Skip to main content

Output Formats

Select a format with --format:

pqc-check ./my-project --format <console|json|sarif|cyclonedx-cbom|pdf-report>

Console (default)

Human-readable, colored output grouped by risk. Use --show-low to include LOW findings and --quiet for CI-friendly output without the banner.

pqc-check ./my-project
pqc-check ./my-project --quiet --show-low

Exit codes: 1 if any HIGH or MEDIUM findings, 0 otherwise, 2 on error.

JSON

Stable machine-readable output for scripting and custom integrations.

pqc-check ./my-project --format json > findings.json

SARIF 2.1.0

SARIF is the OASIS standard for static analysis output. Pipe it straight into GitHub Code Scanning:

# .github/workflows/pqc-check.yml
- run: npx pqc-check . --format sarif > pqc-results.sarif
- uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: pqc-results.sarif

Each finding maps to a SARIF result with a ruleId, risk-mapped level (HIGH→error, MEDIUM→warning, LOW→note), and a source physicalLocation.

CycloneDX CBOM

--format cyclonedx-cbom emits a CycloneDX 1.6 Cryptographic Bill of Materials (CBOM) aligned to NIST IR 8413 — the cryptographic-inventory format federal agencies use to satisfy OMB M-23-02.

pqc-check ./my-project --format cyclonedx-cbom > cbom.json

Each finding becomes a cryptographic-asset component:

{
"bomFormat": "CycloneDX", "specVersion": "1.6",
"components": [{
"type": "cryptographic-asset",
"name": "RSA-2048",
"cryptoProperties": {
"assetType": "algorithm",
"algorithmProperties": {
"primitive": "pke",
"cryptoFunctions": ["keygen"],
"parameterSetIdentifier": "2048",
"nistQuantumSecurityLevel": 0
}
},
"evidence": { "occurrences": [{ "location": "src/auth.py:4:7" }] }
}]
}

Every flagged algorithm is quantum-vulnerable, so nistQuantumSecurityLevel is 0 for all emitted assets.

PDF report

--format pdf-report generates a federal-reporting-ready PDF structured around the seven OMB M-23-02 sections. See the dedicated OMB M-23-02 PDF Report page.

pqc-check ./my-project --format pdf-report \
--agency "Department of Examples" --system "Auth Service" > report.pdf

Reproducible output

--reproducible makes pdf-report and cyclonedx-cbom byte-identical for the same scan (it fixes PDF metadata dates + file ID, derives the CBOM serial from content, and omits all wall-clock timestamps) — useful for CI diffing and federal review.

pqc-check ./my-project --format pdf-report --reproducible --agency A --system B > report.pdf