Why CryptoDeps?
Your code might be quantum-safe, but what about your dependencies? The average software project has 300-1000+ transitive dependencies. Each one potentially uses cryptographic algorithms that quantum computers will break. Traditional security scanners miss this — they focus on known CVEs, not cryptographic readiness.
| Challenge | Impact |
|---|---|
| Hidden Crypto | RSA, ECDSA, Ed25519 buried deep in dependency trees |
| Harvest Now, Decrypt Later | Adversaries collecting encrypted data today for future quantum decryption |
| CNSA 2.0 Timeline | NSA requires hybrid PQC by 2027 — non-compliant dependencies block migration |
| False Positives | Most tools flag all crypto, not just what you actually use |
Key Features
Reachability Analysis (Go)
Builds a call graph from your code to identify which cryptographic functions are actually invoked — not just present in dependencies.
Multi-Ecosystem Support
Analyzes Go (go.mod), npm (package.json, package-lock.json), Python (requirements.txt, pyproject.toml, Pipfile), and Maven (pom.xml).
Smart Remediation
Context-aware recommendations considering token lifetimes, industry standards, and migration effort level.
Compliance-Ready Output
CycloneDX CBOM for OMB M-23-02, SARIF for GitHub Security, JSON for automation, Markdown for documentation.
Installation
Pre-built Binaries (Recommended)
Download from GitHub Releases:
```bash
# macOS (Apple Silicon)
curl -LO https://github.com/csnp/qramm-cryptodeps/releases/latest/download/cryptodeps-darwin-arm64
chmod +x cryptodeps-darwin-arm64
sudo mv cryptodeps-darwin-arm64 /usr/local/bin/cryptodeps

# macOS (Intel)
curl -LO https://github.com/csnp/qramm-cryptodeps/releases/latest/download/cryptodeps-darwin-amd64
chmod +x cryptodeps-darwin-amd64
sudo mv cryptodeps-darwin-amd64 /usr/local/bin/cryptodeps

# Linux (x86_64)
curl -LO https://github.com/csnp/qramm-cryptodeps/releases/latest/download/cryptodeps-linux-amd64
chmod +x cryptodeps-linux-amd64
sudo mv cryptodeps-linux-amd64 /usr/local/bin/cryptodeps

# Windows (PowerShell)
Invoke-WebRequest -Uri "https://github.com/csnp/qramm-cryptodeps/releases/latest/download/cryptodeps-windows-amd64.exe" -OutFile "cryptodeps.exe"
```
Build from Source
Requires Go 1.21+:
```bash
git clone https://github.com/csnp/qramm-cryptodeps.git
cd qramm-cryptodeps
go build -o cryptodeps ./cmd/cryptodeps
```
Go Install
```bash
go install github.com/csnp/qramm-cryptodeps/cmd/cryptodeps@latest
```
Quick Start
```bash
# Analyze current directory
cryptodeps analyze .

# Analyze a specific project
cryptodeps analyze /path/to/project

# Analyze a GitHub repository directly
cryptodeps analyze hashicorp/vault
cryptodeps analyze https://github.com/golang-jwt/jwt

# Generate CBOM for compliance
cryptodeps analyze . --format cbom > crypto-bom.json

# CI/CD: Fail on quantum-vulnerable crypto
cryptodeps analyze . --fail-on vulnerable
```
Workspace & Monorepo Support
CryptoDeps automatically discovers all manifest files in workspace and monorepo setups. It handles npm/yarn workspaces, pnpm workspaces, and Go workspaces out of the box.
Supported Workspace Types
| Ecosystem | Config File | Detection |
|---|---|---|
| npm/yarn | package.json | workspaces field (array or object) |
| pnpm | pnpm-workspace.yaml | packages field |
| Go | go.work | use directives |
Multi-Project Output
When scanning a monorepo, CryptoDeps groups findings by project:
```text
Scanning /Users/project/monorepo...
Found 3 projects:
  - ./package.json (npm)
  - ./apps/backend/go.mod (go)
  - ./sdk/typescript/package.json (npm)

=== ./apps/backend (Go) ===
[*] Scanning go.mod... found 36 dependencies
  🔴 Ed25519    VULNERABLE    1-2yr    low
     └─ golang.org/x/crypto@v0.31.0

=== ./sdk/typescript (npm) ===
[*] Scanning package.json... found 12 dependencies
  🟢 No vulnerable crypto detected

══════════════════════════════════════════════════════════════════════════════
TOTAL: 3 projects | 51 deps | 3 with crypto | 1 vulnerable
```
To disable workspace discovery and scan only the specified manifest:

```bash
cryptodeps analyze . --no-workspaces
```
Reachability Analysis
CryptoDeps goes beyond simple dependency scanning by analyzing your code's call graph to determine which cryptographic algorithms are actually used.
How It Works
- Parses your source code — Builds an AST of your Go files
- Identifies entry points — main(), init(), exported functions
- Traces call paths — Follows function calls to crypto imports
- Classifies reachability — Marks each crypto usage as CONFIRMED, REACHABLE, or AVAILABLE
Reachability Levels
| Level | Meaning | Action |
|---|---|---|
| CONFIRMED | Your code directly calls this crypto | Immediate remediation required |
| REACHABLE | In call graph from your code | Monitor and plan migration |
| AVAILABLE | In dependency but not called | Lower priority (future planning) |
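As an added illustration of the classification step above (example code, not from the CryptoDeps project), the following Go program walks a small hand-constructed call graph from your package's entry points (main, init, exported functions) and assigns the three levels. The graph shape, the package names and the `CryptoAPI` table are assumptions made for the demo.

```go
package main

import "fmt"
import "go/ast"
import "strings"

// Call graph constructed by hand for this example (not CryptoDeps output), in the shape
// the AST pass produces: "pkg.Func" -> callees. "app" is your code, "jwt" a dependency.
var SampleGraph = map[string][]string{
	"app.main":         {"app.CreateAgent", "jwt.SignedString"},
	"app.CreateAgent":  {"ed25519.Sign"},
	"jwt.SignedString": {"hmac.New"},
	"jwt.signRSA":      {"rsa.SignPKCS1v15"}, // shipped in the dependency, never called
}
// Crypto library functions present in the dependency tree, mapped to the algorithm each implements.
var CryptoAPI = map[string]string{"ed25519.Sign": "Ed25519", "hmac.New": "HMAC-SHA256", "rsa.SignPKCS1v15": "RSA"}

// Classify walks graph from own's entry points (main, init, exported funcs) and labels each algorithm
// CONFIRMED (your code calls it), REACHABLE (a dependency calls it on a path from your code) or AVAILABLE (never reached).
func Classify(graph map[string][]string, own string) map[string]string {
	level, seen := map[string]string{}, map[string]bool{}
	for _, alg := range CryptoAPI {
		level[alg] = "AVAILABLE" // until a walk proves otherwise
	}
	var walk func(fn string)
	walk = func(fn string) {
		if seen[fn] { // also terminates recursive call cycles
			return
		}
		seen[fn] = true
		for _, c := range graph[fn] {
			alg, ok := CryptoAPI[c]
			switch {
			case !ok: // ordinary function: keep following calls
				walk(c)
			case strings.HasPrefix(fn, own+"."):
				level[alg] = "CONFIRMED"
			case level[alg] != "CONFIRMED":
				level[alg] = "REACHABLE"
			}
		}
	}
	for fn := range graph {
		if n := strings.TrimPrefix(fn, own+"."); n != fn && (n == "main" || n == "init" || ast.IsExported(n)) {
			walk(fn)
		}
	}
	return level
}
func main() { fmt.Println(Classify(SampleGraph, "app")) }
```

For the sample graph this reports Ed25519 as CONFIRMED, HMAC-SHA256 as REACHABLE and RSA as AVAILABLE, mirroring the confirmed / reachable / available-only split in the tool's summary line.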
Sample Output with Reachability
```text
[*] Scanning go.mod... found 36 dependencies

[!] CONFIRMED - Actually used by your code (requires action):
──────────────────────────────────────────────────────────────────────────────
  🔴 Ed25519    VULNERABLE    1-2yr    low
     └─ golang.org/x/crypto@v0.31.0
        > Called from: application.AgentService.CreateAgent
        > Called from: crypto.ED25519Service.Sign

  🟡 HS256      PARTIAL       -        low
     └─ github.com/golang-jwt/jwt/v5@v5.3.0
        > Called from: auth.JWTService.GenerateAccessToken

  🟢 bcrypt     SAFE          -        -
     └─ golang.org/x/crypto@v0.31.0
        > Called from: auth.HashPassword

══════════════════════════════════════════════════════════════════════════════
SUMMARY: 36 deps | 2 with crypto | 8 vulnerable | 2 partial
REACHABILITY: 3 confirmed | 0 reachable | 11 available-only
```
To skip the call graph analysis:

```bash
cryptodeps analyze . --reachability=false
```
Output Formats
Table (Default)
Human-readable terminal output with colors and formatting:
```bash
cryptodeps analyze .
```
JSON
Machine-readable output for automation:
```bash
cryptodeps analyze . --format json

# Only dependencies with crypto findings
cryptodeps analyze . --format json | jq '.dependencies[] | select(.analysis.crypto != null)'
```
CycloneDX CBOM
Cryptographic Bill of Materials for compliance (OMB M-23-02, CNSA 2.0):
```bash
cryptodeps analyze . --format cbom > crypto-bom.json
```
SARIF
GitHub Security tab integration:
```bash
cryptodeps analyze . --format sarif > results.sarif
```
Markdown
Documentation and reports:
```bash
cryptodeps analyze . --format markdown > crypto-report.md
```
Quantum Risk Classification
| Risk | Quantum Threat | Examples |
|---|---|---|
| VULNERABLE | Completely broken by Shor's algorithm | RSA, ECDSA, Ed25519, ECDH, DH, DSA |
| PARTIAL | Security reduced by Grover's algorithm (halved key strength) | AES-128, SHA-256, HMAC-SHA256 |
| SAFE | Maintains security against known quantum attacks | AES-256, SHA-384+, ChaCha20, Argon2 |
CNSA 2.0 Compliance Timeline
| Timeline | Requirement |
|---|---|
| 2025 | Begin hybrid implementations |
| 2027 | Complete hybrid transition for key establishment |
| 2030 | Complete migration to pure PQC |
| 2033 | Sunset classical algorithms |
Remediation Guidance
CryptoDeps provides intelligent, context-aware remediation recommendations:
For JWT Algorithms
| Current | Recommendation |
|---|---|
| RS256/RS384/RS512 | Wait for PQ-JWT standards; use HS256/HS512 if symmetric is acceptable |
| ES256/ES384/ES512 | Same — ECDSA is quantum-vulnerable |
| HS256 | Adequate for most use cases; optionally upgrade to HS512 |
| HS512 | Already quantum-safe, no action needed |
For Signatures
| Current | Recommendation | NIST Standard |
|---|---|---|
| RSA | Migrate to ML-DSA | FIPS 204 |
| ECDSA | Migrate to ML-DSA | FIPS 204 |
| Ed25519 | Plan migration to ML-DSA; prioritize long-lived signatures | FIPS 204 |
Recommended PQC Libraries
| Ecosystem | Library |
|---|---|
| Go | github.com/cloudflare/circl |
| JavaScript/npm | @noble/post-quantum |
| Python | pqcrypto, liboqs-python |
| Java | org.bouncycastle:bcprov-jdk18on |
CI/CD Integration
GitHub Actions
```yaml
name: Quantum Security Scan

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

permissions:
  security-events: write
  contents: read

jobs:
  cryptodeps:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Setup Go
        uses: actions/setup-go@v5
        with:
          go-version: '1.22'

      - name: Install CryptoDeps
        run: go install github.com/csnp/qramm-cryptodeps/cmd/cryptodeps@latest

      - name: Run Crypto Analysis
        run: cryptodeps analyze . --format sarif > cryptodeps.sarif
        continue-on-error: true

      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: cryptodeps.sarif

      - name: Fail on Vulnerable Crypto
        run: cryptodeps analyze . --fail-on vulnerable
```
Exit Codes
| Code | Meaning | Trigger |
|---|---|---|
| 0 | Success | No findings matching --fail-on threshold |
| 1 | Vulnerable | Quantum-vulnerable crypto detected |
| 2 | Error | Analysis failed (invalid manifest, network error) |
| 3 | Partial | Partial-risk crypto detected (with --fail-on partial) |
Command Reference
```text
USAGE:
  cryptodeps <command> [flags]

COMMANDS:
  analyze    Analyze project dependencies for cryptographic usage
  update     Download latest crypto knowledge database
  status     Show database statistics and cache info
  version    Print version information

ANALYZE FLAGS:
  -f, --format string        Output format: table, json, cbom, sarif, markdown (default "table")
      --fail-on string       Fail threshold: vulnerable, partial, any, none (default "vulnerable")
      --reachability         Analyze call graph for actual crypto usage (default true, Go only)
      --no-workspaces        Disable workspace discovery, scan only the specified manifest
      --deep                 Force AST analysis for packages not in database
      --offline              Use only local database, skip auto-updates
      --risk string          Filter by risk: vulnerable, partial, all
      --min-severity string  Minimum severity to report

EXAMPLES:
  cryptodeps analyze .                         # Analyze current directory (all workspaces)
  cryptodeps analyze . --no-workspaces         # Single manifest only
  cryptodeps analyze ./go.mod                  # Specific manifest
  cryptodeps analyze hashicorp/vault           # GitHub repository
  cryptodeps analyze . --format cbom           # Generate CBOM
  cryptodeps analyze . --fail-on vulnerable    # CI/CD gate
  cryptodeps analyze . --reachability=false    # Skip call graph analysis
  cryptodeps update                            # Update crypto database
```
Ready to Secure Your Dependencies?
Stop guessing — know precisely where your quantum risk lies. CryptoDeps is free, open source, and takes just minutes to set up.
Related Resources
- CryptoScan Guide - Discover crypto in your source code
- Cryptographic Inventory Guide - Best practices for maintaining crypto inventories
- Quantum Risk Management - Framework for assessing quantum threats
- Harvest Now, Decrypt Later - Understanding the HNDL threat
- Algorithm Selection Guide - Choosing the right algorithms by use case