quantasyte
v0.2.1
Free + offline post-quantum and weak-crypto scanner. Finds RSA / ECDSA / ECDH, hardcoded secrets, SHA-1 / MD5, TLS misconfig. Outputs a PDF + CycloneDX CBOM. No signup, no telemetry, Apache 2.0.
Quantasyte CLI
Post-quantum + weak-crypto scanner. Runs entirely on your machine. Your source code never leaves your network.
🔒 Security & privacy first
If you only read one section, read this. Quantasyte is built specifically for security-conscious teams — including teams subject to DoD, FedRAMP, EU DORA, and FDA data-residency rules.
What we promise:
- ✅ Source code never leaves your machine. The default `quantasyte scan ./repo` makes ZERO network requests. We physically cannot see your code. There is no upload, no SaaS dependency, no "anonymous telemetry" — nothing.
- ✅ No analytics, no telemetry, no phone-home. The CLI doesn't track usage, doesn't send error reports, doesn't connect to our servers. You can run this on an air-gapped machine.
- ✅ Open source, auditable. Apache 2.0 license + patent grant. Source at https://github.com/mzon7/quantasyte-cli. Read every line before you run it; pin a specific version; vendor it into your own monorepo if you want.
- ✅ No account required. No signup, no email, no credit card. `npm install -g quantasyte` and you're done.
- ✅ Lightweight. ~32KB ESM bundle. Two npm dependencies (commander + Node built-ins). Auditable supply chain.
Optional cloud mode (opt-in only):
If — and only if — you explicitly run quantasyte scan ./repo --cloud, the CLI will upload findings metadata (file paths, line numbers, primitive types, severity) to our cloud and return a temp dashboard URL embedded in your local PDF report. Even in cloud mode, your source code does not leave your network. Only metadata about findings — never the code itself.
The cloud mode is for teams who want to share results with a CISO/auditor without giving them a Quantasyte account. The temp URL works for 30 days, no signup required to view.
For air-gapped / DoD / FedRAMP / strict-data-residency environments: stick with the default offline mode. Use --no-prompt to suppress the cloud signup CTA at the end of each scan.
Install
```sh
# npm (recommended)
npm install -g quantasyte

# pnpm
pnpm add -g @quantasyte/scanner

# yarn
yarn global add @quantasyte/scanner
```

(Homebrew + Cargo + PyPI installations coming soon.)
You'll need Node.js 18 or later. Install on a machine with internet access; the CLI then runs offline.
Quickstart
```sh
# Scan a directory — prints findings JSON to stdout
quantasyte scan ./path/to/your-repo

# Write findings to a file instead
quantasyte scan ./your-repo --output findings.json

# Machine-readable mode (no end-of-run prompt)
quantasyte scan ./your-repo --json

# Emit a CycloneDX 1.6 CBOM locally — no network. FDA / FedRAMP /
# OMB M-23-02 inventory submission format.
quantasyte scan ./your-repo --cbom inventory.json

# Emit a per-requirement compliance evaluation JSON locally. Covers
# all 28 requirements across NIST IR 8547, DORA Art. 16, FDA Cyber,
# NSA CNSA 2.0, FedRAMP PQ, NYDFS Part 500.
quantasyte scan ./your-repo --compliance compliance.json

# Emit the full audit packet PDF (cover letter + scope + framework
# mapping + sign-off block). Auditor-grade artefact for SOC 2 / FDA /
# FedRAMP / DoD submissions. Combine with --packet-label and
# --auditor-name to personalise.
quantasyte scan ./your-repo \
  --audit-packet packet.pdf \
  --packet-label "Q2 2026 SOC 2 Type II" \
  --auditor-name "Acme Audit Firm"

# NSA CNSA 2.0 strict whitelist mode — flags SHA-256, AES-128,
# AES-ECB, AES-CBC, TLS 1.2, wrong-parameter ML-KEM / ML-DSA,
# pre-standard Kyber / Dilithium. Use only for code intended for
# NSS / defense / IC deployment.
quantasyte scan ./your-repo --cnsa-strict
```

Output format is a stable, versioned JSON schema (quantasyte-cli-findings/v1) with summary counts + findings array. Easily piped into other tools.
CI: open fix-PRs without managing API keys
If you've connected the Quantasyte GitHub App on your repo (free at quantasyte.com/signup), the CLI can open one-line auto-fix PRs from CI runs — and you don't have to copy a long-lived API key into GitHub Actions secrets.
In GitHub Actions, grant the workflow an OIDC token and call quantasyte fix-pr:
```yaml
# .github/workflows/quantasyte-fix.yml
name: Quantasyte auto-fix
on:
  schedule:
    - cron: "0 6 * * 1" # weekly, Monday 6am UTC
  workflow_dispatch:
permissions:
  id-token: write # lets the CLI request an OIDC token — no secrets
  contents: read  # actions/checkout needs this once a permissions block is set
jobs:
  fix:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with: { node-version: 20 }
      - run: npx --yes quantasyte fix-pr ${{ vars.QUANTASYTE_SCAN_ID }}
```

The CLI auto-detects it's running in GitHub Actions, fetches a verified OIDC token from the runner, exchanges it at Quantasyte's API for a short-lived session, and opens the fix-PR. No secret to manage, no token rotation, no leaked-key risk.
Outside GitHub Actions, set QUANTASYTE_API_KEY (mint one at /settings/api-keys):
```sh
export QUANTASYTE_API_KEY=qs_...
quantasyte fix-pr scn_abc123...
```

Free-tier cap: 10 fix-PRs/month per GitHub installation. Same cap whether you trigger from the dashboard or from CI. Upgrade to Watch ($29.99/mo) for unlimited.
What it detects
- Post-quantum vulnerable cryptography: RSA, ECDSA, ECDH, DH, named-curve elliptic crypto (P-256, secp256k1), JWT RS256, library-mediated quantum-vulnerable handshake
- Weak / deprecated primitives: MD5, SHA-1, 3DES, DES, RC4
- TLS misconfiguration: TLS 1.0 / 1.1 minVersion settings
- Hardcoded secrets: API keys, AWS access keys, GitHub tokens, GCP service account keys, private key blocks
Across JavaScript, TypeScript, Go, Java, Python, Ruby, PHP, C#, C++.
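To make the detection categories above concrete, here is an added illustration (not Quantasyte's own rule set) of pattern rules for a few of them run over a constructed sample file, emitting findings in the shape the hooks later in this README read (`summary.bySeverity`, `findings[].severity/title/filePath/lineNumber`); the rules, severities and the `schema` field name are assumptions.

```javascript
// Added illustration, not Quantasyte's rule set: regex rules mirroring the
// README's detection categories, run over a constructed sample file. The
// output fields match what the README's hooks read; rules/severities are assumed.
const RULES = [
  { title: 'RSA key generation (quantum-vulnerable)', severity: 'high', re: /generateKeyPair(?:Sync)?\(\s*['"]rsa['"]/ },
  { title: 'Named-curve ECDH / ECDSA (quantum-vulnerable)', severity: 'high', re: /\b(?:createECDH|namedCurve)\b.*['"](?:P-256|prime256v1|secp256k1)['"]/ },
  { title: 'Weak hash (MD5 / SHA-1)', severity: 'medium', re: /createHash\(\s*['"](?:md5|sha1)['"]/i },
  { title: 'TLS minVersion permits TLS 1.0 / 1.1', severity: 'high', re: /minVersion\s*:\s*['"]TLSv1(?:\.1)?['"]/ },
  { title: 'Hardcoded AWS access key ID', severity: 'critical', re: /\bAKIA[0-9A-Z]{16}\b/ },
  { title: 'Private key block committed', severity: 'critical', re: /-----BEGIN (?:RSA |EC )?PRIVATE KEY-----/ },
];

// Scan one file's text line by line; every matching rule yields one finding.
function scanSource(filePath, source) {
  const findings = [];
  source.split('\n').forEach((line, idx) => {
    for (const rule of RULES) {
      if (rule.re.test(line)) {
        findings.push({ severity: rule.severity, title: rule.title, filePath, lineNumber: idx + 1 });
      }
    }
  });
  return findings;
}

// Roll findings up into the summary block a downstream gate reads.
function summarize(findings) {
  const bySeverity = {};
  for (const f of findings) bySeverity[f.severity] = (bySeverity[f.severity] || 0) + 1;
  return { schema: 'quantasyte-cli-findings/v1', summary: { total: findings.length, bySeverity }, findings };
}

// Constructed sample: a Node service file exhibiting several of the patterns.
const SAMPLE = [
  "const crypto = require('crypto');",
  "const { publicKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });",
  "const digest = crypto.createHash('md5').update(body).digest('hex');",
  "const server = tls.createServer({ minVersion: 'TLSv1', cert, key });",
  "const AWS_KEY = 'AKIAIOSFODNN7EXAMPLE'; // constructed, AWS's documented sample ID",
  "const ecdh = crypto.createECDH('secp256k1');",
].join('\n');

console.log(JSON.stringify(summarize(scanSource('src/server.js', SAMPLE)), null, 2));
```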
Optional: connect to the cloud (free)
The Quantasyte CLI is Apache 2.0 forever and complete by itself. If you want continuous monitoring without remembering to run the CLI manually, you can connect a free cloud account to get:
- Continuous monitoring on push to 1 connected GitHub repo
- Email alerts on critical findings (leaked credentials, hardcoded tokens)
- Compliance headline showing how your code maps to NIST IR 8547, DORA Article 16, FDA Cyber, NSA CNSA 2.0, FedRAMP PQ, NYDFS Part 500
- Quantum readiness PDF for your CISO / auditor
- Audit packet PDF (cryptographic inventory + migration roadmap, free download)
- 30-day scan history
- 10 automated remediation PRs / month (Quantasyte opens a PR against your GitHub repo, one commit per fix). Trigger from the dashboard OR from a CI workflow with `quantasyte fix-pr` — no API key needed in CI.
```sh
quantasyte signup
# Or visit https://quantasyte.com/signup
```

Paid tiers (live on Stripe)
Need more than Free? All paid tiers are live on Stripe Checkout. 14-day trials available; no credit card during trial.
| Tier | Price | What you get on top of Free |
|---|---|---|
| Watch | $29.99/mo (founder · list $49/mo) | Up to 5 repos · PR comments on every push · GitHub check-runs (warn or block) · 12-month history · unlimited fix PRs · unlimited email alerts |
| Comply | $999/mo (founder · annual $799/mo) | Full per-requirement breakdown · all 26 reqs × 6 frameworks · CycloneDX CBOM · FedRAMP POA&M · Vanta + Drata · quarterly snapshots · branded board PDFs · 5 orgs / 10 users |
| Comply Pro | $1,999/mo (founder) | Comply + Auditor Mode — read-only share link your external auditor opens in a browser without a Quantasyte account · watermarked + access-logged + revoke anytime · branded audit packets · 24h support |
| Enterprise | Custom | Hybrid / air-gapped deploy · SSO / SAML · audit logs · custom frameworks · DPA / MSA / BAA · CSM · 24h SLA |
See https://quantasyte.com/#pricing for the full breakdown, or email [email protected] for Comply Pro / Enterprise.
Run on every commit (pre-commit hook)
Add Quantasyte to your pre-commit pipeline so leaked secrets and weak crypto get caught before they reach git history. Pick the option that matches your stack — both block the commit when any critical finding appears.
husky + a tiny shell script
```sh
# 1. install husky if you haven't already
npx husky init

# 2. write the hook
cat > .husky/pre-commit <<'EOF'
#!/usr/bin/env sh
# Fail closed: if the scan itself errors out, block the commit instead of
# silently passing on an empty result.
findings=$(npx --no-install quantasyte scan . --json --no-prompt) || {
  echo "✘ Quantasyte: scan failed — commit blocked."
  exit 1
}
# Count critical findings; tolerate compact or pretty-printed JSON.
critical=$(echo "$findings" | grep -o '"severity":[[:space:]]*"critical"' | wc -l)
if [ "$critical" -gt 0 ]; then
  echo "✘ Quantasyte: $critical critical finding(s) — commit blocked."
  echo "$findings" | npx -p jq jq '.findings[] | select(.severity=="critical") | "\(.title) — \(.filePath):\(.lineNumber)"'
  exit 1
fi
EOF
chmod +x .husky/pre-commit
```

lefthook config
```yaml
# lefthook.yml
pre-commit:
  commands:
    quantasyte:
      run: npx --no-install quantasyte scan . --json --no-prompt | jq -e '.summary.bySeverity.critical // 0 | . == 0'
      fail_text: "Quantasyte found a critical issue. Run `quantasyte scan .` for details."
```

Both options run locally and never phone home. Tweak the threshold (critical → critical|high) if you want stricter gating.
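If you want a threshold that is easier to adjust than a grep count, here is an added example (not part of the Quantasyte CLI) of a small gate that consumes the findings JSON from `quantasyte scan . --json --no-prompt`, blocks at a chosen severity, and fails closed when the report is missing or unreadable. It assumes the field names the hooks above read (`findings[].severity/title/filePath/lineNumber`) and a constructed sample report.

```javascript
// Added example, not part of the Quantasyte CLI: a gate over the findings JSON
// emitted by `quantasyte scan . --json --no-prompt`. Assumed field names:
// findings[].severity/title/filePath/lineNumber (the ones the README's hooks
// read). An unreadable or incomplete report counts as blocked (fail closed).
const SEVERITY_RANK = { low: 0, medium: 1, high: 2, critical: 3 };

// Returns { blocked, reasons }; never throws.
function gate(reportJson, threshold = 'critical') {
  let report;
  try { report = JSON.parse(reportJson); } catch (err) {
    return { blocked: true, reasons: ['findings JSON could not be parsed: ' + err.message] };
  }
  if (!report || !Array.isArray(report.findings)) {
    return { blocked: true, reasons: ['report has no findings array'] };
  }
  const min = SEVERITY_RANK[threshold];
  if (min === undefined) return { blocked: true, reasons: ['unknown threshold: ' + threshold] };
  const reasons = report.findings
    .filter((f) => (SEVERITY_RANK[f.severity] ?? 0) >= min)
    .map((f) => `${f.severity}: ${f.title} - ${f.filePath}:${f.lineNumber}`);
  return { blocked: reasons.length > 0, reasons };
}

// Constructed sample report: one high, one medium, nothing critical.
const SAMPLE_REPORT = JSON.stringify({
  summary: { total: 2, bySeverity: { high: 1, medium: 1 } },
  findings: [
    { severity: 'high', title: 'RSA key generation', filePath: 'src/keys.js', lineNumber: 12 },
    { severity: 'medium', title: 'MD5 digest', filePath: 'src/hash.js', lineNumber: 4 },
  ],
});

// Hook usage: quantasyte scan . --json --no-prompt | node gate.js --stdin high
if (process.argv.includes('--stdin')) {
  const threshold = process.argv[process.argv.indexOf('--stdin') + 1] || 'critical';
  const result = gate(require('fs').readFileSync(0, 'utf8'), threshold);
  result.reasons.forEach((r) => console.error(r));
  process.exit(result.blocked ? 1 : 0);
} else {
  console.log('critical threshold:', gate(SAMPLE_REPORT, 'critical'));
  console.log('high threshold:', gate(SAMPLE_REPORT, 'high'));
}
```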
Frequently-asked security questions
"Does the CLI ever phone home?"
No. The default scan command (quantasyte scan) makes zero network requests. Verify with tcpdump, Little Snitch, or your firewall logs.
"What's in the cloud-mode payload?"
Findings metadata only: file paths (relative to the repo root), line numbers, rule subtypes, severity, finding count. No source code lines, no code snippets, no file contents. The exact wire format is in the open-source CLI source.
"Can we self-host the cloud component?"
Enterprise tier supports air-gapped / on-prem deployment of both the CLI and the dashboard. Cloud-free and Watch tiers use our hosted cloud.
"What license?"
Apache 2.0 + explicit patent grant. Compatible with proprietary use, commercial use, modification, redistribution. The patent grant covers Quantasyte's US patent on channel-decoupled hybrid handshake architecture.
"How do we verify the npm package?"
The package is published with npm provenance attestations (npm v9+). Source-of-record is https://github.com/mzon7/quantasyte-cli. Compare the published bundle hash against the GitHub release tag.
License
Apache 2.0. See LICENSE.
Patent grant: this software is covered by an explicit patent grant from Quantasyte, Inc. for use of the included implementation.
