Scan your code for quantum-vulnerable cryptography

pqaudit is a free, open-source CLI that detects RSA, ECDSA, Ed25519, ECDH, and other public-key algorithms that a cryptographically relevant quantum computer breaks, and tells you the NIST-approved replacement for each one.

$ npx pqaudit .

Free. Open source. MIT licensed. No signup required.

Detect quantum-vulnerable algorithms in seconds

pqaudit scans source code and npm dependencies, classifies findings by severity, and outputs actionable migration guidance.

Features

Scan codebases and dependencies

Detects RSA, ECDSA, Ed25519, ECDH, DH, and DSA (all broken outright by Shor's algorithm), flags AES-128 (not broken, but Grover's algorithm halves its effective key strength, which is why CNSA 2.0 requires AES-256), and reports other quantum-vulnerable algorithms across source code and npm package dependencies.

CycloneDX CBOM and SARIF output

Generate a Cryptographic Bill of Materials (CycloneDX 1.6 CBOM) or SARIF 2.1.0 output for GitHub Code Scanning. Integrates with any CI/CD pipeline.

NIST-approved migration guidance

Every finding includes the recommended PQC replacement per the NIST standards: ML-KEM-768 (FIPS 203) for key establishment, ML-DSA-65 (FIPS 204) for signatures, and SLH-DSA (FIPS 205) where a stateless hash-based signature is preferred over a lattice-based one.

The post-quantum migration window is closing

NIST finalizes ML-KEM (FIPS 203), ML-DSA (FIPS 204), and SLH-DSA (FIPS 205) as its post-quantum cryptography standards.
Google publishes an estimate that factoring RSA-2048 needs roughly 20x fewer qubits than previously thought. A separate estimate claims Bitcoin's ECDSA could be broken in about 9 minutes with around 1,200 logical qubits, putting $600B+ in crypto assets at risk.
NSA's CNSA 2.0 mandates post-quantum cryptography for all new national security systems; government contractors must comply.
Google's self-imposed deadline for full PQC migration across all of its products and services.
All national security systems must be fully migrated to post-quantum cryptography, with no exceptions.

"Harvest now, decrypt later" attacks mean traffic encrypted today under RSA or ECDH key exchange can be recorded now and decrypted once a quantum computer exists. That is why key exchange is the most urgent thing to migrate: an attacker only needs to forge signatures once such a machine is running, but captured ciphertext is exposed retroactively.

Find your quantum debt.

One command. Zero config. Instant results.

$ npx pqaudit .