Why CryptoDeps?
Your code might be quantum-safe, but what about your dependencies? The average software project has 300-1000+ transitive dependencies. Each one potentially uses cryptographic algorithms that quantum computers will break. Traditional security scanners miss this. They focus on known CVEs, not cryptographic readiness.
| Challenge | Impact |
|---|---|
| Hidden Crypto | RSA, ECDSA, Ed25519 buried deep in dependency trees |
| Harvest Now, Decrypt Later | Adversaries collecting encrypted data today for future quantum decryption |
| CNSA 2.0 Timeline | NSA requires hybrid PQC by 2027, non-compliant dependencies block migration |
| False Positives | Most tools flag all crypto, not just what you actually use |
Key features
Reachability analysis (Go)
Builds a call graph from your code to identify which cryptographic functions are actually invoked, not just present in dependencies.
Multi-ecosystem support
Analyzes Go (go.mod), npm (package.json, package-lock.json), Python (requirements.txt, pyproject.toml, Pipfile), and Maven (pom.xml).
Smart remediation
Context-aware recommendations considering token lifetimes, industry standards, and migration effort level.
Compliance-ready output
CycloneDX CBOM for OMB M-23-02, SARIF for GitHub Security, JSON for automation, Markdown for documentation.
Installation
Pre-built binaries (recommended)
Download from GitHub Releases:
# macOS (Apple Silicon)
curl -LO https://github.com/csnp/cryptodeps/releases/latest/download/cryptodeps-darwin-arm64
chmod +x cryptodeps-darwin-arm64
sudo mv cryptodeps-darwin-arm64 /usr/local/bin/cryptodeps
# macOS (Intel)
curl -LO https://github.com/csnp/cryptodeps/releases/latest/download/cryptodeps-darwin-amd64
chmod +x cryptodeps-darwin-amd64
sudo mv cryptodeps-darwin-amd64 /usr/local/bin/cryptodeps
# Linux (x86_64)
curl -LO https://github.com/csnp/cryptodeps/releases/latest/download/cryptodeps-linux-amd64
chmod +x cryptodeps-linux-amd64
sudo mv cryptodeps-linux-amd64 /usr/local/bin/cryptodeps
# Windows (PowerShell)
Invoke-WebRequest -Uri "https://github.com/csnp/cryptodeps/releases/latest/download/cryptodeps-windows-amd64.exe" -OutFile "cryptodeps.exe"
Build from source
Requires Go 1.21+:
git clone https://github.com/csnp/cryptodeps.git
cd cryptodeps
go build -o cryptodeps ./cmd/cryptodeps
Quick start
# Analyze current directory
cryptodeps analyze .
# Analyze a specific project
cryptodeps analyze /path/to/project
# Analyze a GitHub repository directly
cryptodeps analyze hashicorp/vault
cryptodeps analyze https://github.com/golang-jwt/jwt
# Generate CBOM for compliance
cryptodeps analyze . --format cbom > crypto-bom.json
# CI/CD: Fail on quantum-vulnerable crypto
cryptodeps analyze . --fail-on vulnerable
Workspace & monorepo support
CryptoDeps automatically discovers all manifest files in workspace and monorepo setups. It handles npm/yarn workspaces, pnpm workspaces, and Go workspaces out of the box.
Supported workspace types
| Ecosystem | Config File | Detection |
|---|---|---|
| npm/yarn | package.json | workspaces field (array or object) |
| pnpm | pnpm-workspace.yaml | packages field |
| Go | go.work | use directives |
Multi-project output
When scanning a monorepo, CryptoDeps groups findings by project:
Scanning /Users/project/monorepo...
Found 3 projects:
- ./package.json (npm)
- ./apps/backend/go.mod (go)
- ./sdk/typescript/package.json (npm)
=== ./apps/backend (Go) ===
[*] Scanning go.mod... found 36 dependencies
🔴 Ed25519 VULNERABLE 1-2yr low
└─ golang.org/x/crypto@v0.31.0
=== ./sdk/typescript (npm) ===
[*] Scanning package.json... found 12 dependencies
🟢 No vulnerable crypto detected
══════════════════════════════════════════════════════════════════════════════
TOTAL: 3 projects | 51 deps | 3 with crypto | 1 vulnerable
cryptodeps analyze . --no-workspaces
Reachability analysis
CryptoDeps goes beyond simple dependency scanning by analyzing your code's call graph to determine which cryptographic algorithms are actually used.
How it works
- Parses your source code: Builds an AST of your Go files
- Identifies entry points: main(), init(), exported functions
- Traces call paths: Follows function calls to crypto imports
- Classifies reachability: Marks each crypto usage as CONFIRMED, REACHABLE, or AVAILABLE
Reachability levels
| Level | Meaning | Action |
|---|---|---|
| CONFIRMED | Your code directly calls this crypto | Immediate remediation required |
| REACHABLE | In call graph from your code | Monitor and plan migration |
| AVAILABLE | In dependency but not called | Lower priority (future planning) |
Sample output with reachability
[*] Scanning go.mod... found 36 dependencies
[!] CONFIRMED - Actually used by your code (requires action):
──────────────────────────────────────────────────────────────────────────────
🔴 Ed25519 VULNERABLE 1-2yr low
└─ golang.org/x/crypto@v0.31.0
> Called from: application.AgentService.CreateAgent
> Called from: crypto.ED25519Service.Sign
🟡 HS256 PARTIAL - low
└─ github.com/golang-jwt/jwt/v5@v5.3.0
> Called from: auth.JWTService.GenerateAccessToken
🟢 bcrypt SAFE - -
└─ golang.org/x/crypto@v0.31.0
> Called from: auth.HashPassword
══════════════════════════════════════════════════════════════════════════════
SUMMARY: 36 deps | 2 with crypto | 8 vulnerable | 2 partial
REACHABILITY: 3 confirmed | 0 reachable | 11 available-only
cryptodeps analyze . --reachability=false
Output formats
Table (default)
Human-readable terminal output with colors and formatting:
cryptodeps analyze .
JSON
Machine-readable output for automation:
cryptodeps analyze . --format json
cryptodeps analyze . --format json | jq '.dependencies[] | select(.analysis.crypto != null)'
CycloneDX CBOM
Cryptographic Bill of Materials for compliance (OMB M-23-02, CNSA 2.0):
cryptodeps analyze . --format cbom > crypto-bom.json
SARIF
GitHub Security tab integration:
cryptodeps analyze . --format sarif > results.sarif
Markdown
Documentation and reports:
cryptodeps analyze . --format markdown > crypto-report.md
Quantum risk classification
| Risk | Quantum Threat | Examples |
|---|---|---|
| VULNERABLE | Completely broken by Shor's algorithm | RSA, ECDSA, Ed25519, ECDH, DH, DSA |
| PARTIAL | Security reduced by Grover's algorithm (halved key strength) | AES-128, SHA-256, HMAC-SHA256 |
| SAFE | Maintains security against known quantum attacks | AES-256, SHA-384+, ChaCha20, Argon2 |
CNSA 2.0 compliance timeline
| Timeline | Requirement |
|---|---|
| 2025 | Begin hybrid implementations |
| 2027 | Complete hybrid transition for key establishment |
| 2030 | Complete migration to pure PQC |
| 2033 | Sunset classical algorithms |
Remediation guidance
CryptoDeps provides intelligent, context-aware remediation recommendations:
For JWT algorithms
| Current | Recommendation |
|---|---|
| RS256/RS384/RS512 | Wait for PQ-JWT standards; use HS256/HS512 if symmetric is acceptable |
| ES256/ES384/ES512 | Same, ECDSA is quantum-vulnerable |
| HS256 | Adequate for most use cases; optionally upgrade to HS512 |
| HS512 | Already quantum-safe, no action needed |
For signatures
| Current | Recommendation | NIST Standard |
|---|---|---|
| RSA | Migrate to ML-DSA | FIPS 204 |
| ECDSA | Migrate to ML-DSA | FIPS 204 |
| Ed25519 | Plan migration to ML-DSA; prioritize long-lived signatures | FIPS 204 |
Recommended PQC libraries
| Ecosystem | Library |
|---|---|
| Go | github.com/cloudflare/circl |
| JavaScript/npm | @noble/post-quantum |
| Python | pqcrypto, liboqs-python |
| Java | org.bouncycastle:bcprov-jdk18on |
CI/CD integration
GitHub Actions
name: Quantum Security Scan
on:
push:
branches: [main]
pull_request:
branches: [main]
permissions:
security-events: write
contents: read
jobs:
cryptodeps:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Setup Go
uses: actions/setup-go@v5
with:
go-version: '1.22'
- name: Install CryptoDeps
run: |
git clone --depth 1 https://github.com/csnp/cryptodeps.git
cd cryptodeps && go build -o /usr/local/bin/cryptodeps ./cmd/cryptodeps
- name: Run Crypto Analysis
run: cryptodeps analyze . --format sarif > cryptodeps.sarif
continue-on-error: true
- name: Upload SARIF
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: cryptodeps.sarif
- name: Fail on Vulnerable Crypto
run: cryptodeps analyze . --fail-on vulnerable
Exit codes
| Code | Meaning | Trigger |
|---|---|---|
| 0 | Success | No findings matching --fail-on threshold |
| 1 | Vulnerable | Quantum-vulnerable crypto detected |
| 2 | Error | Analysis failed (invalid manifest, network error) |
| 3 | Partial | Partial-risk crypto detected (with --fail-on partial) |
Command reference
USAGE:
cryptodeps <command> [flags]
COMMANDS:
analyze Analyze project dependencies for cryptographic usage
update Download latest crypto knowledge database
status Show database statistics and cache info
version Print version information
ANALYZE FLAGS:
-f, --format string Output format: table, json, cbom, sarif, markdown (default "table")
--fail-on string Fail threshold: vulnerable, partial, any, none (default "vulnerable")
--reachability Analyze call graph for actual crypto usage (default true, Go only)
--no-workspaces Disable workspace discovery, scan only the specified manifest
--deep Force AST analysis for packages not in database
--offline Use only local database, skip auto-updates
--risk string Filter by risk: vulnerable, partial, all
--min-severity string Minimum severity to report
EXAMPLES:
cryptodeps analyze . # Analyze current directory (all workspaces)
cryptodeps analyze . --no-workspaces # Single manifest only
cryptodeps analyze ./go.mod # Specific manifest
cryptodeps analyze hashicorp/vault # GitHub repository
cryptodeps analyze . --format cbom # Generate CBOM
cryptodeps analyze . --fail-on vulnerable # CI/CD gate
cryptodeps analyze . --reachability=false # Skip call graph analysis
cryptodeps update # Update crypto database
Ready to secure your dependencies?
Stop guessing. Know precisely where your quantum risk lies. CryptoDeps is free, open source, and takes just minutes to set up.
View on GitHub Take QRAMM AssessmentRelated resources
- CryptoScan Guide - Discover crypto in your source code
- Cryptographic Inventory Guide - Best practices for maintaining crypto inventories
- Quantum Risk Management - Framework for assessing quantum threats
- Harvest Now, Decrypt Later - Understanding the HNDL threat
- Algorithm Selection Guide - Choosing the right algorithms by use case