Enrich your SBOM with crypto
You already generate an SBOM in CI. PQLens reads it and attributes the cryptography each component ships, classified for quantum risk — turning a bill of materials into a cryptographic bill of materials.
pqlens scan sbom sbom.json
How it works
- Generate an SBOM as usual — e.g.
syft -o cyclonedx-json . > sbom.json(SPDX works too). - Run
pqlens scan sbom sbom.json. - Components that are (or bundle) cryptographic libraries are identified and their algorithms classified.
- Export the result as a CycloneDX 1.6 CBOM with
--format cbom— schema-valid, deterministic output.
This is how you cover containers
PQLens deliberately does not have a container-image surface — tools like syft already excel at unpacking images into SBOMs. Point syft at the image, pipe the SBOM to PQLens, and the crypto inside the container is inventoried without reinventing image handling.
CBOM: the artifact auditors are starting to ask for
CycloneDX 1.6 added first-class cryptographic asset types precisely because “what crypto do you ship” became a compliance question. PQLens emits that format deterministically, with an integrity hash over the canonical form — the same engine that produces the signed evidence packs.
Frequently asked questions
Which SBOM formats can PQLens read?
CycloneDX and SPDX. Output is CycloneDX 1.6, which has native cryptographic asset support.
How do I scan a container image?
Generate the SBOM with an image tool (e.g. syft -o cyclonedx-json <image>) and feed the file to pqlens scan sbom. Image unpacking is deliberately left to the tools that already do it well.
Is the SBOM uploaded for analysis?
No. The file is read and enriched locally, like every other surface.