Skip to main content

Worked Examples

Two synthetic end-to-end examples of running pqc-check and producing an OMB M-23-02 PDF report. Agency and system names are fictional samples for illustration; the reports were generated with --reproducible, so re-running pqc-check on the same input yields a byte-identical file.

info

These examples illustrate the tool's output. They are not real agency reports and are not a compliance accreditation.

Example 1 — Customer Auth Service (single-language)

Scenario. A team owns a Python authentication service and needs to inventory its quantum-vulnerable cryptography for an OMB M-23-02 submission.

Scan.

pqc-check scan ./auth-service --format pdf-report --reproducible \
--agency "Department of Examples (sample)" --system "Customer Auth Service"

Findings. RSA-2048 key generation (HIGH, harvest-now-decrypt-later) and an ECDSA P-256 signing key (MEDIUM) — both flagged with file:line locations, ranked by migration priority, and mapped to PQC targets (RSA → ML-KEM-1024, ECDSA → ML-DSA-87).

📄 Download the report (PDF)

Example 2 — Patient Records Gateway (multi-language)

Scenario. A health agency runs a gateway with code in JavaScript, Go, and Python. It needs a single cryptographic inventory spanning all three.

Scan.

pqc-check scan ./records-gateway --format pdf-report --reproducible \
--agency "State Health Agency (sample)" --system "Patient Records Gateway"

Findings. Four quantum-vulnerable usages across the three languages — RSA-4096 key generation and an ECDH P-256 exchange (JavaScript), an ECDSA P-256 signing key (Go), and Diffie-Hellman 2048 parameters (Python). Key-establishment and encryption findings are ranked above signing in the migration-priority section, reflecting their harvest-now-decrypt-later exposure.

📄 Download the report (PDF)

Reproduce these yourself

Each report embeds a CycloneDX 1.6 CBOM (appendix) and records its SHA-256 in the methodology section. Generate the machine-readable inventory directly with:

pqc-check scan ./your-project --format cyclonedx-cbom --reproducible > cbom.json

See Output Formats and the OMB M-23-02 report reference for details.