic usage across your entire technology stack:

| Category | What We Detect |
|----------|----------------|
| Post-Quantum Cryptography | ML-KEM (Kyber), ML-DSA (Dilithium), SLH-DSA (SPHINCS+), FN-DSA (Falcon), XMSS, LMS |
| Hybrid Cryptography | X25519+ML-KEM, ECDSA+ML-DSA composite signatures, hybrid TLS key exchange |
| Asymmetric Encryption | RSA (all key sizes), ECDSA, DSA, DH, ECDH, Ed25519, X25519 |
| Symmetric Encryption | AES (CBC, GCM, ECB, CTR), ChaCha20-Poly1305, DES, 3DES, RC4, Blowfish |
| Hash Functions | SHA-2, SHA-3, SHAKE128/256, BLAKE2, BLAKE3, MD5, SHA-1 |
| MACs | HMAC-SHA256/384/512, HMAC-SHA3, KMAC128/256, CMAC, GMAC, Poly1305 |
| Key Derivation (KDFs) | HKDF, PBKDF2, Argon2id, scrypt, bcrypt |
| Certificates | X.509, CSR, PKCS#12/PFX, certificate chains, mTLS, validation bypass, expiration, JWK |
| TLS/SSL | Protocol versions, cipher suites, weak configurations, certificate pinning |
| Key Material | Private keys (RSA, EC, SSH, PGP, PKCS#8), JWT secrets, HMAC keys |
| Cloud KMS | AWS KMS, Azure Key Vault, GCP Cloud KMS, HashiCorp Vault |
| Dependencies | Crypto libraries across 20+ package managers |
| Configurations | Hardcoded key sizes, algorithm selections, TLS settings |

90+ detection patterns with context-aware confidence scoring to minimize false positives.

Quantum Risk Classification

Every finding is classified by quantum computing threat

Repository metadata: GitHub stars 4, forks 2, category Development, updated 19d ago, language Go.

Security score: 90/100, audited on Mar 8, 2026, no findings.