PQLensGuides › Scan your configs & IaC
100% local · nothing leaves your machine

Scan your configs & IaC

Config files declare cryptography your code never mentions: the cipher suites nginx will accept, the key spec Terraform will mint, the SSH keys allowed into a box. PQLens reads the declarations, so tomorrow’s crypto is in today’s inventory.

pqlens scan config .
Free · all ten surfaces · 100% local — nothing about your code, configs or certificates leaves the machine

How it works

  1. Run pqlens scan config over a repo, a config directory, or /etc.
  2. Web-server TLS settings (nginx, Apache, HAProxy) are parsed: protocol floors and cipher lists.
  3. Terraform and cert-manager resources are read for the key algorithms and sizes they will create.
  4. SSH authorized_keys files are inventoried by key algorithm and size.

Declared crypto is a leading indicator

A live TLS probe tells you what a server negotiated today; the nginx config tells you everything it would accept, including the TLS 1.0 floor someone set in 2015. And a Terraform module that requests RSA-2048 keys will keep minting quantum-vulnerable keys with every apply until the module changes. Fixing the declaration fixes the future — which is why config is its own surface.

Runs on the repo, not just the server

Because it reads files, this scan works in CI against the IaC repo — before anything deploys. Pair it with a live TLS scan of the same services and the difference between declared and observed becomes obvious.

Frequently asked questions

Which config formats are understood?

nginx, Apache and HAProxy TLS settings; Terraform and cert-manager key/certificate specs; and SSH authorized_keys files.

Does it change or lint my configs?

No. It is read-only discovery — it reports what the files declare and classifies it; it never rewrites anything.

Why scan configs when I can probe the live endpoint?

The live probe shows one negotiated result; the config shows the full accepted range and what future infrastructure will be created with. You want both in the inventory.

Related guides

PQLens by CybXSan · The evidence engine is open source: cybxsan-evidence.
We never claim “quantum-proof.” Verdicts follow NIST FIPS 203–205 and CNSA 2.0.