# @precogs/cbom (precogs-cbom) v1.0.0

Enterprise-Grade Cryptographic Bill of Materials CLI

JavaScript (Node.js) · CycloneDX 1.6 · Post-Quantum Ready
cbom performs comprehensive cryptographic discovery across a target codebase and generates a
CycloneDX 1.6 Cryptographic Bill of Materials covering algorithms, certificates, keys, protocols,
crypto libraries, and hardcoded secrets — with risk scoring, post-quantum readiness analysis, and
compliance evaluation against eight major frameworks.
## Installation

```bash
npm install -g @precogs/cbom
```

Or run locally:

```bash
git clone <repo>
cd cbom-engine
npm install
node ./bin/cbom.js scan ./your-project
```

Requires Node.js ≥ 18. No network calls during a scan — all CVE / PQC data is bundled.
## Quick Start

```bash
# scan a project; emit JSON, Markdown, and HTML reports
cbom scan ./my-project --secrets-detect --pqc-check \
  --compliance pci-dss,fips-140,nist-pqc \
  --output cbom-report --fail-on critical
```

This produces:

- `cbom-report.json` — CycloneDX 1.6 CBOM
- `cbom-report.md` — human-readable findings report
- `cbom-report.html` — interactive dashboard (open in a browser)
## CLI Flags

| Flag | Description | Default |
|------|-------------|---------|
| `-o, --output <file>` | Output base path (extension auto-added) | `cbom-report` |
| `-f, --format <fmt>` | `cyclonedx`, `markdown`, `html`, or `all` | `all` |
| `-c, --compliance <list>` | Comma-separated frameworks (see below) | none |
| `--pqc-check` | Enable post-quantum analysis section | always on |
| `--secrets-detect` | Enable hardcoded secret + entropy detection | off |
| `--exclude <patterns>` | Comma-separated glob patterns to skip | `node_modules,dist,.git` |
| `--min-risk <level>` | Lowest level to include: `critical`/`high`/`medium`/`low`/`safe` | `low` |
| `--fail-on <level>` | Exit code 1 if findings at or above this level exist | `critical` |
| `--no-color` | Disable colored CLI output | color on |
| `--json-summary` | Print a one-line JSON summary to stdout | off |
Additional commands:

```bash
cbom validate <cbom.json>             # validates a CycloneDX 1.6 CBOM file
cbom diff <cbomA.json> <cbomB.json>   # shows added/removed components between scans
cbom tui <cbom.json>                  # open the interactive browser on a saved report
```

## Terminal UI (TUI)
When stdout is a TTY, cbom scan automatically launches a multi-panel live dashboard
during the scan, then drops into an interactive findings browser when it completes.
| Key | Action |
|-----|--------|
| ↑ ↓ / j k | navigate findings |
| a c h m l s | filter by severity (all/critical/high/medium/low/safe) |
| t | cycle type filter (algorithm/cert/key/protocol/library/secret) |
| / | search by file or identifier (Esc clears) |
| o | open selected file in $EDITOR |
| e | export current filtered set → cbom-tui-export.json |
| ? | help |
| q / Ctrl-C | quit |
Disable the TUI for CI / piped output with --no-tui. Disable just the post-scan browser
with --no-browser (live dashboard still runs).
Project-level ignore is also supported: drop a .cbomignore (gitignore-style) in your project root.
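To show what the `cbom diff` command listed under Additional commands has to work with, here is an added example of a minimal diff over two CycloneDX 1.6 CBOM documents of the shape this README shows. It is not the project's own implementation. It assumes (our choice, not documented by the project) that two scans of the same project may assign different `bom-ref` values, so cryptographic assets are matched by `assetType` + `name` instead; the sample documents are constructed, not real scan output.

```javascript
// Added example, not the @precogs/cbom implementation: a minimal version of what
// `cbom diff <cbomA.json> <cbomB.json>` reports. Assumption (ours): bom-ref values
// are not stable across scans, so assets are keyed by assetType + name.

function assetKey(component) {
  const assetType = component.cryptoProperties?.assetType ?? "unknown";
  return `${assetType}:${component.name}`;
}

// Returns sorted lists of asset keys present only in the newer CBOM (added) or
// only in the older one (removed). Components that are not cryptographic assets
// (e.g. plain library entries) are ignored here.
function diffCboms(olderCbom, newerCbom) {
  const cryptoOnly = (c) => c.type === "cryptographic-asset";
  const before = new Set((olderCbom.components ?? []).filter(cryptoOnly).map(assetKey));
  const after = new Set((newerCbom.components ?? []).filter(cryptoOnly).map(assetKey));
  return {
    added: [...after].filter((k) => !before.has(k)).sort(),
    removed: [...before].filter((k) => !after.has(k)).sort(),
  };
}

// Constructed sample CBOMs (not real scan output): the second scan replaced
// AES-128-ECB with AES-256-GCM, still uses MD5, and got fresh bom-ref values.
const scanA = {
  bomFormat: "CycloneDX",
  specVersion: "1.6",
  components: [
    { type: "cryptographic-asset", "bom-ref": "algo-1", name: "AES-128-ECB",
      cryptoProperties: { assetType: "algorithm" } },
    { type: "cryptographic-asset", "bom-ref": "algo-2", name: "MD5",
      cryptoProperties: { assetType: "algorithm" } },
    { type: "library", "bom-ref": "lib-1", name: "node-forge" },
  ],
};
const scanB = {
  bomFormat: "CycloneDX",
  specVersion: "1.6",
  components: [
    { type: "cryptographic-asset", "bom-ref": "algo-9", name: "AES-256-GCM",
      cryptoProperties: { assetType: "algorithm" } },
    { type: "cryptographic-asset", "bom-ref": "algo-8", name: "MD5",
      cryptoProperties: { assetType: "algorithm" } },
  ],
};

console.log(JSON.stringify(diffCboms(scanA, scanB), null, 2));
```

A diff keyed this way tells you that an ECB use disappeared and a GCM use appeared, while the unchanged MD5 finding is not reported as churn just because its `bom-ref` changed between runs.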
## Sample Output

```text
cbom v1.0.0 — Cryptographic Bill of Materials Engine
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
✔ Scan complete — 9 files analyzed
✔ Algorithm Scanner — 8 findings (5 critical)
✔ Certificate Scanner — 3 findings (2 critical)
✔ Key Scanner — 1 findings (1 critical)
✔ Protocol Scanner — 9 findings (6 critical)
✔ Library Scanner — 5 findings (1 critical)
✔ Secret Scanner — 7 findings (4 critical)
✔ PQC Scanner — 5 vulnerable assets

╭───────────────────────────────────────────────────────────╮
│ OVERALL RISK SCORE: 0/100 F 🔴                            │
│ 🔴 CRITICAL      20 findings                              │
│ 🟠 HIGH           6 findings                              │
│ 🟡 MEDIUM         4 findings                              │
│ 🟢 LOW            2 findings                              │
│ ⚛️ POST-QUANTUM: 5 vulnerable assets (HIGH RISK)          │
│ Compliance:                                               │
│   FAIL  PCI DSS 4.0                                       │
│   FAIL  FIPS 140-3                                        │
╰───────────────────────────────────────────────────────────╯
```

## Coverage Matrix
| Scanner | Detects |
|---------|---------|
| Algorithm | AES variants & modes, DES/3DES/RC4/Blowfish/IDEA, RSA/DSA/ECC sizes, SHA family + MD5, HMAC variants, ChaCha20, Ed25519/X25519, PQC (ML-KEM, ML-DSA, SLH-DSA, FALCON). JS/TS, Python, Java, Go, Ruby, PHP, C/C++, Rust patterns. |
| Certificate | X.509 PEM/DER/P12 — expiry & 47-day mandate, self-signed, weak signatures (SHA-1/MD5), weak key sizes, SAN/EKU/CA flags. |
| Key | Private key files (PEM, OpenSSH, PKCS#8, GPG), file permissions, encryption status, hardcoded keys in source. |
| Protocol | TLS 1.0/1.1/SSLv2/SSLv3 detection in nginx/apache/IaC/source. Weak cipher suites (NULL, EXPORT, RC4, 3DES, anonymous). SSH algorithms (ssh-rsa, ssh-dss). HSTS configuration. |
| Library | Crypto dependencies + bundled CVE history (node-forge, jsonwebtoken, crypto-js, cryptography, PyJWT, pycrypto, openssl, bouncycastle, phpseclib, ring, etc.). |
| Secret | 25+ provider-specific token regexes (AWS, GitHub, Stripe, GCP, Slack, Twilio, etc.) plus Shannon-entropy detection on string literals. |
| PQC | Cross-references all findings against NIST FIPS 203/204/205. Migration priority ranking. CNSA 2.0 timeline. |
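The Secret row above names Shannon-entropy detection on string literals. The following is an added example of that heuristic, not the Secret Scanner's own code: it extracts quoted string literals from source text, computes the Shannon entropy (bits per character) of each, and reports literals that are both long enough and high-entropy enough to deserve a look. The minimum length (20) and threshold (4.5 bits) are assumptions chosen for illustration, and the token-looking value in the sample source is made up, not a real credential.

```javascript
// Added example (not the @precogs/cbom Secret Scanner): Shannon entropy over
// string literals as a hardcoded-secret heuristic. Threshold and minimum
// length are illustrative assumptions, not the tool's settings.

// Shannon entropy in bits per character; 0 for a constant string,
// log2(alphabet size) when every character is equally frequent.
function shannonEntropy(str) {
  if (str.length === 0) return 0;
  const counts = new Map();
  for (const ch of str) counts.set(ch, (counts.get(ch) ?? 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / str.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Extract the contents of double- and single-quoted literals on one line,
// honouring backslash escapes so an escaped quote does not end the literal.
function stringLiterals(line) {
  const out = [];
  const re = /"([^"\\]*(?:\\.[^"\\]*)*)"|'([^'\\]*(?:\\.[^'\\]*)*)'/g;
  let m;
  while ((m = re.exec(line)) !== null) out.push(m[1] ?? m[2]);
  return out;
}

// Scan source text; return {line, literal, entropy} for literals that are at
// least minLength characters long and at or above the entropy threshold.
function findHighEntropyLiterals(source, { minLength = 20, threshold = 4.5 } = {}) {
  const findings = [];
  source.split("\n").forEach((text, idx) => {
    for (const lit of stringLiterals(text)) {
      if (lit.length < minLength) continue;
      const h = shannonEntropy(lit);
      if (h >= threshold) {
        findings.push({ line: idx + 1, literal: lit, entropy: Number(h.toFixed(2)) });
      }
    }
  });
  return findings;
}

// Constructed sample source. Ordinary prose and a URL have entropy below the
// threshold; the 31-character random-looking value (made up) is above it.
const sampleSource = [
  'const greeting = "Welcome back to the dashboard";',
  'const apiToken = "q7Zx9pL2mK4vN8bR1tW6yH3jF5sD0aG";',
  'const url = "https://example.com/api/v1/health";',
].join("\n");

console.log(findHighEntropyLiterals(sampleSource));
```

Entropy alone cannot tell a secret from a hash, a UUID or a base64 blob, which is why the tool pairs it with provider-specific token regexes; the length floor keeps short identifiers and words from being reported.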
## Compliance Frameworks

```bash
--compliance pci-dss,fips-140,hipaa,nist-pqc,cnsa-2,iso-27001,soc2,fedramp
```
| ID | Standard |
|----|----------|
| pci-dss | PCI DSS 4.0 — Req 3.5.1, 4.2.1, 8.3.2, 6.4.3, 3.7 |
| fips-140 | NIST FIPS 140-3 approved algorithm enforcement |
| hipaa | HIPAA Security Rule 164.312, 164.308 |
| nist-pqc | NIST FIPS 203 (ML-KEM), 204 (ML-DSA), 205 (SLH-DSA) |
| cnsa-2 | NSA Commercial National Security Algorithm Suite 2.0 |
| iso-27001 | ISO/IEC 27001:2022 — Annex A cryptographic controls |
| soc2 | SOC 2 Trust Services Criteria (CC6.1, CC6.7, CC6.8, CC7.2) |
| fedramp | FedRAMP SC-13, SC-8, SC-12, IA-5 |
## CycloneDX 1.6 Output (snippet)

```json
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:3ea6c70e-921f-44af-8879-fc9e78c6b359",
  "components": [
    {
      "type": "cryptographic-asset",
      "bom-ref": "algo-...",
      "name": "AES-128-ECB",
      "cryptoProperties": {
        "assetType": "algorithm",
        "algorithmProperties": {
          "primitive": "ae", "parameterSetIdentifier": "128",
          "mode": "ecb", "padding": "unknown",
          "cryptoFunctions": ["encrypt","decrypt"],
          "classicalSecurityLevel": 128, "nistQuantumSecurityLevel": null
        }
      },
      "evidence": { "occurrences": [{ "location": "auth.js", "line": 16 }] }
    }
  ],
  "vulnerabilities": [{ "id": "CWE-327", "ratings": [{ "severity": "high" }] }]
}
```

## Architecture
```text
┌──────────────┐      ┌──────────────┐               ┌──────────────┐
│     CLI      │ ──▶  │    Engine    │     ──▶       │  Aggregator  │
│  commander   │      │  scanner.js  │               │ dedupe+rank  │
└──────────────┘      └──────┬───────┘               └──────┬───────┘
                             │                              │
                 ┌───────────┴────────────┐                 │
                 │                        │                 ▼
         ┌───────▼─────────┐       ┌──────▼─────┐    ┌──────────────┐
         │   7 Scanners    │       │    Risk    │    │    Output    │
         │ algorithm/cert/ │       │  Scorer +  │    │  CycloneDX/  │
         │ key/proto/lib/  │       │ PQC rules  │    │   MD/HTML    │
         │   secret/pqc    │       └────────────┘    └──────────────┘
         └─────────────────┘
                 │
         ┌───────▼────────────────┐
         │      data/*.json       │
         │  weak algos · PQC ·    │
         │ secret regexes · CVEs  │
         └────────────────────────┘
```

## Exit Codes
| Code | Meaning |
|------|---------|
| 0 | Scan succeeded; no findings at or above --fail-on level |
| 1 | Scan succeeded; findings present at the configured fail threshold |
| 2 | Scan error (bad path, parse failure, etc.) |
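Once the exit code has gated the pipeline, the next thing a CI step usually does is read the `cbom-report.json` that was written. The following is an added example (not part of @precogs/cbom, and not the `cbom validate` implementation) of consuming a CycloneDX 1.6 CBOM of the shape shown in the output snippet above: it checks the header fields, counts cryptographic assets per `assetType`, lists algorithm assets whose `nistQuantumSecurityLevel` is null or 0 as candidates for post-quantum review, calls out ECB mode, and tallies vulnerability severities. The sample document is constructed; its `serialNumber` is a placeholder, and treating a null quantum security level as "needs PQC review" is our assumption, not a rule the project states.

```javascript
// Added example, not the @precogs/cbom code: a post-scan consumer for the
// CycloneDX 1.6 CBOM the tool writes. Assumption (ours): a null or 0
// nistQuantumSecurityLevel on an algorithm asset puts it on the PQC review list.

// Light header checks; returns a list of problems (empty when the header is sane).
function validateHeader(cbom) {
  const errors = [];
  if (cbom.bomFormat !== "CycloneDX") errors.push("bomFormat must be CycloneDX");
  if (cbom.specVersion !== "1.6") errors.push(`unsupported specVersion ${cbom.specVersion}`);
  if (!Array.isArray(cbom.components)) errors.push("components must be an array");
  return errors;
}

function summarizeCbom(cbom) {
  const errors = validateHeader(cbom);
  if (errors.length) throw new Error(errors.join("; "));
  const summary = { byAssetType: {}, pqcReview: [], weakMode: [], bySeverity: {} };
  for (const c of cbom.components) {
    if (c.type !== "cryptographic-asset") continue;
    const props = c.cryptoProperties ?? {};
    const type = props.assetType ?? "unknown";
    summary.byAssetType[type] = (summary.byAssetType[type] ?? 0) + 1;
    const algo = props.algorithmProperties;
    if (!algo) continue; // certificates, keys, protocols carry other property sets
    const where = (c.evidence?.occurrences ?? []).map((o) => `${o.location}:${o.line}`);
    const qLevel = algo.nistQuantumSecurityLevel;
    if (qLevel === null || qLevel === undefined || qLevel === 0) {
      summary.pqcReview.push({ name: c.name, where });
    }
    if (algo.mode === "ecb") summary.weakMode.push({ name: c.name, where });
  }
  for (const v of cbom.vulnerabilities ?? []) {
    for (const r of v.ratings ?? []) {
      summary.bySeverity[r.severity] = (summary.bySeverity[r.severity] ?? 0) + 1;
    }
  }
  return summary;
}

// Constructed sample CBOM (placeholder serialNumber, not real scan output).
const sampleCbom = {
  bomFormat: "CycloneDX",
  specVersion: "1.6",
  serialNumber: "urn:uuid:00000000-0000-0000-0000-000000000000",
  components: [
    { type: "cryptographic-asset", "bom-ref": "algo-1", name: "AES-128-ECB",
      cryptoProperties: { assetType: "algorithm", algorithmProperties: {
        primitive: "ae", parameterSetIdentifier: "128", mode: "ecb", padding: "unknown",
        cryptoFunctions: ["encrypt", "decrypt"],
        classicalSecurityLevel: 128, nistQuantumSecurityLevel: null } },
      evidence: { occurrences: [{ location: "auth.js", line: 16 }] } },
    { type: "cryptographic-asset", "bom-ref": "algo-2", name: "ML-KEM-768",
      cryptoProperties: { assetType: "algorithm", algorithmProperties: {
        primitive: "kem", parameterSetIdentifier: "768",
        cryptoFunctions: ["keygen", "encapsulate", "decapsulate"],
        nistQuantumSecurityLevel: 3 } },
      evidence: { occurrences: [{ location: "kex.js", line: 4 }] } },
    { type: "cryptographic-asset", "bom-ref": "cert-1", name: "CN=example.com",
      cryptoProperties: { assetType: "certificate" } },
  ],
  vulnerabilities: [{ id: "CWE-327", ratings: [{ severity: "high" }] }],
};

console.log(JSON.stringify(summarizeCbom(sampleCbom), null, 2));
```

In a real pipeline you would replace `sampleCbom` with `JSON.parse(fs.readFileSync("cbom-report.json", "utf8"))`; the `where` strings come straight from the `evidence.occurrences` entries, so each review item points at a file and line.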
## Contributing

Contributions welcome — see agent.md for the full design spec and roadmap.

PRs should:

- Add new findings to the appropriate `data/*.json` rather than hardcoding rules in scanners.
- Include a test fixture under `test/fixtures/` exercising the new detection.
- Document any new CLI flags in this README.

## License

MIT © Precogs.ai
