Scan your configs & IaC
Config files declare cryptography your code never mentions: the cipher suites nginx will accept, the key spec Terraform will mint, the SSH keys allowed into a box. PQLens reads the declarations, so tomorrow’s crypto is in today’s inventory.
pqlens scan config .
How it works
- Run
pqlens scan configover a repo, a config directory, or/etc. - Web-server TLS settings (nginx, Apache, HAProxy) are parsed: protocol floors and cipher lists.
- Terraform and cert-manager resources are read for the key algorithms and sizes they will create.
- SSH
authorized_keysfiles are inventoried by key algorithm and size.
Declared crypto is a leading indicator
A live TLS probe tells you what a server negotiated today; the nginx config tells you everything it would accept, including the TLS 1.0 floor someone set in 2015. And a Terraform module that requests RSA-2048 keys will keep minting quantum-vulnerable keys with every apply until the module changes. Fixing the declaration fixes the future — which is why config is its own surface.
Runs on the repo, not just the server
Because it reads files, this scan works in CI against the IaC repo — before anything deploys. Pair it with a live TLS scan of the same services and the difference between declared and observed becomes obvious.
Frequently asked questions
Which config formats are understood?
nginx, Apache and HAProxy TLS settings; Terraform and cert-manager key/certificate specs; and SSH authorized_keys files.
Does it change or lint my configs?
No. It is read-only discovery — it reports what the files declare and classifies it; it never rewrites anything.
Why scan configs when I can probe the live endpoint?
The live probe shows one negotiated result; the config shows the full accepted range and what future infrastructure will be created with. You want both in the inventory.