Build a cryptographic inventory
PCI DSS 12.3.3 has required a documented inventory of your cryptography since 31 March 2025, and ISO 27001 A.8.24 auditors ask for the same artifact. This is how to produce one without a six-figure enterprise tool.
pqlens scan code .
How it works
- Scan each surface where crypto lives:
pqlens scan code ., thendeps,config,certs,tls,ssh,jwks,keystore,sbomandcloud aws. - Each finding is classified: broken / deprecated, quantum-vulnerable, quantum-weakened, or PQC-ready — with algorithm, key size and location.
- Merge every scan into one living list with
pqlens inventory(Pro) and export it as Excel, CSV, HTML, PDF or a CycloneDX 1.6 CBOM. - Hand the export to your QSA or auditor — or start from the free blank template and fill it in by hand.
What regulators actually ask for
PCI DSS v4.0 requirement 12.3.3 asks for a documented inventory of the cryptographic cipher suites and protocols in use, reviewed at least every 12 months. ISO 27001:2022 control A.8.24 asks for rules on the effective use of cryptography — which an auditor tests by asking what you actually run. Both come down to the same table: algorithm, key size, where it is used, and whether it is still acceptable. The deadline map lists every dated requirement with its primary source.
Why grep is not an inventory
Searching your code for “AES” misses the crypto your dependencies ship, the suites your nginx config declares, the RSA-2048 in your TLS certificate, the host keys your SSH fleet presents, and every key in your cloud KMS. PQLens looks at ten surfaces — the crypto you call, ship, declare and serve — because an inventory is only as good as the places it looks.
Everything stays on your machine
Discovery is 100% local. Nothing about your code, configs or certificates leaves the machine — the scanner works offline. The one deliberate exception: the optional Compliance-tier pqlens push uploads a signed pack containing only algorithm names, statuses and occurrence counts, plus the source label you chose, to your own GRC platform.
Frequently asked questions
Is a cryptographic inventory actually mandatory?
For PCI DSS v4.0 scope, yes — requirement 12.3.3 became mandatory on 31 March 2025 and a QSA can ask for the documented inventory today. ISO 27001 A.8.24 and the EU PQC roadmap ask for essentially the same artifact.
What columns should the inventory have?
At minimum: the algorithm or cipher suite, key size, protocol version where relevant, where it is used, who owns it, and its status. PQLens classifies status as broken/deprecated, quantum-vulnerable, quantum-weakened, or PQC-ready.
Do I need a paid tier to get started?
No. The desktop app, the CLI and all ten discovery surfaces are free — one scan at a time with table, JSON and CycloneDX output. The consolidated inventory with Excel/PDF export is the Pro tier.
Does any of my code get uploaded?
No. Scanning is entirely local and works offline. Only the optional Compliance-tier push sends anything anywhere, and that pack contains algorithm names, statuses and counts — never file paths, code or certificate contents.