PQLensGuides › Enrich your SBOM with crypto
100% local · nothing leaves your machine

Enrich your SBOM with crypto

You already generate an SBOM in CI. PQLens reads it and attributes the cryptography each component ships, classified for quantum risk — turning a bill of materials into a cryptographic bill of materials.

pqlens scan sbom sbom.json
Free · all ten surfaces · 100% local — nothing about your code, configs or certificates leaves the machine

How it works

  1. Generate an SBOM as usual — e.g. syft -o cyclonedx-json . > sbom.json (SPDX works too).
  2. Run pqlens scan sbom sbom.json.
  3. Components that are (or bundle) cryptographic libraries are identified and their algorithms classified.
  4. Export the result as a CycloneDX 1.6 CBOM with --format cbom — schema-valid, deterministic output.

This is how you cover containers

PQLens deliberately does not have a container-image surface — tools like syft already excel at unpacking images into SBOMs. Point syft at the image, pipe the SBOM to PQLens, and the crypto inside the container is inventoried without reinventing image handling.

CBOM: the artifact auditors are starting to ask for

CycloneDX 1.6 added first-class cryptographic asset types precisely because “what crypto do you ship” became a compliance question. PQLens emits that format deterministically, with an integrity hash over the canonical form — the same engine that produces the signed evidence packs.

Frequently asked questions

Which SBOM formats can PQLens read?

CycloneDX and SPDX. Output is CycloneDX 1.6, which has native cryptographic asset support.

How do I scan a container image?

Generate the SBOM with an image tool (e.g. syft -o cyclonedx-json <image>) and feed the file to pqlens scan sbom. Image unpacking is deliberately left to the tools that already do it well.

Is the SBOM uploaded for analysis?

No. The file is read and enriched locally, like every other surface.

Related guides

PQLens by CybXSan · The evidence engine is open source: cybxsan-evidence.
We never claim “quantum-proof.” Verdicts follow NIST FIPS 203–205 and CNSA 2.0.