Why Cryptographic Discovery Matters

The first step in any quantum readiness journey is understanding what cryptographic assets exist in your organization. You can't protect what you can't see.

The Harvest Now, Decrypt Later Threat

Adversaries can record encrypted traffic and stored ciphertext today and decrypt it once a cryptographically relevant quantum computer exists. Data that must stay confidential for years (health records, financial data, trade secrets) is the most exposed, because its value outlives the algorithms protecting it.

Most organizations have little visibility into where cryptography is used across their code, configuration and dependencies.

CryptoScan addresses this by scanning your codebase automatically and producing an inventory of the cryptographic assets it detects, each classified by quantum risk level.

What is CryptoScan

CryptoScan is an open-source cryptographic discovery tool designed for the post-quantum era. It scans codebases to identify cryptographic algorithms, keys, configurations, and dependencies.

50+ Detection Patterns

Detects RSA, ECDSA, AES, DES, MD5, SHA-1, TLS configurations, private keys, and more across multiple languages.

Quantum Risk Classification

Every finding is classified as Vulnerable, Partial Risk, Safe, or Unknown based on quantum threat level.

Multiple Output Formats

Generate reports in text, JSON, CSV, SARIF (for GitHub Security), and CBOM (Cryptographic Bill of Materials).

Remote Repository Scanning

Scan remote Git repositories directly by URL without cloning locally.

Getting Started

Installation

Install CryptoScan with Go. The binary lands in $(go env GOPATH)/bin, which must be on your PATH for the commands below to work:

# Install via Go
go install github.com/csnp/qramm-cryptoscan/cmd/cryptoscan@latest

# Or clone and build from source
git clone https://github.com/csnp/qramm-cryptoscan.git
cd qramm-cryptoscan
go build -o cryptoscan ./cmd/cryptoscan

Basic Usage

Scan a local directory:

# Scan current directory
cryptoscan scan .

# Scan a specific path
cryptoscan scan /path/to/your/project

# Scan a remote Git repository
cryptoscan scan https://github.com/org/repo.git

Common Options

# Focus on critical and high severity issues
cryptoscan scan . --min-severity high

# Output as JSON for automation
cryptoscan scan . --format json --output findings.json

# Generate SARIF for GitHub Security
cryptoscan scan . --format sarif --output results.sarif

# Generate Cryptographic Bill of Materials
cryptoscan scan . --format cbom --output crypto-bom.json

# Group findings by file
cryptoscan scan . --group-by file

# Show source code context
cryptoscan scan . --context 5

Understanding Quantum Risk Levels

CryptoScan classifies every cryptographic finding by its vulnerability to quantum attacks:

Risk Level: VULNERABLE
  Meaning: Broken outright by Shor's algorithm on a sufficiently large quantum computer
  Examples: RSA, ECDSA, DSA, DH, ECDH
  Action required: Plan migration to PQC algorithms

Risk Level: PARTIAL
  Meaning: Weakened by Grover's algorithm; effective security roughly halved
  Examples: AES-128, SHA-256
  Action required: Double key sizes (AES-128 to AES-256)

Risk Level: SAFE
  Meaning: Quantum-resistant, or with enough margin to remain adequate
  Examples: AES-256, SHA-384, SHA-512
  Action required: No immediate action needed

Risk Level: UNKNOWN
  Meaning: Requires manual review
  Examples: Custom implementations, unclear contexts
  Action required: Investigate and classify

Grover's speedup is only quadratic: exhaustive search of a 128-bit key costs on the order of 2^64 quantum operations rather than 2^128. That is why the remedy for PARTIAL findings is a larger parameter rather than a different algorithm, and why they rank below VULNERABLE findings in any migration plan.

Why RSA is Vulnerable

RSA's security rests on the difficulty of factoring large integers. Shor's algorithm, run on a sufficiently large fault-tolerant quantum computer, factors them in polynomial time, so a larger key only adds a polynomial amount of work instead of preventing the attack; both RSA encryption and RSA signatures fall. The same algorithm solves discrete logarithms, which is why DSA, DH, ECDSA and ECDH sit in the same row of the table.

Output Formats

SARIF (GitHub Security Integration)

SARIF (Static Analysis Results Interchange Format) is the format GitHub code scanning ingests, so uploaded findings appear in the repository's Security tab:

cryptoscan scan . --format sarif --output results.sarif

Upload it with the CodeQL upload-sarif action. The job needs the security-events: write permission, which a restricted default GITHUB_TOKEN does not grant; uploading surfaces findings in the Security tab but does not by itself fail the job:

# .github/workflows/crypto-scan.yml
name: Crypto Scan
on: [push, pull_request]

# upload-sarif writes to code scanning, which requires security-events: write.
permissions:
  contents: read
  security-events: write

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install CryptoScan
        run: go install github.com/csnp/qramm-cryptoscan/cmd/cryptoscan@latest

      - name: Run Scan
        run: cryptoscan scan . --format sarif --output results.sarif

      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif

CBOM (Cryptographic Bill of Materials)

Generate a CycloneDX-compatible CBOM for compliance and supply chain transparency:

cryptoscan scan . --format cbom --output crypto-bom.json

CBOMs are increasingly required for software supply chain compliance, particularly in government and regulated industries.

CI/CD Integration

Integrate CryptoScan into your CI/CD pipeline to catch cryptographic issues before they reach production:

GitHub Actions

name: Security Scan
on: [push, pull_request]

# Required for upload-sarif to write code scanning results.
permissions:
  contents: read
  security-events: write

jobs:
  crypto-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Setup Go
        uses: actions/setup-go@v5
        with:
          go-version: '1.21'

      - name: Install CryptoScan
        run: go install github.com/csnp/qramm-cryptoscan/cmd/cryptoscan@latest

      - name: Run CryptoScan
        run: cryptoscan scan . --min-severity high --format sarif --output crypto.sarif

      - name: Upload Results
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: crypto.sarif
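Uploading SARIF makes findings visible, but upload-sarif never fails the job, so a pipeline that is meant to block merges needs a gate step that reads the same file. The script below is an added example, not part of CryptoScan; it depends only on the SARIF 2.1.0 layout (runs[].results[] with ruleId, level, message and locations), including the spec's rule that a result without an explicit level inherits its rule's defaultConfiguration.level and otherwise counts as a warning. The embedded SARIF document, its rule ids and its file paths are constructed for illustration and are not CryptoScan's real rule identifiers.

```python
"""Gate a CI job on a SARIF 2.1.0 results file (added example, not CryptoScan code)."""
import json
import sys
from collections import Counter

# Constructed SARIF sample: rule ids and paths are illustrative only.
SAMPLE_SARIF = r'''{
  "version": "2.1.0",
  "runs": [{
    "tool": {"driver": {"name": "cryptoscan", "rules": [
      {"id": "rsa-private-key", "defaultConfiguration": {"level": "error"}},
      {"id": "aes-128-cipher", "defaultConfiguration": {"level": "warning"}},
      {"id": "sha1-digest", "defaultConfiguration": {"level": "error"}}
    ]}},
    "results": [
      {"ruleId": "rsa-private-key", "level": "error",
       "message": {"text": "RSA private key material"},
       "locations": [{"physicalLocation": {
         "artifactLocation": {"uri": "internal/auth/keys.go"},
         "region": {"startLine": 42}}}]},
      {"ruleId": "aes-128-cipher",
       "message": {"text": "AES-128 selected"},
       "locations": [{"physicalLocation": {
         "artifactLocation": {"uri": "internal/store/crypt.go"},
         "region": {"startLine": 17}}}]},
      {"ruleId": "sha1-digest", "level": "note",
       "message": {"text": "SHA-1 used for a non-security checksum"},
       "locations": [{"physicalLocation": {
         "artifactLocation": {"uri": "tools/checksum.go"},
         "region": {"startLine": 9}}}]}
    ]
  }]
}'''


def load_findings(sarif_text):
    """Flatten a SARIF document into (level, rule_id, uri, line, message) tuples.

    A result without "level" inherits its rule's defaultConfiguration.level,
    and "warning" when neither is present (SARIF 2.1.0 semantics).
    """
    doc = json.loads(sarif_text)
    if doc.get("version") != "2.1.0":
        raise ValueError(f"unsupported SARIF version {doc.get('version')!r}")
    findings = []
    for run in doc.get("runs", []):
        rules = {r["id"]: r for r in run.get("tool", {}).get("driver", {}).get("rules", [])}
        for res in run.get("results", []):
            rule_id = res.get("ruleId", "")
            level = res.get("level") or rules.get(rule_id, {}).get(
                "defaultConfiguration", {}).get("level", "warning")
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            uri = loc.get("artifactLocation", {}).get("uri", "<unknown>")
            line = loc.get("region", {}).get("startLine", 0)
            findings.append((level, rule_id, uri, line, res.get("message", {}).get("text", "")))
    return findings


def summarize(findings):
    """Count findings per SARIF level (error / warning / note / none)."""
    return Counter(level for level, *_ in findings)


def blocking(findings, fail_on=("error",)):
    """Findings that should fail the job, sorted for stable log output."""
    return sorted(f for f in findings if f[0] in fail_on)


def gate(sarif_text, fail_on=("error",)):
    """Exit code for the CI step: 1 if any blocking finding exists, else 0."""
    return 1 if blocking(load_findings(sarif_text), fail_on) else 0


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_SARIF
    found = load_findings(text)
    for level, count in sorted(summarize(found).items()):
        print(f"{level:8s} {count}")
    for level, rule, uri, line, msg in blocking(found):
        print(f"BLOCK {uri}:{line} [{rule}] {msg}")
    sys.exit(gate(text))
```

Run it as a step after the upload, for example `python3 sarif_gate.py crypto.sarif` (the file name is an assumption); it exits 1 on any error-level result so the job fails while the Security tab still shows the full picture. In the constructed sample the AES-128 result carries no level and falls back to its rule's warning default, while the SHA-1 result's explicit "note" overrides its rule's error default, which is exactly the case a naive `result["level"]` lookup gets wrong.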

Pre-commit Hook

Catch issues before they are committed. Hooks under .git/hooks are not versioned, so each developer installs the script (and marks it executable with chmod +x), or you distribute it through a hook manager:

#!/bin/bash
# .git/hooks/pre-commit
#
# Scans the whole working tree, not only the staged files, and relies on
# cryptoscan exiting non-zero when findings at or above the threshold remain.

if ! cryptoscan scan . --min-severity critical; then
    echo "Critical cryptographic issues found. Please fix before committing." >&2
    exit 1
fi

Best Practices

1. Start with Discovery

Run CryptoScan across your entire codebase to establish a baseline inventory. Don't try to fix everything at once - first understand what you have.

2. Prioritize by Risk

Focus on VULNERABLE findings first, particularly those in:

3. Use Inline Ignores Sparingly

CryptoScan supports inline ignore comments for false positives:

// cryptoscan:ignore - This is test data, not a real key
key := "test-rsa-key-for-unit-tests"

Document why each ignore is added and review them periodically.
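Reviewing ignores periodically only works if each one carries a reason that can be read without opening the commit history. The script below is an added example, not part of CryptoScan: it finds every comment containing the cryptoscan:ignore marker in the form shown above (marker, optional " - reason"), flags markers whose justification is missing or too short, and exits non-zero so it can run in CI. The three sample files are constructed; the minimum of three words is an arbitrary threshold you would tune.

```python
"""Audit inline cryptoscan:ignore markers for missing justifications
(added example, not CryptoScan code)."""
import os
import re
import sys

# Marker as used on this page: "<comment> cryptoscan:ignore - reason".
# The optional trailing "*/" keeps C-style block comments clean.
MARKER = re.compile(r"cryptoscan:ignore\b[ \t]*(?:-[ \t]*)?(?P<reason>.*?)[ \t]*(?:\*/)?$")
MIN_REASON_WORDS = 3  # arbitrary threshold; tune to taste

# Constructed sample sources: one justified ignore, one bare, one with a non-reason.
SAMPLE_FILES = {
    "internal/auth/keys_test.go": (
        "package auth\n\n"
        "// cryptoscan:ignore - fixture key for unit tests, never deployed\n"
        'var testKey = "test-rsa-key-for-unit-tests"\n'
    ),
    "scripts/legacy.py": (
        "import hashlib\n"
        "# cryptoscan:ignore\n"
        "digest = hashlib.md5(data).hexdigest()\n"
    ),
    "web/app.js": (
        "/* cryptoscan:ignore - TODO */\n"
        "const h = crypto.createHash('sha1');\n"
    ),
}


def audit_text(path, text):
    """Return (path, line_no, reason, ok) for every marker in one file's text."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = MARKER.search(line)
        if not m:
            continue
        reason = m.group("reason").strip()
        ok = len(reason.split()) >= MIN_REASON_WORDS
        hits.append((path, line_no, reason, ok))
    return hits


def audit_files(files):
    """Audit a {path: text} mapping, in path order for stable output."""
    return [hit for path, text in sorted(files.items()) for hit in audit_text(path, text)]


def audit_tree(root):
    """Walk a source tree (skipping vendored and VCS directories) and audit it."""
    files = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in {".git", "node_modules", "vendor"}]
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                with open(full, encoding="utf-8", errors="ignore") as fh:
                    files[os.path.relpath(full, root)] = fh.read()
            except OSError:
                continue
    return audit_files(files)


def unjustified(hits):
    """Markers that lack an acceptable reason."""
    return [h for h in hits if not h[3]]


if __name__ == "__main__":
    hits = audit_tree(sys.argv[1]) if len(sys.argv) > 1 else audit_files(SAMPLE_FILES)
    for path, line_no, reason, ok in hits:
        print(f"{'ok ' if ok else 'FIX'} {path}:{line_no}  {reason or '<no reason given>'}")
    sys.exit(1 if unjustified(hits) else 0)
```

Pointing it at a checkout (`python3 ignore_audit.py .`, file name assumed) lists every ignore with its reason, which doubles as the review list for the periodic pass the text recommends.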

4. Integrate Early in Development

Add CryptoScan to your CI pipeline to catch issues before they accumulate. It's easier to fix one new issue than remediate hundreds of legacy findings.

5. Generate Regular Reports

Track your cryptographic posture over time:

# Generate weekly inventory
cryptoscan scan . --format cbom --output crypto-inventory-$(date +%Y%m%d).json
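A dated pile of CBOM files only becomes a trend once you diff them. The script below is an added example, not part of CryptoScan: it compares two CycloneDX CBOM snapshots, reports which cryptographic assets appeared or disappeared, histograms the algorithms by their stated NIST quantum security level, and lists the public-key, signature and key-agreement algorithms that still carry no quantum security level, which is the Shor-vulnerable set a migration plan tackles first. It relies on the CycloneDX 1.6 layout (components of type "cryptographic-asset" with cryptoProperties, algorithmProperties and evidence.occurrences), not on anything CryptoScan-specific, and the two inventories it embeds are constructed rather than real scanner output.

```python
"""Diff two CycloneDX CBOM snapshots to track cryptographic posture over time
(added example, not CryptoScan code)."""
import json
import sys
from collections import Counter


def _asset(name, asset_type, primitive=None, params=None, level=None, where=()):
    """Build one constructed cryptographic-asset component (sample data only)."""
    comp = {"type": "cryptographic-asset", "name": name,
            "cryptoProperties": {"assetType": asset_type}}
    if asset_type == "algorithm":
        props = {"primitive": primitive}
        if params is not None:
            props["parameterSetIdentifier"] = params
        if level is not None:
            props["nistQuantumSecurityLevel"] = level  # 0 = no quantum security
        comp["cryptoProperties"]["algorithmProperties"] = props
    if where:
        comp["evidence"] = {"occurrences": [
            {"location": path, "line": line} for path, line in where]}
    return comp


def _bom(components):
    return json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.6",
                       "version": 1, "components": components})


# Constructed "last week" and "this week" inventories of the same codebase.
LAST_WEEK = _bom([
    _asset("RSA", "algorithm", "pke", "2048", 0, [("internal/auth/keys.go", 42)]),
    _asset("AES", "algorithm", "block-cipher", "128", 1, [("internal/store/crypt.go", 17)]),
    _asset("SHA-1", "algorithm", "hash", None, 0, [("tools/checksum.go", 9)]),
    _asset("TLSv1.2", "protocol"),
])
THIS_WEEK = _bom([
    _asset("RSA", "algorithm", "pke", "2048", 0, [("internal/auth/keys.go", 42)]),
    _asset("AES", "algorithm", "block-cipher", "256", 5, [("internal/store/crypt.go", 17)]),
    _asset("ML-KEM", "algorithm", "kem", "768", 3, [("internal/kex/hybrid.go", 30)]),
    _asset("TLSv1.2", "protocol"),
])


def load_assets(cbom_text):
    """Index cryptographic assets by (assetType, name, parameterSetIdentifier)."""
    doc = json.loads(cbom_text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    assets = {}
    for comp in doc.get("components", []):
        if comp.get("type") != "cryptographic-asset":
            continue
        props = comp.get("cryptoProperties", {})
        algo = props.get("algorithmProperties", {})
        key = (props.get("assetType", "unknown"), comp.get("name", ""),
               algo.get("parameterSetIdentifier", ""))
        assets[key] = {
            "primitive": algo.get("primitive"),
            "level": algo.get("nistQuantumSecurityLevel"),  # None if not stated
            "where": [(o.get("location"), o.get("line"))
                      for o in comp.get("evidence", {}).get("occurrences", [])],
        }
    return assets


def diff_assets(old, new):
    """Return (added, removed) asset keys between two snapshots."""
    return sorted(set(new) - set(old)), sorted(set(old) - set(new))


def level_histogram(assets):
    """Count algorithms per NIST quantum security level (None = not stated)."""
    return Counter(a["level"] for (kind, *_), a in assets.items() if kind == "algorithm")


def quantum_vulnerable(assets):
    """Public-key, signature and key-agreement algorithms with no quantum
    security level: the Shor-broken set to migrate first."""
    shor_broken = {"pke", "signature", "key-agree"}
    return sorted(k for k, a in assets.items()
                  if a["primitive"] in shor_broken and not a["level"])


def main(argv):
    if len(argv) == 3:
        with open(argv[1], encoding="utf-8") as a, open(argv[2], encoding="utf-8") as b:
            old, new = load_assets(a.read()), load_assets(b.read())
    else:
        old, new = load_assets(LAST_WEEK), load_assets(THIS_WEEK)
    added, removed = diff_assets(old, new)
    for key in added:
        print("ADDED  ", key, new[key]["where"])
    for key in removed:
        print("REMOVED", key, old[key]["where"])
    for level, count in sorted(level_histogram(new).items(),
                               key=lambda kv: -1 if kv[0] is None else kv[0]):
        print(f"quantum security level {level}: {count} algorithm(s)")
    print("still Shor-vulnerable:", quantum_vulnerable(new))


if __name__ == "__main__":
    main(sys.argv)
```

With the weekly files from the command above, `python3 cbom_diff.py crypto-inventory-20240101.json crypto-inventory-20240108.json` (file names assumed) shows the AES-128 to AES-256 move and the new ML-KEM usage as added and removed assets, and keeps RSA-2048 on the Shor-vulnerable list until it is actually replaced. Assets are keyed by name plus parameter set, so a key-size change shows up as one removal and one addition rather than silently disappearing.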

Ready to Discover Your Cryptographic Assets?

Get started with CryptoScan today - it's free, open source, and takes just minutes to set up.

