pqc-check
pqc-check is a free, open-source (MIT) command-line scanner that finds quantum-vulnerable cryptography — RSA, ECDSA/EdDSA, Diffie-Hellman, and weak hashes — in your source code, so you know what to migrate before a cryptographically relevant quantum computer exists.
npx pqc-check ./my-project
No install, no configuration, no account, and no network access — the detection ruleset is compiled into the binary.
- npm:
pqc-check - Source: github.com/qpher/pqc-check
- License: MIT
What it finds
pqc-check statically scans for cryptographic primitives that quantum computers will break, across 9 languages (Python, JavaScript/TypeScript, Go, Java, Rust, C/C++, Ruby, PHP, and config files):
| Category | Risk | Why |
|---|---|---|
| RSA key generation / encryption | HIGH | Harvest-now-decrypt-later — captured ciphertext is decryptable once a quantum computer exists |
| Diffie-Hellman / ECDH key exchange | HIGH | Same harvest-now-decrypt-later exposure |
| RSA / ECDSA / EdDSA signing | MEDIUM | Forgeable in the quantum era (not retroactively) |
| Weak / legacy hashes | LOW | Context-dependent |
Detection coverage varies by language and is not a guarantee of quantum-safety — it is an inventory aid.
Output formats
pqc-check produces both human- and machine-readable output, including formats built for federal cryptographic-inventory workflows:
| Format | Flag | Use case |
|---|---|---|
| Console | (default) | Human-readable, colored |
| JSON | --format json | Scripting / custom integrations |
| SARIF 2.1.0 | --format sarif | GitHub Code Scanning, IDE integration |
| CycloneDX CBOM | --format cyclonedx-cbom | Cryptographic Bill of Materials (CycloneDX 1.6 / NIST IR 8413) |
| PDF report | --format pdf-report | Federal reporting-ready PDF (OMB M-23-02 structure) |
See Output Formats for the full reference.
Built for migration planning
pqc-check is the first step in moving a system off quantum-vulnerable cryptography:
- Inventory — scan, and export a CycloneDX CBOM or an OMB M-23-02 PDF report.
- Prioritize — address key establishment and encryption before signing.
- Migrate — replace RSA / ECDH with ML-KEM-1024 and RSA / ECDSA with ML-DSA-87 (e.g. via the Qpher API).
- Verify — re-scan to confirm the findings are retired.
For classified / air-gapped environments, see Air-Gapped & Classified Networks.