Introducing pqc-check: Find Quantum-Vulnerable Cryptography in Your Code

A free, open-source CLI that scans your codebase for RSA, ECDSA, DH and other algorithms that quantum computers will break. 9 languages, 48 detection patterns, zero config.

Qpher Team, March 10, 2026

Quantum computers capable of breaking RSA and elliptic-curve cryptography are no longer a distant possibility. NIST finalized its first three post-quantum cryptography standards in August 2024, and the message is clear: start migrating now.

But before you can migrate, you need to know what to migrate. That's why we built pqc-check.

What is pqc-check?

pqc-check is a free, open-source CLI tool that scans your codebase for quantum-vulnerable cryptography. One command, zero configuration:

npx pqc-check .

It finds usages of RSA, ECDSA, ECDH, DH, Ed25519, and other algorithms that a sufficiently powerful quantum computer could break using Shor's algorithm.

Why Now?

The threat isn't just about when quantum computers arrive. It's about Harvest Now, Decrypt Later (HNDL): adversaries are already collecting encrypted data today, waiting to decrypt it once quantum hardware matures.

If your application handles data that needs to remain confidential for 5+ years (financial records, health data, government communications, trade secrets), the migration clock is already ticking.

NIST's recommendation is unambiguous: begin transitioning to post-quantum algorithms immediately.

What It Finds

pqc-check classifies every finding by quantum risk level:

| Risk | What It Means | Examples |
| --- | --- | --- |
| HIGH | Broken by quantum computers via HNDL attack | RSA encryption, ECDH key exchange, DH key agreement |
| MEDIUM | Signature forgery possible post-quantum | ECDSA, Ed25519, RSA signing |
| LOW | Weakened but not broken by quantum | SHA-256 (Grover's algorithm halves security bits), MD5 (already broken classically; further weakened by Grover) |

9 Languages, 48 Patterns

pqc-check covers the languages and libraries developers actually use:

  • Python: cryptography, PyCryptodome, PyJWT
  • JavaScript/TypeScript: crypto, node-forge, jose
  • Go: crypto/rsa, crypto/ecdsa, crypto/elliptic
  • Java: javax.crypto, java.security, BouncyCastle
  • C/C++: OpenSSL EVP_*, RSA_*, EC_*
  • Rust: ring, rsa, p256
  • Ruby: OpenSSL::PKey
  • PHP: openssl_* functions
  • Config files: SSH config, OpenSSL configs, nginx TLS settings

CI/CD Integration with SARIF

pqc-check outputs SARIF (Static Analysis Results Interchange Format), which means you can integrate it directly into GitHub Code Scanning:

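# .github/workflows/pqc-check.yml
name: PQC Check
on: [push, pull_request]

jobs:
  scan:
    runs-on: ubuntu-latest
    # Least-privilege token: checkout needs contents: read, upload-sarif needs
    # security-events: write (private repositories also need actions: read)
    permissions:
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v4
      - run: npx pqc-check . --format sarif --output pqc-results.sarif
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: pqc-results.sarif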

Every quantum-vulnerable pattern shows up directly in your pull request reviews, with risk level and migration guidance.
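
To block a merge on findings of a chosen severity, a CI step can read the SARIF file and decide pass or fail. The following is an added example, not part of pqc-check or the original post. It relies only on standard SARIF 2.1.0 fields; the sample document, the rule ids and the mapping of the highest-risk findings to level "error" are assumptions constructed for illustration.

```javascript
// Added example: gate a build on SARIF 2.1.0 results by severity level.
// Assumption: the scanner reports its highest-risk findings at SARIF level "error".

// Constructed sample in standard SARIF 2.1.0 shape; rule ids and paths are made up.
const sampleSarif = {
  version: "2.1.0",
  runs: [{
    tool: { driver: { name: "example-scanner", rules: [
      { id: "EXAMPLE-RSA-ENCRYPT", defaultConfiguration: { level: "error" } },
      { id: "EXAMPLE-ECDSA-SIGN", defaultConfiguration: { level: "warning" } },
      { id: "EXAMPLE-SHA256" },
    ] } },
    results: [
      { ruleId: "EXAMPLE-RSA-ENCRYPT", ruleIndex: 0, message: { text: "RSA encryption" },
        locations: [{ physicalLocation: { artifactLocation: { uri: "src/kms.js" }, region: { startLine: 12 } } }] },
      { ruleId: "EXAMPLE-ECDSA-SIGN", level: "note", message: { text: "ECDSA signing" },
        locations: [{ physicalLocation: { artifactLocation: { uri: "src/jwt.js" }, region: { startLine: 40 } } }] },
      { ruleId: "EXAMPLE-SHA256", message: { text: "SHA-256 digest" }, locations: [] },
    ],
  }],
};

// Resolve a result's effective level: an explicit result.level wins, then the
// rule's defaultConfiguration.level, then the SARIF default of "warning".
function effectiveLevel(run, result) {
  if (result.level) return result.level;
  const rules = run.tool?.driver?.rules ?? [];
  const rule = rules[result.ruleIndex] ?? rules.find((r) => r.id === result.ruleId);
  return rule?.defaultConfiguration?.level ?? "warning";
}

// Return per-level counts plus the findings whose level is in failLevels.
function gateSarif(sarif, failLevels = ["error"]) {
  const counts = {};
  const blocking = [];
  for (const run of sarif.runs ?? []) {
    for (const result of run.results ?? []) {
      const level = effectiveLevel(run, result);
      counts[level] = (counts[level] ?? 0) + 1;
      if (!failLevels.includes(level)) continue;
      const loc = result.locations?.[0]?.physicalLocation;
      const where = loc ? `${loc.artifactLocation?.uri}:${loc.region?.startLine ?? "?"}` : "<no location>";
      blocking.push(`${result.ruleId} ${where}`);
    }
  }
  return { counts, blocking, pass: blocking.length === 0 };
}

console.log(gateSarif(sampleSarif));
```

In a pipeline, pass the parsed contents of the file written by --output to gateSarif and exit non-zero when pass is false.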

Migration Guidance Built In

Every finding includes a suggested migration path. For example, when pqc-check finds RSA encryption, it suggests:

Migrate to ML-KEM-768 (Kyber768) — NIST FIPS 203. Use Qpher's KEM API or liboqs for a quantum-resistant alternative.

For ECDSA signatures:

Migrate to ML-DSA-65 (Dilithium3) — NIST FIPS 204. Qpher's Signature API handles key management automatically.

Get Started

Install globally or run with npx:

# Scan current directory
npx pqc-check .
 
# Scan with JSON output
npx pqc-check ./src --format json
 
# Scan with SARIF for CI/CD
npx pqc-check . --format sarif --output results.sarif

The tool is MIT-licensed and available on GitHub and npm.

Already found vulnerabilities?

If pqc-check found quantum-vulnerable patterns in your code, Qpher provides post-quantum cryptography as simple REST APIs. Encrypt with ML-KEM-768 and sign with ML-DSA-65 without managing PQC infrastructure yourself.

What's Next

We're actively working on expanding pqc-check:

  • More patterns — Certificate pinning, TLS configuration, key derivation functions
  • Auto-fix suggestions — Generate migration diffs for common patterns
  • IDE integration — VS Code extension for real-time scanning

Star the repo on GitHub and join the discussion to share feedback or request features.
