PQLensGuides › Find the crypto in your source code
100% local · nothing leaves your machine

Find the crypto in your source code

PQLens reads your source and reports every cryptographic API call it recognises — the algorithm, the key size where it is stated, the library, and the exact file and line — across Python, JavaScript/TypeScript, Java/Kotlin and Go.

pqlens scan code .
Free · all ten surfaces · 100% local — nothing about your code, configs or certificates leaves the machine

How it works

  1. Point pqlens scan code at a repository or directory.
  2. The scanner matches known crypto APIs and constructions in four language families and extracts key sizes where they appear in the call.
  3. Each occurrence is classified — an RSA.generate(1024) is broken, RSA-2048 is quantum-vulnerable, AES-128 is quantum-weakened, AES-256 is PQC-ready.
  4. Output as a table, JSON, or a CycloneDX 1.6 CBOM (--format cbom) — all free.

What it catches that grep does not

The classifier knows the APIs, not just the names: hashlib and cryptography.io in Python, WebCrypto and node:crypto in JS/TS, JCA/JCE in Java, crypto/* in Go. It extracts key sizes from the call site, so it can tell RSA-1024 from RSA-4096 — the difference between broken and quantum-vulnerable with a 2035 deadline. The rules are an open YAML catalog, so you can read exactly why a finding got its status.

Gate your CI on it

With Pro, --fail-on quantum-vulnerable (or broken, or quantum-weakened) makes the scan exit non-zero when a finding at that status or worse appears — so MD5 or a 1024-bit key cannot merge quietly. Free tier prints the same findings; the gate flag is what is licensed.

We find the crypto you use, not the keys you leaked

PQLens is not a secret scanner. It reports algorithms and usage, not credentials — pair it with your existing secret scanner rather than replacing it.

Frequently asked questions

Which languages are supported?

Python, JavaScript/TypeScript, Java/Kotlin, and Go. Crypto that lives in other languages usually still surfaces via the dependency, SBOM, config, certificate or endpoint scans.

Does my source code leave my machine?

No. The scan runs entirely locally and works offline. Findings are yours; nothing is transmitted.

Is AES-128 broken by quantum computers?

No. Grover's algorithm weakens it (roughly halving effective key strength in theory, with enormous practical caveats), which is why PQLens marks AES-128 quantum-weakened — not broken. AES-256 is classified PQC-ready.

Can I use this in CI?

Yes — run the same command in your pipeline. The --fail-on gate that turns findings into a failing exit code is a Pro feature.

Related guides

PQLens by CybXSan · The evidence engine is open source: cybxsan-evidence.
We never claim “quantum-proof.” Verdicts follow NIST FIPS 203–205 and CNSA 2.0.