Output Formats
Select a format with --format:
pqc-check ./my-project --format <console|json|sarif|cyclonedx-cbom|pdf-report>
Console (default)
Human-readable, colored output grouped by risk. Use --show-low to include LOW
findings and --quiet for CI-friendly output without the banner.
pqc-check ./my-project
pqc-check ./my-project --quiet --show-low
Exit codes: 1 if any HIGH or MEDIUM findings, 0 otherwise, 2 on error.
JSON
Stable machine-readable output for scripting and custom integrations.
pqc-check ./my-project --format json > findings.json
SARIF 2.1.0
SARIF is the OASIS standard for static analysis output. Pipe it straight into GitHub Code Scanning:
# .github/workflows/pqc-check.yml
- run: npx pqc-check . --format sarif > pqc-results.sarif
- uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: pqc-results.sarif
Each finding maps to a SARIF result with a ruleId, risk-mapped level
(HIGH→error, MEDIUM→warning, LOW→note), and a source physicalLocation.
CycloneDX CBOM
--format cyclonedx-cbom emits a CycloneDX 1.6 Cryptographic Bill of
Materials (CBOM) aligned to NIST IR 8413 — the cryptographic-inventory
format federal agencies use to satisfy OMB M-23-02.
pqc-check ./my-project --format cyclonedx-cbom > cbom.json
Each finding becomes a cryptographic-asset component:
{
"bomFormat": "CycloneDX", "specVersion": "1.6",
"components": [{
"type": "cryptographic-asset",
"name": "RSA-2048",
"cryptoProperties": {
"assetType": "algorithm",
"algorithmProperties": {
"primitive": "pke",
"cryptoFunctions": ["keygen"],
"parameterSetIdentifier": "2048",
"nistQuantumSecurityLevel": 0
}
},
"evidence": { "occurrences": [{ "location": "src/auth.py:4:7" }] }
}]
}
Every flagged algorithm is quantum-vulnerable, so nistQuantumSecurityLevel is
0 for all emitted assets.
PDF report
--format pdf-report generates a federal-reporting-ready PDF structured around
the seven OMB M-23-02 sections. See the dedicated
OMB M-23-02 PDF Report page.
pqc-check ./my-project --format pdf-report \
--agency "Department of Examples" --system "Auth Service" > report.pdf
Reproducible output
--reproducible makes pdf-report and cyclonedx-cbom byte-identical for
the same scan (it fixes PDF metadata dates + file ID, derives the CBOM serial
from content, and omits all wall-clock timestamps) — useful for CI diffing and
federal review.
pqc-check ./my-project --format pdf-report --reproducible --agency A --system B > report.pdf