Find the crypto in your source code
PQLens reads your source and reports every cryptographic API call it recognises — the algorithm, the key size where it is stated, the library, and the exact file and line — across Python, JavaScript/TypeScript, Java/Kotlin and Go.
pqlens scan code .
How it works
- Point
pqlens scan codeat a repository or directory. - The scanner matches known crypto APIs and constructions in four language families and extracts key sizes where they appear in the call.
- Each occurrence is classified — an
RSA.generate(1024)is broken, RSA-2048 is quantum-vulnerable, AES-128 is quantum-weakened, AES-256 is PQC-ready. - Output as a table, JSON, or a CycloneDX 1.6 CBOM (
--format cbom) — all free.
What it catches that grep does not
The classifier knows the APIs, not just the names: hashlib and cryptography.io in Python, WebCrypto and node:crypto in JS/TS, JCA/JCE in Java, crypto/* in Go. It extracts key sizes from the call site, so it can tell RSA-1024 from RSA-4096 — the difference between broken and quantum-vulnerable with a 2035 deadline. The rules are an open YAML catalog, so you can read exactly why a finding got its status.
Gate your CI on it
With Pro, --fail-on quantum-vulnerable (or broken, or quantum-weakened) makes the scan exit non-zero when a finding at that status or worse appears — so MD5 or a 1024-bit key cannot merge quietly. Free tier prints the same findings; the gate flag is what is licensed.
We find the crypto you use, not the keys you leaked
PQLens is not a secret scanner. It reports algorithms and usage, not credentials — pair it with your existing secret scanner rather than replacing it.
Frequently asked questions
Which languages are supported?
Python, JavaScript/TypeScript, Java/Kotlin, and Go. Crypto that lives in other languages usually still surfaces via the dependency, SBOM, config, certificate or endpoint scans.
Does my source code leave my machine?
No. The scan runs entirely locally and works offline. Findings are yours; nothing is transmitted.
Is AES-128 broken by quantum computers?
No. Grover's algorithm weakens it (roughly halving effective key strength in theory, with enormous practical caveats), which is why PQLens marks AES-128 quantum-weakened — not broken. AES-256 is classified PQC-ready.
Can I use this in CI?
Yes — run the same command in your pipeline. The --fail-on gate that turns findings into a failing exit code is a Pro feature.