Open-source tool
pqc-audit
Scan any codebase for cryptographic primitives vulnerable to quantum attacks and get a concrete migration report. Zero dependencies, works on six languages, MIT-licensed.
Don't want to install? Try it in your browser.
Paste any code. Findings appear instantly. Your code never leaves the page.
Install & run (full-codebase walks, CI gating)
pip install pqc-audit
pqc-audit path/to/your/codebase
Pure Python stdlib, no runtime dependencies. Python 3.10+.
Sample output
======================================================================
POST-QUANTUM CRYPTOGRAPHIC AUDIT
======================================================================
Total findings: 14
Shor-vulnerable: 11
Grover-weakened: 3
----------------------------------------------------------------------
[SHOR-VULNERABLE] 11 finding(s)
----------------------------------------------------------------------
RSA: 4 occurrences
→ Replace with ML-DSA-65 (signatures) or ML-KEM-768 (encryption).
src/auth/keys.py:12 → from cryptography.hazmat.primitives.asymmetric import rsa
src/auth/certs.py:8 → RSA_generate_key_ex(key, 2048, bn, NULL);
config/server.crt:1 → -----BEGIN RSA PRIVATE KEY-----
ECDSA/ECDH: 5 occurrences
→ Replace with ML-DSA-65 + ML-KEM-768 (hybrid with X25519 during migration).
api/session.js:42 → crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
What it finds
Shor-vulnerable (replace outright)
- RSA (all key sizes)
- ECDSA, ECDH, EdDSA
- Ed25519 / Ed448 / X25519 / X448
- Diffie-Hellman, DSA
- PEM / certificate files with vulnerable keys
Grover-weakened (double the key size)
- AES-128 — upgrade to AES-256
- MD5 (already broken classically)
- SHA-1 (already broken classically)
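A minimal sketch of the two-category classification listed above, with a CI-style gate in the spirit of the --fail-on step shown on this page. This is an added example, not pqc-audit's own code: the regex patterns, the scan and gate functions, and the sample files are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Illustrative patterns (assumptions), not pqc-audit's actual rule set.
I = re.IGNORECASE
RULES = [
    ("shor-vulnerable", "RSA", re.compile(r"(?<![a-z0-9])rsa(?![a-z0-9])", I)),
    ("shor-vulnerable", "ECDSA/ECDH",
     re.compile(r"ecdsa|ecdh|generateKeyPairSync\(\s*['\"]ec['\"]", I)),
    ("shor-vulnerable", "EdDSA/X25519", re.compile(r"eddsa|ed25519|ed448|x25519|x448", I)),
    ("shor-vulnerable", "DH/DSA",
     re.compile(r"diffie[-_ ]?hellman|(?<![a-z0-9])dsa(?![a-z0-9])", I)),
    ("grover-weakened", "AES-128", re.compile(r"aes[-_]?128", I)),
    ("grover-weakened", "MD5", re.compile(r"(?<![a-z0-9])md5(?![0-9])", I)),
    ("grover-weakened", "SHA-1", re.compile(r"(?<![a-z0-9])sha-?1(?![0-9])", I)),
]

def scan(files):
    """Return (category, primitive, path, line_no, text), one per rule per line."""
    findings = []
    for path, text in files.items():
        for no, line in enumerate(text.splitlines(), 1):
            for category, primitive, pattern in RULES:
                if pattern.search(line):
                    findings.append((category, primitive, path, no, line.strip()))
    return findings

def gate(findings, fail_on):
    """Exit status for a CI step: 1 if any finding is in the fail_on category."""
    return 1 if any(f[0] == fail_on for f in findings) else 0

# Constructed sample input; the first three lines echo the page's sample output.
SAMPLE = {
    "src/auth/keys.py": "from cryptography.hazmat.primitives.asymmetric import rsa\n",
    "src/auth/certs.py": "RSA_generate_key_ex(key, 2048, bn, NULL);\n",
    "api/session.js": "crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });\n",
    "src/store.py": "cipher = AES.new(key, AES.MODE_GCM)  # AES-128 key\n"
                    "digest = hashlib.md5(blob).hexdigest()\n",
    "src/util.py": "parsed = universal_parser(args)\n",  # 'rsa' inside a word; must not match
}

if __name__ == "__main__":
    found = scan(SAMPLE)
    for category, primitive, path, no, text in found:
        print(f"[{category.upper()}] {primitive}: {path}:{no} -> {text}")
    print(Counter(f[0] for f in found))
    raise SystemExit(gate(found, "shor-vulnerable"))
```

The lookaround guards keep short tokens such as rsa and dsa from matching inside ordinary identifiers, which is the main source of noise in pattern-based crypto inventories.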
Languages covered
Python · JavaScript / TypeScript · Go · Rust · Java · C / C++
Plus config files: PEM, wrangler.toml, Cargo.toml,
go.mod, package.json, nginx, Apache.
Gate your PRs
Use the included GitHub Action to block pull requests that introduce new quantum-vulnerable primitives:
- name: PQC audit
  run: |
    pip install pqc-audit
    pqc-audit --fail-on shor-vulnerable .
Go deeper
- 📖 Tutorial: Post-Quantum Cryptography Threat Model — the Shor/Grover threat model and NIST standardization.
- 📖 Tutorial: ML-KEM and ML-DSA in Practice — runnable Python + hybrid TLS 1.3 with OpenSSL 3.5.
- 📖 Tutorial: Auditing a Codebase for Y2Q Readiness — how the scanner works, every detection pattern explained, plus a client-ready migration report template.
Need help with a real migration?
The scanner is the starting point. A proper engagement includes risk prioritization, dependency mapping, performance measurement, hybrid-TLS rollout plans, and compliance-documentation updates.
For a 4-week audit engagement producing a CISO-ready migration plan, email [email protected].