{"slug": "pqc-scan-scan-your-codebase-for-quantum-vulnerable-cryptography", "title": "Pqc-scan: scan your codebase for quantum-vulnerable cryptography", "summary": "A new open-source static analysis tool called pqc-scan helps developers find quantum-vulnerable cryptography in their codebases before quantum computers become a threat. The tool scans source code, configurations, and dependencies for algorithms like RSA and ECDSA that are broken by Shor's algorithm, and recommends migration to NIST-standardized post-quantum algorithms such as ML-KEM and ML-DSA.", "body_md": "**Snyk for Post-Quantum Cryptography** — a developer-first static analysis tool that\nfinds quantum-vulnerable cryptography in your code, configs, and dependencies before\nquantum computers (or your auditors) do.\n\n`pqc-scan`\n\nis zero-friction and lives where your code lives: in your editor, on the\ncommand line, and right inside your pull requests. It parses real source with\ntree-sitter ASTs (not brittle regexes), tells you exactly which line is vulnerable,\nwhy it matters, and how to migrate to a NIST-standardized post-quantum algorithm.\n\n```\npqc-scan scan .\npqc-scan  ·  Post-Quantum Cryptography scan\n\n  ✖  CRITICAL  PQC001 · RSA Key Generation   [high confidence]\n  ┌─ app/keys.py:10:19   (RSA-2048)\n  │  rsa.generate_private_key(\n  │          public_exponent=65537,\n  │          key_size=2048,\n  │      )\n  └─ RSA key generation detected. RSA is broken by Shor's algorithm on a\n     cryptographically relevant quantum computer, regardless of key size.\n       Migrate to: ML-KEM-768 (CRYSTALS-Kyber) …  ·  FIPS 203 (ML-KEM) / FIPS 204 (ML-DSA)\n       see: https://csrc.nist.gov/pubs/fips/203/final\n\n────────────────────────────────────────────────────────────────────────────────\n  Critical: 2  High: 2  Medium: 0  Low: 0   |  Total findings: 4\n  Files scanned: 1  |  Time: 0.00s\n```\n\nThe public-key cryptography that secures almost everything online — TLS handshakes,\nSSH, code signing, JWTs, certificates, VPNs — relies on math problems that are hard\n*for classical computers*. **Shor's algorithm**, run on a cryptographically relevant\nquantum computer, solves all of them efficiently. That breaks, completely:\n\n**RSA**(any key size, including RSA-4096)** Elliptic-curve crypto**: ECDSA, ECDH/ECDHE, X25519/X448, Ed25519/Ed448** Finite-field crypto**: Diffie-Hellman (DH/DHE), DSA\n\nSymmetric crypto and hashing are weakened but not broken: **Grover's algorithm** only\nhalves the effective security level, so AES-256 and SHA-256/SHA3-256 remain safe.\n\nYou don't need a quantum computer to exist *today* to be at risk. Adversaries can\n**capture encrypted traffic now and decrypt it later** once quantum hardware matures.\nAny data with a long confidentiality lifetime — health records, financial data, state\nsecrets, long-lived credentials — is already exposed. Key-exchange material (ECDH,\nX25519, DH) is the prime target.\n\n**August 2024**— NIST finalized the first post-quantum standards:** FIPS 203 (ML-KEM)**for key encapsulation,** FIPS 204 (ML-DSA)**and** FIPS 205 (SLH-DSA)**for digital signatures.** 2030 / 2035**— US federal guidance (CNSA 2.0, NSM-10) sets a migration deadline: begin now, complete the transition for most systems by**2030**, finish by 2035.\n\nMigration is a multi-year inventory-and-replace effort. `pqc-scan`\n\nis the inventory\nstep you can run on every commit.\n\n`pqc-scan`\n\nrequires **Python ≥ 3.10**.\n\nInstall editable from a clone of the source:\n\n```\ngit clone https://github.com/pqc-scan/pqc-scan.git\ncd pqc-scan\npip install -e .\n```\n\nThis installs the `pqc-scan`\n\nconsole script. Verify:\n\n```\npqc-scan --version\n# pqc-scan 0.1.0\n```\n\nFor development (tests + coverage):\n\n```\npip install -e \".[dev]\"\npytest\n```\n\nAll scanning dependencies (tree-sitter grammars for Python, JavaScript, Java, Go,\nplus Typer, Rich and PyYAML) are installed automatically — there is **no** native\ntoolchain to build.\n\n```\npqc-scan scan .                       # scan the current tree, pretty console report\npqc-scan scan src/ -s high            # only report HIGH and CRITICAL findings\npqc-scan scan . -o sarif -f out.sarif # write SARIF for GitHub code scanning\npqc-scan scan . --changed-only        # only files changed in the current git diff\npqc-scan rules                         # list every detection rule\npqc-scan init                          # write a starter .pqcscan.yml\n```\n\n`pqc-scan`\n\nexposes four commands: `scan`\n\n, `report`\n\n, `init`\n\n, and `rules`\n\n.\n\n```\npqc-scan scan [PATH] [OPTIONS]\n```\n\n`PATH`\n\ndefaults to `.`\n\n(the current directory) and may be a file or a directory.\n\n| Flag | Alias | Description |\n|---|---|---|\n`--output` |\n`-o` |\nOutput format: `console` (default), `sarif` , `cbom` , `json` . |\n`--output-file` |\n`-f` |\nWrite output to this file instead of stdout. |\n`--severity` |\n`-s` |\nMinimum severity to report: `critical` , `high` , `medium` , `low` . |\n`--exclude` |\nGlob pattern to exclude. Repeatable. | |\n`--changed-only` |\nOnly scan files changed in the current git diff (fast PR scans). | |\n`--config` |\nPath to a `.pqcscan.yml` config file. |\n|\n`--no-color` |\nDisable colored output (auto-disabled when writing to a file). | |\n`--fail-on-findings` |\nExit with code `1` if any findings are reported — for CI gating. |\n|\n`--limit N` |\nShow at most `N` findings in console output (`0` = all). |\n|\n`--summary` |\nConsole output: totals and a per-file breakdown only, no per-finding detail. | |\n`--group-by` |\nConsole grouping: `severity` (default) or `file` . |\n\nExamples:\n\n```\n# Console report, but gate CI: non-zero exit if anything is found.\npqc-scan scan . --fail-on-findings\n\n# Scan only application code, skip tests and vendored code.\npqc-scan scan . --exclude \"**/tests/**\" --exclude \"**/third_party/**\"\n\n# Emit machine-readable JSON to stdout (pipe into jq, dashboards, etc.).\npqc-scan scan src/ -o json\n\n# Only audit what this branch changed, at HIGH severity and above.\npqc-scan scan . --changed-only -s high --fail-on-findings\n\n# Large repo? Get the overview first, then drill into one file at a time.\npqc-scan scan . --summary\npqc-scan scan . --group-by file --limit 50\n```\n\nExample console output (scanning a single file):\n\n```\n  pqc-scan  ·  Post-Quantum Cryptography scan\n\n  ✖  CRITICAL  PQC001 · RSA Key Generation   [high confidence]\n  ┌─ app/keys.py:10:19   (RSA-2048)\n  │  rsa.generate_private_key(\n  │          public_exponent=65537,\n  │          key_size=2048,\n  │      )\n  └─ RSA key generation detected. RSA is broken by Shor's algorithm on a\n     cryptographically relevant quantum computer, regardless of key size.\n       Migrate to: ML-KEM-768 (CRYSTALS-Kyber) for encryption / key\n       establishment, or ML-DSA-65 …  ·  FIPS 203 (ML-KEM) / FIPS 204 (ML-DSA)\n       see: https://csrc.nist.gov/pubs/fips/203/final\n\n  ⚠  HIGH  PQC002 · RSA Encryption / Padding   [high confidence]\n  ┌─ app/keys.py:26:9   (RSA-OAEP)\n  │  padding.OAEP(\n  │              mgf=padding.MGF1(algorithm=hashes.SHA256()),\n  │              algorithm=hashes.SHA256(),\n  │              label=None,\n  │          )\n  └─ RSA-based encryption or padding (OAEP / PKCS1v15) detected. RSA encryption\n     is broken by Shor's algorithm.\n       Migrate to: ML-KEM-768 (CRYSTALS-Kyber)  ·  FIPS 203\n       see: https://csrc.nist.gov/pubs/fips/203/final\n\n────────────────────────────────────────────────────────────────────────────────\n  Critical: 2  High: 2  Medium: 0  Low: 0   |  Total findings: 4\n  Files scanned: 1  |  Time: 0.00s\n```\n\n`report`\n\nruns a scan and writes a machine-readable artifact to disk. Unlike `scan`\n\n,\nthe format defaults to `cbom`\n\nand `--output-file`\n\nis **required**.\n\n```\npqc-scan report [PATH] --output-file FILE [--format cbom|sarif|json] [--config FILE]\n# Generate a CycloneDX Cryptography Bill of Materials.\npqc-scan report . --output-file cbom.json\n\n# Generate a SARIF report for archival / upload.\npqc-scan report . --format sarif --output-file results.sarif\npqc-scan init [PATH] [--force]\n```\n\nWrites a starter `.pqcscan.yml`\n\nto `PATH`\n\n(default `.`\n\n). Refuses to overwrite an\nexisting file unless `--force`\n\nis given.\n\n```\npqc-scan init\n# Created .pqcscan.yml\npqc-scan rules\n```\n\nPrints a table of every rule (ID, name, severity, category, description).\n\n`pqc-scan`\n\nships **14 rules**, covering quantum-vulnerable key generation, signatures,\nencryption, key exchange, hashing, weak JWT/TLS configuration, legacy ciphers, and\nquantum-vulnerable dependencies.\n\n| ID | Name | Severity | Category |\n|---|---|---|---|\nPQC001 |\nRSA Key Generation | `critical` |\nkey-generation |\nPQC002 |\nRSA Encryption / Padding | `high` |\nencryption |\nPQC003 |\nRSA Signature | `critical` |\nsigning |\nPQC004 |\nECDSA Key Generation or Signing | `critical` |\nsigning |\nPQC005 |\nECDH / X25519 Key Exchange | `high` |\nkey-exchange |\nPQC006 |\nEd25519 / Ed448 Key Generation | `high` |\nsigning |\nPQC007 |\nDiffie-Hellman Key Exchange | `high` |\nkey-exchange |\nPQC008 |\nDSA Key Generation or Signing | `critical` |\nsigning |\nPQC009 |\nSHA-1 Usage | `medium` |\nhashing |\nPQC010 |\nMD5 Usage | `high` |\nhashing |\nPQC011 |\nWeak JWT Algorithm (RS/ES/PS) | `high` |\nsigning |\nPQC012 |\nWeak TLS Configuration | `medium` |\nconfiguration |\nPQC013 |\nDES / 3DES Usage | `high` |\nencryption |\nPQC014 |\nQuantum-Vulnerable Dependency | `medium` |\ndependency |\n\nRun `pqc-scan rules`\n\nfor the full descriptions and to confirm the set installed on\nyour machine.\n\n**Supported languages (code):** Python, JavaScript/TypeScript, Java, Go.\n**Supported manifests/configs:** `requirements.txt`\n\n, `package.json`\n\n, plus\nYAML / JSON / TOML / `.conf`\n\nconfiguration files (TLS, JWT, cipher lists).\n\n**Library coverage highlights** (beyond the language standard libraries):\n\n**Python**—`cryptography`\n\n(hazmat), pycryptodome/pycrypto (`RSA.generate`\n\n,`pkcs1_15`\n\n,`pss`\n\n,`DSS`\n\n,`PKCS1_OAEP`\n\n), pyOpenSSL (`TYPE_RSA`\n\n), paramiko, PyJWT / python-jose,`ssl`\n\n,`hashlib`\n\n(including`hashlib.new(\"sha1\")`\n\nand the`usedforsecurity=False`\n\ndemotion to`low`\n\n).**JavaScript**— Node`crypto`\n\n(`generateKeyPair`\n\n,`createDiffieHellman`\n\n,`publicEncrypt`\n\n,`createSign`\n\n), WebCrypto`SubtleCrypto`\n\n,`jsonwebtoken`\n\n,`jose`\n\n(`setProtectedHeader`\n\n), node-forge, AWS KMS asymmetric`KeySpec`\n\ns.**Java**— JCA factories (`KeyPairGenerator`\n\n,`Signature`\n\n,`Cipher`\n\n,`MessageDigest`\n\n,`KeyAgreement`\n\n), Bouncy Castle lightweight API (`RSAKeyGenerationParameters`\n\n,`ECDSASigner`\n\n,`Ed25519Signer`\n\n, …), and`SSLContext.getInstance`\n\nwith legacy protocols.**Go**—`crypto/rsa`\n\n,`crypto/ecdsa`\n\n,`crypto/ecdh`\n\n,`crypto/ed25519`\n\n,`crypto/dsa`\n\n,`crypto/tls`\n\nconfiguration (`MinVersion`\n\npins and weak`CipherSuites`\n\n),`x/crypto/curve25519`\n\n, and golang-jwt signing methods.\n\n**Context hints.** Findings inside code that *looks like* crypto-library\nplumbing (paths containing `hazmat`\n\n, `_internal`\n\n, `backends`\n\n, `vendor`\n\n, …) or\ninside a `generate_*_key()`\n\n-style wrapper carry a `context_hint`\n\nexplaining\nwhether the call site is actionable for you or belongs to a library you merely\nconsume. Hints appear in console output, SARIF `properties.contextHint`\n\n, and\nthe JSON `context_hint`\n\nfield.\n\nChoose with `-o`\n\n/`--output`\n\non `scan`\n\n, or `--format`\n\non `report`\n\n.\n\nA colorized, human-readable report with severity badges, the exact code snippet, the\nmigration target, and the relevant NIST standard. Color is auto-disabled when writing\nto a file or with `--no-color`\n\n.\n\nStatic Analysis Results Interchange Format **2.1.0**. Upload it with the CodeQL action\nand findings appear as **inline annotations on the exact line** in pull requests and\nin the repository's Security → Code scanning tab.\n\n```\npqc-scan scan . -o sarif -f pqc-scan.sarif\n{\n  \"$schema\": \"https://raw.githubusercontent.com/oasis-tcs/sarif-spec/.../sarif-schema-2.1.0.json\",\n  \"version\": \"2.1.0\",\n  \"runs\": [\n    {\n      \"tool\": { \"driver\": { \"name\": \"pqc-scan\", \"version\": \"0.1.0\", \"rules\": [ ... ] } },\n      \"results\": [ ... ]\n    }\n  ]\n}\n```\n\nA **CycloneDX 1.6 CBOM**: a structured inventory of every cryptographic asset found,\nemitted as `cryptographic-asset`\n\ncomponents. Ideal for compliance, supply-chain\nattestation, and tracking migration progress over time.\n\n```\npqc-scan report . --format cbom --output-file cbom.json\n{\n  \"bomFormat\": \"CycloneDX\",\n  \"specVersion\": \"1.6\",\n  \"components\": [\n    { \"type\": \"cryptographic-asset\", \"name\": \"RSA-2048\", \"...\": \"...\" }\n  ]\n}\n```\n\nScan metadata plus every finding with full migration metadata — easy to pipe into\n`jq`\n\n, dashboards, or custom tooling.\n\n```\npqc-scan scan . -o json | jq '.findings[] | {rule_id, severity, file_path, line_number, algorithm}'\n{\n  \"tool\": \"pqc-scan\",\n  \"version\": \"0.1.0\",\n  \"generated_at\": \"2026-07-06T12:00:00Z\",\n  \"paths\": [\"/repo\"],\n  \"summary\": {\n    \"total\": 4,\n    \"by_severity\": { \"critical\": 2, \"high\": 2, \"medium\": 0, \"low\": 0 },\n    \"files_scanned\": 128,\n    \"duration_seconds\": 0.4211,\n    \"errors\": []\n  },\n  \"findings\": [\n    {\n      \"file_path\": \"app/keys.py\",\n      \"line_number\": 10,\n      \"column_number\": 19,\n      \"algorithm\": \"RSA-2048\",\n      \"category\": \"key-generation\",\n      \"severity\": \"critical\",\n      \"confidence\": \"high\",\n      \"rule_id\": \"PQC001\",\n      \"context_hint\": null,\n      \"migration_suggestion\": {\n        \"recommended_algorithm\": \"ML-KEM-768 (CRYSTALS-Kyber) …\",\n        \"nist_standard\": \"FIPS 203 (ML-KEM) / FIPS 204 (ML-DSA)\",\n        \"docs_url\": \"https://csrc.nist.gov/pubs/fips/203/final\"\n      }\n    }\n  ]\n}\n```\n\nRun `pqc-scan`\n\non every pull request and surface findings as inline code-scanning\nannotations. Save this as `.github/workflows/pqc-scan.yml`\n\n:\n\n```\nname: pqc-scan\n\non:\n  pull_request:\n  push:\n    branches: [main]\n\npermissions:\n  contents: read\n  security-events: write   # required to upload SARIF to code scanning\n\njobs:\n  pqc-scan:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v4\n\n      - name: Run pqc-scan\n        uses: ./                          # this repo's action; or pin: pqc-scan/pqc-scan@v1\n        with:\n          path: .\n          severity: high                  # critical | high | medium | low\n          output-sarif: pqc-scan.sarif\n          fail-on-findings: 'false'        # set 'true' to block the PR on any finding\n\n      - name: Upload SARIF to GitHub code scanning\n        uses: github/codeql-action/upload-sarif@v3\n        with:\n          sarif_file: pqc-scan.sarif\n```\n\n**Action inputs**\n\n| Input | Default | Description |\n|---|---|---|\n`path` |\n`.` |\nFile or directory to scan. |\n`severity` |\n`medium` |\nMinimum severity to report. |\n`output-sarif` |\n`pqc-scan.sarif` |\nPath to write the SARIF report. |\n`fail-on-findings` |\n`false` |\nFail the job (exit 1) if any findings are reported. |\n\nThe action exits `0`\n\nwhen the scan is clean; with `fail-on-findings: 'true'`\n\nthe\nSARIF is still uploaded before the job is failed, so annotations always appear.\n\nIf you prefer to run the CLI directly without the composite action, the equivalent step is just:\n\n```\n      - run: pip install -e . && pqc-scan scan . -o sarif -f pqc-scan.sarif -s high\n```\n\nPair it with `--changed-only`\n\nin PR jobs to scan only the diff and keep runs fast.\n\n`pqc-scan`\n\nreads a `.pqcscan.yml`\n\nfile. It is discovered automatically by walking up\nfrom the scanned path, or pointed at explicitly with `--config`\n\n. Generate a starter\nwith `pqc-scan init`\n\n. Full schema:\n\n```\n# .pqcscan.yml — configuration for pqc-scan\n\nexclude:\n  - \"**/tests/**\"\n  - \"**/*.test.py\"\n  - \"**/vendor/**\"\n  - \"**/node_modules/**\"\n\n# Minimum severity to report: critical | high | medium | low\nseverity_threshold: medium\n\nlanguages:\n  - python\n  - javascript\n  - java\n  - go\n\nscan_configs: true        # Scan YAML/JSON/TOML/.conf config files\nscan_dependencies: true   # Scan dependency manifests (requirements.txt, package.json, ...)\n\nrules:\n  disable: []             # e.g. [PQC010] to silence a specific rule\n\noutput:\n  default_format: console # console | sarif | cbom | json\n  cbom_path: cbom.json\n```\n\nNotes:\n\n- CLI flags override config values (e.g.\n`-s high`\n\nbeats`severity_threshold`\n\n). `rules.disable`\n\ntakes rule IDs (`PQC001`\n\n…`PQC014`\n\n), case-insensitive.- Without a config file, the defaults exclude\n`**/tests/**`\n\n,`**/node_modules/**`\n\n,`**/.venv/**`\n\n,`**/venv/**`\n\n,`**/vendor/**`\n\n,`**/dist/**`\n\n, and`**/build/**`\n\n(the`tests`\n\nglob matches test directories at**any** depth), and the walker never descends into`.git`\n\n,`site-packages`\n\n, caches, or IDE directories. - A malformed\n`--config`\n\nfile exits with code`2`\n\n; a malformed*discovered*config prints a warning and falls back to defaults.\n\nEvery finding ships with concrete, NIST-aligned migration guidance and a before/after code example. The high-level mapping:\n\n| Vulnerable today | Migrate to | NIST standard |\n|---|---|---|\n| RSA key generation / encryption (PQC001/002) | ML-KEM-768 (CRYSTALS-Kyber) |\nFIPS 203 |\n| RSA signatures (PQC003) | ML-DSA-65 (CRYSTALS-Dilithium) |\nFIPS 204 |\n| ECDSA / EC keys (PQC004) | ML-DSA-65 |\nFIPS 204 |\n| ECDH / ECDHE / X25519 (PQC005) | ML-KEM-768 |\nFIPS 203 |\n| Ed25519 / Ed448 (PQC006) | ML-DSA-65 (or SLH-DSA) |\nFIPS 204 / 205 |\n| Diffie-Hellman (PQC007) | ML-KEM-768 |\nFIPS 203 |\n| DSA (PQC008) | ML-DSA-65 |\nFIPS 204 |\n| SHA-1 (PQC009) | SHA-256 / SHA3-256 |\nFIPS 180-4 / 202 |\n| MD5 (PQC010) | SHA-256 / SHA3-256 |\nFIPS 180-4 / 202 |\n| Weak JWT RS/ES/PS256 (PQC011) | HS256 internally; track IETF JOSE for PQC | — |\n| Weak TLS config (PQC012) | TLS 1.3 + hybrid X25519MLKEM768 |\nFIPS 203 |\n| DES / 3DES (PQC013) | AES-256-GCM |\nFIPS 197 |\n\nHeads-up about liboqs.The Python post-quantum library`oqs`\n\n(liboqs-python) isnota pure`pip install`\n\n. It wraps the compiledliboqsC library, which must be available first:`pip install liboqs`\n\nbuilds it from source via CMake, or you install the distro package / build from[https://github.com/open-quantum-safe/liboqs]. Hash and symmetric replacements (SHA-256, AES-256-GCM) need no special install — they live in`hashlib`\n\nand the`cryptography`\n\npackage.\n\n`pqc-scan`\n\nuses two complementary detection strategies:\n\n-\n**Code (Python, JavaScript/TypeScript, Java, Go): tree-sitter AST analysis.** Source is parsed into a concrete syntax tree and the analyzers traverse real nodes — call expressions, imports, dotted attribute access, string and keyword arguments. This is**not** regex matching: it resolves what is actually being*called*(e.g.`rsa.generate_private_key(...)`\n\n,`ec.generate_private_key(...)`\n\n), so it sees through aliasing and whitespace, reports precise 1-based line/column positions, and avoids matching the same construct inside comments or strings. -\n**Configs and dependencies: pattern-based scanning.** TLS/JWT/cipher settings in YAML/JSON/TOML/`.conf`\n\n, and manifests like`requirements.txt`\n\nand`package.json`\n\n, are matched against curated patterns of quantum-vulnerable algorithms and libraries.\n\nEach language analyzer exposes a common contract (`LANGUAGE`\n\n, `EXTENSIONS`\n\n,\n`GRAMMAR`\n\n, `analyze(...)`\n\n) and emits `Finding`\n\nobjects through a single shared\nfactory, so console, SARIF, CBOM, and JSON outputs all stay perfectly consistent.\n\n`pqc-scan`\n\nis a **static** analyzer. It is tuned for high-confidence, low-noise\ndetection, but a few caveats apply:\n\n**It flags presence, not necessarily exploitable risk.** A`PQC014`\n\ndependency match means a quantum-vulnerable library is declared, not that a vulnerable code path is exercised. Treat findings as an inventory to triage.**Dynamic / reflective crypto can be missed.** Algorithms chosen at runtime, built from string concatenation, or invoked through heavy indirection may not be resolved by static analysis.**Detection is best-effort across libraries.** Coverage targets the most common crypto APIs per language; exotic or in-house wrappers may not be recognized.**Configuration heuristics are pattern-based** and can occasionally over- or under-match unusual config layouts. Tune with`rules.disable`\n\nand`exclude`\n\n.\n\nUse `--changed-only`\n\nfor fast PR feedback, the full scan for an inventory/CBOM, and\nthe migration guidance attached to each finding as your remediation checklist.\n\nApache-2.0. See the project metadata in `pyproject.toml`\n\n.", "url": "https://wpnews.pro/news/pqc-scan-scan-your-codebase-for-quantum-vulnerable-cryptography", "canonical_source": "https://github.com/sachhg/pqc-scan", "published_at": "2026-07-07 14:24:17+00:00", "updated_at": "2026-07-07 14:29:51.653009+00:00", "lang": "en", "topics": ["ai-safety", "developer-tools"], "entities": ["pqc-scan", "NIST", "RSA", "ECDSA", "ML-KEM", "ML-DSA", "Shor's algorithm", "Snyk"], "alternates": {"html": "https://wpnews.pro/news/pqc-scan-scan-your-codebase-for-quantum-vulnerable-cryptography", "markdown": "https://wpnews.pro/news/pqc-scan-scan-your-codebase-for-quantum-vulnerable-cryptography.md", "text": "https://wpnews.pro/news/pqc-scan-scan-your-codebase-for-quantum-vulnerable-cryptography.txt", "jsonld": "https://wpnews.pro/news/pqc-scan-scan-your-codebase-for-quantum-vulnerable-cryptography.jsonld"}}