quantumscan-io/scanner-core
# scanner-core
[CI](https://github.com/quantumscan-io/scanner-core/actions/workflows/ci.yml) · [License](LICENSE) · [npm](https://www.npmjs.com/package/quantumscan) · [Compliance](#compliance) · [Stargazers](https://github.com/quantumscan-io/scanner-core/stargazers)
## Quick start
No install required. Run directly with npx:

```bash
npx quantumscan .            # scan current directory
npx quantumscan ./src        # scan specific path
npx quantumscan . --json     # JSON output for CI/CD
npx quantumscan . --sarif    # SARIF 2.1.0 output (GitHub Security tab)
npx quantumscan . --badge    # print README badge markdown
npx quantumscan . --no-deps  # skip dependency scanning
npx quantumscan . --no-fail  # exit 0 even with findings
```
Example output:

```text
QuantumScan v1.0.0  Post-Quantum Cryptography Scanner
https://quantumscan.io
──────────────────────────────────────────────────────────
Path     /your/project
Files    312 total · 87 scannable

🔴 CRITICAL  3 findings
   auth/session.js:14   MD5       `md5(`
   lib/crypto.js:88     AES-ECB   `AES/ECB/`
   config/tls.js:5      TLS 1.0   `TLSv1.0`

🟠 HIGH      5 findings
   auth/jwt.js:22       RSA       `RSA.generate(`
   lib/keys.js:41       ECDSA     `ECDSA`
   ...
──────────────────────────────────────────────────────────
Risk Score  68/100  High Risk
Migrate to: ML-KEM (FIPS 203) · ML-DSA (FIPS 204)
Required by NIST, DORA, NIS2, CNSA 2.0 — deadline 2030.
Full AI analysis + migration guides → https://quantumscan.io
```
## Suppressing false positives
Add `// quantumscan-ignore` (or `# quantumscan-ignore` for Python/Ruby) to the end of a line, or on the line before it, to suppress that specific finding:
```python
# This constant is only used in validation tests — not a real crypto call
REJECTED_ALGO = "RS256"  # quantumscan-ignore

# Or suppress the next line:
# quantumscan-ignore
legacy_hash = hashlib.sha1(nonce)  # test vector, no security impact
```
Works in all supported languages. One suppression per line — does not disable the whole file.
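The suppression logic described above, as an added example that is not scanner-core's own code: a small line scanner that applies a handful of the patterns from this README's severity table and honours `quantumscan-ignore` at the end of a line or on a marker-only line directly above it. The treatment of a trailing marker as covering only its own line is an assumption.

```javascript
// Added example, not scanner-core's own code: a minimal line scanner using a
// few patterns from this README's severity table, honouring `quantumscan-ignore`
// either at the end of a line or on a marker-only line directly above it.
const RULES = [
  { id: "MD5", severity: "CRITICAL", re: /\bmd5\(/i },
  { id: "SHA-1", severity: "CRITICAL", re: /\bsha1\(/i },
  { id: "AES-ECB", severity: "CRITICAL", re: /AES\/ECB\// },
  { id: "TLS 1.0", severity: "CRITICAL", re: /TLSv1\.0\b/ },
  { id: "RSA", severity: "HIGH", re: /\bRSA\.generate\(|\bRS256\b/ },
  { id: "ECDSA", severity: "HIGH", re: /\bECDSA\b/ },
];

// `// quantumscan-ignore` or `# quantumscan-ignore` anywhere on the line.
const INLINE_MARKER = /(?:\/\/|#)\s*quantumscan-ignore\b/;
// A line holding nothing but the marker suppresses the next line (assumption:
// a trailing marker on a line that also has code suppresses only that line).
const STANDALONE_MARKER = /^\s*(?:\/\/|#)\s*quantumscan-ignore\b\s*$/;

function scanSource(path, source) {
  const lines = source.split(/\r?\n/);
  const findings = [];
  lines.forEach((line, i) => {
    const suppressed =
      INLINE_MARKER.test(line) || (i > 0 && STANDALONE_MARKER.test(lines[i - 1]));
    for (const rule of RULES) {
      const m = rule.re.exec(line);
      if (m && !suppressed) {
        findings.push({ path, line: i + 1, rule: rule.id, severity: rule.severity, snippet: m[0] });
      }
    }
  });
  return findings;
}

// Count findings per severity, as the CLI summary does.
function countBySeverity(findings) {
  return findings.reduce((acc, f) => ({ ...acc, [f.severity]: (acc[f.severity] || 0) + 1 }), {});
}

// Constructed sample mixing the README's own snippets (not a real file).
const SAMPLE = [
  "const h = md5(password);",
  'const c = Cipher.getInstance("AES/ECB/PKCS5Padding");',
  'REJECTED_ALGO = "RS256"  # quantumscan-ignore',
  "# quantumscan-ignore",
  "legacy_hash = hashlib.sha1(nonce)",
  "const key = RSA.generate(2048);",
].join("\n");

console.log(scanSource("auth/session.js", SAMPLE)); // 3 findings: MD5, AES-ECB, RSA
```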
## Dependency scanning
scanner-core automatically scans your package manifests for dependencies that use quantum-vulnerable cryptography:
| Manifest | Ecosystem |
|---|---|
| `package.json` | npm |
| `requirements.txt` | Python / pip |
| `go.mod` | Go modules |
| `Cargo.toml` | Rust / crates.io |
| `pom.xml` | Java / Maven |
Example output:

```text
📦 DEPENDENCIES  3 vulnerable package(s)
   package.json       elliptic         Elliptic curve crypto (secp256k1, P-256)
                      → ml-kem / ml-dsa
   requirements.txt   ecdsa==0.19.0    Pure ECDSA — named after the broken algo
                      → pqcrypto (dilithium)
```
To skip dependency scanning: `npx quantumscan . --no-deps`
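An added example of the manifest step, not scanner-core's own code: it parses the two most common manifests from the table above and flags dependencies that appear on a watch list. The watch list is constructed from the README's example output only; the real engine's list and parsing rules are not shown on this page.

```javascript
// Added example, not scanner-core's own code: parse package.json and
// requirements.txt and flag dependencies on a watch list. The watch list is
// constructed from the README's example output only.
const WATCH = {
  npm: { elliptic: { why: "Elliptic curve crypto (secp256k1, P-256)", migrate: "ml-kem / ml-dsa" } },
  pip: { ecdsa: { why: "Pure ECDSA", migrate: "pqcrypto (dilithium)" } },
};

function parseManifest(file, text) {
  if (file === "package.json") {
    const pkg = JSON.parse(text);
    const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
    return Object.entries(deps).map(([name, version]) => ({ ecosystem: "npm", name, version }));
  }
  if (file === "requirements.txt") {
    return text
      .split(/\r?\n/)
      .map((l) => l.replace(/#.*/, "").trim())    // strip comments
      .filter((l) => l && !l.startsWith("-"))      // skip blanks and -r/-e options
      .map((l) => {
        const m = /^([A-Za-z0-9_.-]+)\s*(?:==|>=|<=|~=|!=|>|<)?\s*(.*)$/.exec(l);
        // pip treats names case-insensitively with `_` and `-` as equivalent
        return m && { ecosystem: "pip", name: m[1].toLowerCase().replace(/_/g, "-"), version: m[2] || "*" };
      })
      .filter(Boolean);
  }
  throw new Error(`unsupported manifest: ${file}`);
}

function scanDependencies(manifests) {
  const hits = [];
  for (const [file, text] of Object.entries(manifests)) {
    for (const dep of parseManifest(file, text)) {
      const entry = WATCH[dep.ecosystem][dep.name];
      if (entry) hits.push({ file, name: dep.name, version: dep.version, ...entry });
    }
  }
  return hits;
}

// Constructed manifests (not a real project).
const MANIFESTS = {
  "package.json": JSON.stringify({ dependencies: { elliptic: "^6.5.4", express: "^4.18.0" } }),
  "requirements.txt": "requests>=2.0\necdsa==0.19.0  # request signing\n",
};

console.log(scanDependencies(MANIFESTS)); // elliptic and ecdsa flagged
```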
## SARIF output (GitHub Security tab)
Use `--sarif` to output [SARIF 2.1.0](https://sarifweb.azurewebsites.net/) format — the standard consumed by GitHub Security, GitLab SAST, VS Code, and most DevSecOps pipelines:
```bash
npx quantumscan . --sarif > results.sarif
```

**GitHub Actions integration** — upload to Security tab:

```yaml
- name: Scan for quantum-vulnerable crypto
  run: npx quantumscan . --sarif --no-fail > results.sarif
- name: Upload SARIF
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: results.sarif
```
After the workflow runs, findings appear under **Security → Code scanning** in your repository.
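To show what the `--sarif` output has to contain for the upload step above to work, here is an added example (not scanner-core's own code) that serialises a findings list into a minimal SARIF 2.1.0 log. The severity-to-level mapping and the `security-severity` scores are assumptions; the sample findings are constructed from the README's example output.

```javascript
// Added example, not scanner-core's own code: serialise findings into a
// minimal SARIF 2.1.0 log of the shape GitHub code scanning ingests.
// Severity-to-level mapping and security-severity scores are assumptions.
const LEVEL = { CRITICAL: "error", HIGH: "error", MEDIUM: "warning", LOW: "note" };
const SCORE = { CRITICAL: "9.0", HIGH: "7.5", MEDIUM: "5.0", LOW: "2.0" };

function toSarif(findings, tool = { name: "quantumscan", version: "1.0.0" }) {
  const rules = [];
  const ruleIndex = new Map();
  for (const f of findings) {
    if (ruleIndex.has(f.rule)) continue;
    ruleIndex.set(f.rule, rules.length);
    rules.push({
      id: f.rule,
      shortDescription: { text: `${f.rule} usage (${f.severity})` },
      defaultConfiguration: { level: LEVEL[f.severity] },
      // GitHub reads this rule property to bucket alerts by severity.
      properties: { "security-severity": SCORE[f.severity] },
    });
  }
  const results = findings.map((f) => ({
    ruleId: f.rule,
    ruleIndex: ruleIndex.get(f.rule),
    level: LEVEL[f.severity],
    message: { text: `${f.severity}: ${f.rule} detected (\`${f.snippet}\`)` },
    locations: [{
      physicalLocation: {
        // Paths are relative to the checkout root the upload action ran in.
        artifactLocation: { uri: f.path, uriBaseId: "%SRCROOT%" },
        region: { startLine: f.line },
      },
    }],
  }));
  return {
    $schema: "https://json.schemastore.org/sarif-2.1.0.json",
    version: "2.1.0",
    runs: [{ tool: { driver: { name: tool.name, version: tool.version, rules } }, results }],
  };
}

// Constructed findings taken from the README's example output.
const FINDINGS = [
  { path: "auth/session.js", line: 14, rule: "MD5", severity: "CRITICAL", snippet: "md5(" },
  { path: "lib/crypto.js", line: 88, rule: "AES-ECB", severity: "CRITICAL", snippet: "AES/ECB/" },
  { path: "auth/jwt.js", line: 22, rule: "RSA", severity: "HIGH", snippet: "RSA.generate(" },
];

console.log(JSON.stringify(toSarif(FINDINGS), null, 2)); // write this to results.sarif
```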
## Add a badge to your repo
Show your quantum-safety score directly in your README. The badge auto-updates every time you run a cloud scan at [quantumscan.io](https://quantumscan.io).
**Option 1 — Auto-generate from CLI (detects your GitHub remote):**

```bash
npx quantumscan . --badge
```

Outputs:

```text
README badge (add to your README.md):
[](https://quantumscan.io/en/scan)
```

**Option 2 — Manually:**

```markdown
[](https://quantumscan.io)
```
## Real-world scans — 2026-05-29 batch
| Repository | Platform | Risk Score | Key Finding |
|---|---|---|---|
| [tlsfuzzer/python-ecdsa](https://quantumscan.io/en/share/b8debd2c-8af8-4052-ab24-134fe4b348a8) | GitHub | **95/100** | 171 ECDSA patterns · 9 critical SHA-1 usages |
| [bitcoin/bitcoin](https://quantumscan.io/en/share/12c86aea-2652-455f-ae23-958cd92fc714) | GitHub | **89/100** | secp256k1 ECDSA in every transaction |
| [bcgit/bc-java](https://quantumscan.io/en/share/17ba30c8-d148-4f89-bcdd-8fbdc9fee588) | GitHub | **78/100** | #1 Java crypto library |
| [gnutls/gnutls](https://quantumscan.io/en/share/ef777d8a-eeae-4870-bf04-c4688e4e7804) | GitLab | **78/100** | Linux TLS stack |
| [hashicorp/vault](https://quantumscan.io/en/share/6184cf79-9dfa-4556-b524-e4789382bced) | GitHub | **73/100** | Enterprise secrets manager |
| [jpadilla/pyjwt](https://quantumscan.io/en/share/740a40df-fd8e-4700-befb-a422b3b1e69e) | GitHub | **72/100** | 36M+ PyPI downloads/month |
| [oscrypto](https://quantumscan.io/en/share/065d3505-e0ca-4e8b-9fcd-99a672e2f4fa) | ZIP | **72/100** | OS crypto bindings |
| [paragonie/halite](https://quantumscan.io/en/share/0477e2a0-6a41-45e7-9c9b-37fc711b1295) | GitHub | 72/100 | PHP high-level crypto |
| [curl/curl](https://quantumscan.io/en/share/8ac0abfb-e26d-4988-843b-5a6a0e5a776a) | GitHub | 12/100 | Mostly clean |
| spring-projects/spring-security | GitHub | 8/100 | Low exposure |
| inkscape/inkscape | GitLab | 8/100 | Low exposure |
| libvirt/libvirt · dolfin (Bitbucket) | GitLab/BB | 0/100 | Clean |
→ [Full leaderboard: quantumscan.io/leaderboard](https://quantumscan.io/leaderboard)
## What this is
`scanner-core` is the open-source detection engine behind [QuantumScan](https://quantumscan.io).
The core scanner is released as MIT-licensed open source so that:
- **Customers can audit it.** Compliance teams (banks, fintechs, govtech) can read every line, fork it, and verify that the binary running in their CI matches the published source.
- **The scan can run client-side.** The same engine runs inside the user's GitHub Actions runner — source code never leaves the customer's infrastructure.
- **The community can extend it.** Detection patterns, language support, and PQC mapping rules evolve with public review and contribution.
The hosted SaaS, dashboard, and customer-facing reports live in a separate (private) repository. This repository contains only the detection engine.
## What it detects
| Severity | Examples |
|---|---|
| **CRITICAL** | TLS < 1.2, SSLv3, MD5, SHA1, DES, 3DES, RC4, RSA < 2048 |
| **HIGH** (quantum-vulnerable) | RSA, ECDSA, ECDH, DSA, DH, NIST P-256/384/521, secp curves, Curve25519, X25519, Ed25519 |
| **MEDIUM** | AES-128, OpenSSL < 1.1, CBC mode |
| **LOW** | HMAC-SHA1, hardcoded keys in string literals |
For each finding, the engine maps a recommended NIST PQC standardized alternative:
- **ML-KEM** (FIPS 203) — key encapsulation
- **ML-DSA** (FIPS 204) — digital signatures
- **SLH-DSA** (FIPS 205) — hash-based signature fallback
## Languages supported
TypeScript / JavaScript · Python · Go · Java · Kotlin · Swift · Rust · C / C++ · C# / .NET · Ruby · PHP
## Roadmap
Contributions wanted:
- Language patterns: Go (`crypto/rsa`, `x/crypto`), Java (Bouncy Castle, `javax.crypto`)
- LATAM compliance mappings: BACEN 4.658, LGPD Art. 46, SFC Colombia, CNBV Mexico
Open an issue with label `language-patterns` or `compliance-mapping` to start.
## Compliance
- **DORA** — Article 50 cryptographic risk management
- **NIS2** — EU Network and Information Systems Directive
- **NIST PQC** — FIPS 203/204/205
- **ISO 27001** — Annex A.10 (cryptographic controls)
- **SOC 2** — CC6.7
## License
## Links
- **Website:** [quantumscan.io](https://quantumscan.io)
- **Ko-fi:** [ko-fi.com/quantumscan](https://ko-fi.com/quantumscan)
- **LinkedIn:** [linkedin.com/company/quantumscan](https://linkedin.com/company/quantumscan)
- **Org:** [github.com/quantumscan-io](https://github.com/quantumscan-io)