{"id":34899421,"url":"https://github.com/csnp/qramm-cryptoscan","last_synced_at":"2026-01-13T20:59:00.564Z","repository":{"id":330514887,"uuid":"1122876300","full_name":"csnp/qramm-cryptoscan","owner":"csnp","description":"Cryptographic Discovery Scanner - Find every cryptographic algorithm in your codebase and know your quantum risk - part of the QRAMM Toolkit by CSNP","archived":false,"fork":false,"pushed_at":"2025-12-26T06:37:48.000Z","size":297,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-12-27T12:58:04.755Z","etag":null,"topics":["cbom","code-analysis","cryptography","golang","post-quantum-cryptography","pqc","quantum-computing","sarif","security"],"latest_commit_sha":null,"homepage":"https://qramm.org","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/csnp.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-12-25T18:01:11.000Z","updated_at":"2025-12-26T23:09:10.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/csnp/qramm-cryptoscan","commit_stats":null,"previous_names":["csnp/qramm-cryptoscan"],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/csnp/qramm-cryptoscan","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/csnp%2Fqramm-cryptoscan","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/csnp%2Fqr
amm-cryptoscan/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/csnp%2Fqramm-cryptoscan/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/csnp%2Fqramm-cryptoscan/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/csnp","download_url":"https://codeload.github.com/csnp/qramm-cryptoscan/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/csnp%2Fqramm-cryptoscan/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28400345,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-13T14:36:09.778Z","status":"ssl_error","status_checked_at":"2026-01-13T14:35:19.697Z","response_time":56,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cbom","code-analysis","cryptography","golang","post-quantum-cryptography","pqc","quantum-computing","sarif","security"],"created_at":"2025-12-26T08:28:21.072Z","updated_at":"2026-01-13T20:59:00.558Z","avatar_url":"https://github.com/csnp.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003ch1 align=\"center\"\u003eCryptoScan\u003c/h1\u003e\n\n\u003ch3 align=\"center\"\u003eCryptographic Discovery for the Post-Quantum Era\u003c/h3\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003cstrong\u003eFind every cryptographic algorithm in your codebase. 
Know your quantum risk. Plan your migration.\u003c/strong\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://github.com/csnp/qramm-cryptoscan/actions/workflows/ci.yml\"\u003e\u003cimg src=\"https://github.com/csnp/qramm-cryptoscan/actions/workflows/ci.yml/badge.svg\" alt=\"CI\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://goreportcard.com/report/github.com/csnp/qramm-cryptoscan\"\u003e\u003cimg src=\"https://goreportcard.com/badge/github.com/csnp/qramm-cryptoscan?v=2\" alt=\"Go Report Card\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://opensource.org/licenses/Apache-2.0\"\u003e\u003cimg src=\"https://img.shields.io/badge/License-Apache%202.0-blue.svg\" alt=\"License\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://go.dev/\"\u003e\u003cimg src=\"https://img.shields.io/badge/Go-1.21+-00ADD8?logo=go\u0026logoColor=white\" alt=\"Go Version\"\u003e\u003c/a\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"#why-cryptoscan\"\u003eWhy CryptoScan\u003c/a\u003e •\n  \u003ca href=\"#quick-start\"\u003eQuick Start\u003c/a\u003e •\n  \u003ca href=\"#features\"\u003eFeatures\u003c/a\u003e •\n  \u003ca href=\"https://qramm.org/learn/cryptoscan-guide.html\"\u003eFull Documentation\u003c/a\u003e •\n  \u003ca href=\"#contributing\"\u003eContributing\u003c/a\u003e\n\u003c/p\u003e\n\n---\n\n## The Quantum Computing Challenge\n\n**Quantum computers will break RSA, ECDSA, and Diffie-Hellman within the next decade.** This isn't speculation—the NSA, NIST, and major technology companies are already migrating to post-quantum cryptography (PQC).\n\nThe challenge? **You can't migrate what you can't find.**\n\nMost organizations have no visibility into which cryptographic algorithms are used across their codebases, configurations, and dependencies. 
CryptoScan solves this by providing a complete cryptographic inventory in seconds—with full source code context so you know exactly what needs to change and where.\n\n## Why CryptoScan\n\nCryptoScan is purpose-built for quantum readiness assessment:\n\n| Capability | CryptoScan | grep/ripgrep | Commercial Tools |\n|------------|:----------:|:------------:|:----------------:|\n| Remote Git URL scanning | **Yes** | No | Some |\n| Source code context | **Yes** | No | Rarely |\n| Quantum risk classification | **Yes** | No | Some |\n| Context-aware confidence | **Yes** | No | Varies |\n| CBOM output | **Yes** | No | Rarely |\n| SARIF for GitHub Security | **Yes** | No | Yes |\n| Inline ignore comments | **Yes** | No | Some |\n| Migration guidance | **Yes** | No | Varies |\n| Dependency scanning | **Yes** | No | Some |\n| Open source | **Yes** | Yes | No |\n| Price | **Free** | Free | $$$$ |\n\n### What These Capabilities Mean\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eClick to expand capability descriptions\u003c/strong\u003e\u003c/summary\u003e\n\n**Remote Git URL scanning** — Scan any public or private Git repository directly by URL without cloning it first. Just run `cryptoscan scan https://github.com/org/repo.git` and get results immediately.\n\n**Source code context** — Every finding includes the 3 lines before and after the match, so you can immediately understand the context without opening the file. Know if it's in a comment, test, or production code at a glance.\n\n**Quantum risk classification** — Each finding is tagged with its quantum computing threat level: VULNERABLE (broken by Shor's algorithm), PARTIAL (weakened by Grover's algorithm), SAFE (quantum-resistant), or UNKNOWN. This tells you exactly what needs to migrate first.\n\n**Context-aware confidence** — Not all matches are equal. CryptoScan reduces confidence for findings in comments, documentation, log messages, and test files. 
High-confidence findings in production code are prioritized over low-confidence matches in docs.\n\n**CBOM output** — Generate a Cryptographic Bill of Materials—a machine-readable inventory of all cryptographic algorithms in your codebase. Required for federal compliance (OMB M-23-02) and essential for tracking quantum migration progress.\n\n**SARIF for GitHub Security** — Output findings in SARIF format for direct integration with GitHub Code Scanning. See cryptographic issues as security alerts in your pull requests and repository Security tab.\n\n**Inline ignore comments** — Suppress false positives directly in your code with `// cryptoscan:ignore`. No need to maintain separate exclusion files or configure complex ignore rules.\n\n**Migration guidance** — Every finding includes specific remediation advice: which NIST PQC algorithm to migrate to (ML-KEM, ML-DSA, SLH-DSA), links to standards, and effort estimates.\n\n**Dependency scanning** — Scans package manifests (package.json, go.mod, requirements.txt, pom.xml, etc.) to identify crypto libraries in your dependencies. Covers 20+ package manager formats.\n\n\u003c/details\u003e\n\n## Quick Start\n\n### Installation\n\n#### Option 1: Build from Source\n\nRequires **Go 1.21+** ([install Go](https://go.dev/dl/))\n\nCopy and paste this entire block:\n\n```bash\ngit clone https://github.com/csnp/qramm-cryptoscan.git\ncd qramm-cryptoscan\ngo build -o cryptoscan ./cmd/cryptoscan\nsudo mv cryptoscan /usr/local/bin/\ncd .. 
\ncryptoscan --version\n```\n\n#### Option 2: Go Install\n\nFor Go developers:\n\n```bash\ngo install github.com/csnp/qramm-cryptoscan/cmd/cryptoscan@latest\n```\n\n#### Option 3: Download Binary\n\nDownload pre-built binaries from [GitHub Releases](https://github.com/csnp/qramm-cryptoscan/releases/latest).\n\n### Basic Usage\n\n```bash\n# Scan a local directory\ncryptoscan scan .\n\n# Scan a remote Git repository\ncryptoscan scan https://github.com/your-org/your-repo.git\n\n# Output to JSON for automation\ncryptoscan scan . --format json --output findings.json\n\n# Generate SARIF for GitHub Security integration\ncryptoscan scan . --format sarif --output results.sarif\n```\n\n### Try It Out\n\nThis repository includes sample cryptographic code for testing:\n\n```bash\n# Clone and build\ngit clone https://github.com/csnp/qramm-cryptoscan.git\ncd qramm-cryptoscan\ngo build -o cryptoscan ./cmd/cryptoscan\n\n# Scan the sample files (Go, Python, Java)\n./cryptoscan scan ./crypto-samples\n\n# Expected: ~35 findings showing various crypto patterns\n# - Quantum vulnerable: RSA, ECDSA, Ed25519\n# - Broken/weak: MD5, SHA-1, DES, 3DES\n# - With source context and remediation guidance\n```\n\n## Features\n\n### Comprehensive Detection\n\nCryptoScan identifies cryptographic usage across your entire technology stack:\n\n| Category | What We Detect |\n|----------|----------------|\n| **Asymmetric Encryption** | RSA (all key sizes), ECDSA, DSA, DH, ECDH, Ed25519, X25519 |\n| **Symmetric Encryption** | AES (CBC, GCM, ECB, CTR), DES, 3DES, RC4, Blowfish, ChaCha20 |\n| **Hash Functions** | MD5, SHA-1, SHA-2 (256/384/512), SHA-3, BLAKE2, RIPEMD |\n| **TLS/SSL** | Protocol versions, cipher suites, weak configurations |\n| **Key Material** | Private keys (RSA, EC, SSH, PGP, PKCS#8), JWT secrets, HMAC keys |\n| **Cloud KMS** | AWS KMS, Azure Key Vault, GCP Cloud KMS, HashiCorp Vault |\n| **Dependencies** | Crypto libraries across 20+ package managers |\n| **Configurations** | Hardcoded 
key sizes, algorithm selections, TLS settings |\n\n**[50+ detection patterns](PATTERNS.md)** with context-aware confidence scoring to minimize false positives.\n\n### Quantum Risk Classification\n\nEvery finding is classified by quantum computing threat level:\n\n| Risk Level | Meaning | Threat | Recommended Action |\n|------------|---------|--------|-------------------|\n| **VULNERABLE** | Broken by quantum computers | Shor's algorithm | Migrate to PQC now |\n| **PARTIAL** | Security reduced by quantum | Grover's algorithm | Increase key sizes |\n| **SAFE** | Quantum-resistant | N/A | No action needed |\n| **UNKNOWN** | Cannot determine | Unknown | Manual review required |\n\n### Context-Aware Analysis\n\nCryptoScan goes beyond simple pattern matching:\n\n- **Source code context**: See 3 lines before and after each finding\n- **Confidence scoring**: Findings in comments, logs, or docs are marked low confidence\n- **File type awareness**: Different severity for code vs. test vs. documentation\n- **Language detection**: 15+ programming languages recognized\n- **Noise reduction**: Automatically filters minified files, lock files, and build artifacts\n\n### Multiple Output Formats\n\n```bash\n# Human-readable text (default)\ncryptoscan scan .\n\n# JSON for automation and integration\ncryptoscan scan . --format json --output findings.json\n\n# CSV for spreadsheet analysis\ncryptoscan scan . --format csv --output findings.csv\n\n# SARIF for GitHub Code Scanning\ncryptoscan scan . --format sarif --output results.sarif\n\n# CBOM (Cryptographic Bill of Materials) for compliance\ncryptoscan scan . 
--format cbom --output crypto-bom.json\n```\n\n## Documentation\n\n\u003e **Full Documentation**: For comprehensive guides, tutorials, and examples, visit **[qramm.org/learn/cryptoscan-guide](https://qramm.org/learn/cryptoscan-guide.html)**\n\n### CLI Reference\n\n```\ncryptoscan scan [path] [flags]\n\nArguments:\n  path    Local directory, file, or Git URL to scan (default: current directory)\n\nFlags:\n  -f, --format string       Output format: text, json, csv, sarif, cbom (default \"text\")\n  -o, --output string       Output file path (default: stdout)\n  -i, --include string      File patterns to include (comma-separated globs)\n  -e, --exclude string      File patterns to exclude (comma-separated globs)\n  -d, --max-depth int       Maximum directory depth (0 = unlimited)\n  -g, --group-by string     Group output by: file, severity, category, quantum\n  -c, --context int         Lines of source context to show (default 3)\n  -p, --progress            Show scan progress indicator\n      --min-severity string Minimum severity to report: info, low, medium, high, critical\n      --no-color            Disable colored output\n      --pretty              Pretty print JSON output\n  -h, --help                Show help\n```\n\n### Common Workflows\n\n```bash\n# Focus on high-priority issues only\ncryptoscan scan . --min-severity high\n\n# Scan and group findings by file for review\ncryptoscan scan . --group-by file\n\n# Scan only specific file types\ncryptoscan scan . --include \"*.go,*.py,*.java,*.js,*.ts\"\n\n# Exclude vendor and test directories\ncryptoscan scan . --exclude \"vendor/*,node_modules/*,*_test.go\"\n\n# CI/CD: Fail if critical issues found\ncryptoscan scan . 
--min-severity critical --format json | jq -e '.findings | length == 0'\n```\n\n### Suppressing False Positives\n\nUse inline comments to suppress findings that are intentional or not applicable:\n\n```go\n// Suppress a specific line\nkey, err := rsa.GenerateKey(rand.Reader, 2048) // cryptoscan:ignore\n\n// Suppress the next line\n// cryptoscan:ignore-next-line\nlegacyKey := oldCrypto.NewKey()\n```\n\nSupported directives:\n- `cryptoscan:ignore` — Ignore finding on this line\n- `cryptoscan:ignore-next-line` — Ignore finding on the following line\n- `crypto-scan:ignore` — Alternative format\n- `noscan` — Quick ignore\n\n### CI/CD Integration\n\n#### GitHub Actions with SARIF\n\n```yaml\n# .github/workflows/crypto-scan.yml\nname: Cryptographic Security Scan\n\non:\n  push:\n    branches: [main]\n  pull_request:\n    branches: [main]\n\njobs:\n  crypto-scan:\n    runs-on: ubuntu-latest\n    permissions:\n      security-events: write\n    steps:\n      - uses: actions/checkout@v4\n\n      - name: Set up Go\n        uses: actions/setup-go@v5\n        with:\n          go-version: '1.21'\n\n      - name: Install CryptoScan\n        run: go install github.com/csnp/qramm-cryptoscan/cmd/cryptoscan@latest\n\n      - name: Run Scan\n        run: cryptoscan scan . --format sarif --output results.sarif\n\n      - name: Upload SARIF to GitHub Security\n        uses: github/codeql-action/upload-sarif@v3\n        with:\n          sarif_file: results.sarif\n```\n\n#### GitLab CI\n\n```yaml\ncrypto-scan:\n  stage: security\n  image: golang:1.21\n  script:\n    - go install github.com/csnp/qramm-cryptoscan/cmd/cryptoscan@latest\n    - cryptoscan scan . --format json --output crypto-findings.json\n  artifacts:\n    reports:\n      sast: crypto-findings.json\n    paths:\n      - crypto-findings.json\n```\n\n#### Pre-commit Hook\n\n```bash\n#!/bin/bash\n# .git/hooks/pre-commit\n\nif command -v cryptoscan \u0026\u003e /dev/null; then\n    cryptoscan scan . 
--min-severity critical --format text\n    if [ $? -ne 0 ]; then\n        echo \"Critical cryptographic issues found. Commit blocked.\"\n        exit 1\n    fi\nfi\n```\n\n### Output Formats Explained\n\n#### SARIF (Static Analysis Results Interchange Format)\n\nSARIF output integrates with GitHub Code Scanning, VS Code SARIF Viewer, and other security tools:\n\n```json\n{\n  \"$schema\": \"https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json\",\n  \"version\": \"2.1.0\",\n  \"runs\": [{\n    \"tool\": {\n      \"driver\": {\n        \"name\": \"CryptoScan\",\n        \"informationUri\": \"https://github.com/csnp/qramm-cryptoscan\"\n      }\n    },\n    \"results\": [...]\n  }]\n}\n```\n\n#### CBOM (Cryptographic Bill of Materials)\n\n**What is CBOM?** Just as an SBOM (Software Bill of Materials) inventories your software dependencies, a CBOM inventories all cryptographic algorithms, keys, and certificates in your systems. It answers: \"What cryptography are we using, where, and is it quantum-safe?\"\n\n**Why it matters:**\n- **Compliance**: Required by emerging regulations (OMB M-23-02, NIST guidelines) for federal contractors and regulated industries\n- **Visibility**: Single source of truth for all cryptographic assets across your organization\n- **Migration Planning**: Identifies exactly what needs to change for post-quantum readiness\n- **Audit Trail**: Documented evidence of cryptographic posture for security assessments\n\n```json\n{\n  \"bomFormat\": \"CryptoBOM\",\n  \"specVersion\": \"1.0\",\n  \"serialNumber\": \"urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79\",\n  \"timestamp\": \"2025-01-15T10:30:00Z\",\n  \"components\": [\n    {\n      \"type\": \"algorithm\",\n      \"name\": \"RSA-2048\",\n      \"category\": \"asymmetric\",\n      \"quantumSafe\": false,\n      \"occurrences\": 12,\n      \"locations\": [\"src/auth/jwt.go:45\", \"src/tls/config.go:23\"]\n    },\n    {\n      \"type\": \"algorithm\",\n      
\"name\": \"AES-256-GCM\",\n      \"category\": \"symmetric\",\n      \"quantumSafe\": true,\n      \"occurrences\": 8,\n      \"locations\": [\"src/crypto/encrypt.go:67\"]\n    }\n  ],\n  \"summary\": {\n    \"totalAlgorithms\": 15,\n    \"quantumVulnerable\": 7,\n    \"quantumSafe\": 8\n  }\n}\n```\n\n### Architecture\n\n```\nqramm-cryptoscan/\n├── cmd/cryptoscan/      # CLI entry point\n├── internal/cli/        # Command implementations\n├── pkg/\n│   ├── analyzer/        # File context and line analysis\n│   ├── patterns/        # Cryptographic pattern definitions (50+)\n│   ├── reporter/        # Output formatters (text, json, csv, sarif, cbom)\n│   ├── scanner/         # Core scanning engine with parallel processing\n│   └── types/           # Shared type definitions\n└── crypto-samples/      # Sample files for testing\n```\n\n## Roadmap\n\n### v1.0 (Current Release)\n- [x] Local and remote repository scanning\n- [x] 50+ cryptographic patterns\n- [x] Multiple output formats (text, JSON, CSV, SARIF, CBOM)\n- [x] Context-aware analysis with confidence scoring\n- [x] Dependency scanning for 20+ package managers\n- [x] Parallel scanning with worker pools\n- [x] Inline ignore comments\n\n### v1.1 (Next)\n- [ ] Git history scanning (find crypto in past commits)\n- [ ] Enhanced dependency version analysis\n- [ ] Configuration file templates\n\n### v2.0 (Future)\n- [ ] AWS resource scanning (KMS, ACM, Secrets Manager)\n- [ ] Azure resource scanning (Key Vault, App Configuration)\n- [ ] GCP resource scanning (Cloud KMS, Secret Manager)\n- [ ] Infrastructure-as-Code analysis (Terraform, CloudFormation, Pulumi)\n- [ ] Certificate chain analysis\n\n## Contributing\n\nWe welcome contributions from the community! 
See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines.\n\n### Development Setup\n\n```bash\n# Clone the repository\ngit clone https://github.com/csnp/qramm-cryptoscan.git\ncd qramm-cryptoscan\n\n# Install dependencies\ngo mod download\n\n# Run tests\ngo test -race ./...\n\n# Build\ngo build -o cryptoscan ./cmd/cryptoscan\n\n# Run linter\ngolangci-lint run\n```\n\n### Adding New Patterns\n\nNew detection patterns are added in `pkg/patterns/matcher.go`. Each pattern includes:\n\n- Unique ID and descriptive name\n- Category classification\n- Compiled regex\n- Severity and quantum risk levels\n- Description and remediation guidance\n- References to standards or documentation\n\nSee [CONTRIBUTING.md](CONTRIBUTING.md) for detailed instructions.\n\n## About CSNP\n\nCryptoScan is developed by the **Cyber Security Non-Profit (CSNP)**, a 501(c)(3) organization dedicated to making cybersecurity knowledge accessible to everyone through education, community, and practical resources.\n\n### Our Mission\n\nWe believe that:\n\n- **Accessibility**: Cybersecurity knowledge should be available to everyone, regardless of background or resources\n- **Community**: Supportive communities help people learn, share knowledge, and grow together\n- **Education**: Practical, actionable learning resources empower people to implement better security\n- **Integrity**: The highest ethical standards in all operations and educational content\n\n### QRAMM Toolkit\n\nCryptoScan is part of the **Quantum Readiness Assurance Maturity Model (QRAMM)** toolkit—a suite of open-source tools designed to help organizations prepare for the post-quantum era:\n\n- **CryptoScan** — Cryptographic discovery scanner (this project)\n- **QRAMM Assessment** — Quantum readiness maturity assessment\n- **[TLS Analyzer](https://github.com/csnp/qramm-tls-analyzer)** — TLS/SSL configuration analysis with CNSA 2.0 compliance tracking\n- **CryptoCBOM** — Cryptographic Bill of Materials generator (coming soon)\n\nLearn more at 
[qramm.org](https://qramm.org) and [csnp.org](https://csnp.org).\n\n## References\n\n### NIST Post-Quantum Cryptography Standards\n\n- [FIPS 203 - ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism)](https://csrc.nist.gov/pubs/fips/203/final) — Replaces RSA/ECDH for key exchange\n- [FIPS 204 - ML-DSA (Module-Lattice-Based Digital Signature Algorithm)](https://csrc.nist.gov/pubs/fips/204/final) — Replaces RSA/ECDSA for signatures\n- [FIPS 205 - SLH-DSA (Stateless Hash-Based Digital Signature Algorithm)](https://csrc.nist.gov/pubs/fips/205/final) — Alternative signature scheme\n- [NIST SP 800-131A Rev 2](https://csrc.nist.gov/pubs/sp/800/131/a/r2/final) — Transitioning cryptographic algorithms and key lengths\n\n### Additional Resources\n\n- [NSA Cybersecurity Advisory on Post-Quantum Cryptography](https://media.defense.gov/2022/Sep/07/2003071834/-1/-1/0/CSA_CNSA_2.0_ALGORITHMS_.PDF)\n- [CISA Post-Quantum Cryptography Initiative](https://www.cisa.gov/quantum)\n- [OWASP Cryptographic Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures/)\n\n## License\n\nApache License 2.0 — see [LICENSE](LICENSE) for details.\n\nCopyright 2025 Cyber Security Non-Profit (CSNP)\n\n---\n\n\u003cp align=\"center\"\u003e\n  \u003csub\u003eBuilt with purpose by \u003ca href=\"https://csnp.org\"\u003eCSNP\u003c/a\u003e — Advancing cybersecurity for everyone\u003c/sub\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://qramm.org\"\u003eQRAMM\u003c/a\u003e •\n  \u003ca href=\"https://csnp.org\"\u003eCSNP\u003c/a\u003e •\n  \u003ca href=\"https://github.com/csnp/qramm-cryptoscan/issues\"\u003eIssues\u003c/a\u003e •\n  \u003ca 
href=\"https://twitter.com/csnp_org\"\u003eTwitter\u003c/a\u003e\n\u003c/p\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcsnp%2Fqramm-cryptoscan","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcsnp%2Fqramm-cryptoscan","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcsnp%2Fqramm-cryptoscan/lists"}