quantumscan
v1.9.0
Published
Post-quantum cryptography scanner — find quantum-vulnerable algorithms in your codebase, Solidity contracts, and Substrate/Polkadot pallets
Maintainers
Readme
QuantumScan — scanner-core
Find quantum-vulnerable cryptography in your codebase — before it becomes a compliance problem.
QuantumScan detects classical cryptographic algorithms (RSA, ECDSA, AES-128, SHA-1…) that are vulnerable to quantum computers and maps them to their post-quantum replacements from NIST FIPS 203/204/205.
Quick Start
# Scan any public GitHub repo — free, no login required
curl -X POST https://quantumscan.io/api/scan \
-H "Content-Type: application/json" \
-d '{"email":"[email protected]","repoUrl":"https://github.com/owner/repo"}'Or use the web UI at quantumscan.io — paste a repo URL and get a full risk report in seconds.
What gets detected
| Severity | Examples | |---|---| | CRITICAL | MD5, SHA-1, DES, SSLv3/TLS<1.2 | | HIGH | RSA, ECDSA, ECDH, DSA (all quantum-broken) | | MEDIUM | AES-128 (needs upgrade to AES-256) | | LOW | HMAC-SHA1, hardcoded key literals |
Most recently detected in the wild: ECDSA — appearing in 515 scans.
→ See STATS.md for live numbers updated every 24h.
Why post-quantum now?
NIST finalized ML-KEM (key encapsulation) and ML-DSA (signatures) in August 2024. DORA, NIS2, and ISO 27001:2022 compliance frameworks are already referencing PQC readiness. The migration window is 3–7 years — planning starts today.
PQC replacements
| Classical | Quantum replacement | |---|---| | RSA / ECDSA | ML-DSA (FIPS 204) | | ECDH / DH | ML-KEM (FIPS 203) | | SHA-1 | SHA-3 / SHA-256+ | | AES-128 | AES-256 |
Substrate / Polkadot
Use --substrate to enable 19 Substrate-specific PQC patterns covering BABE/GRANDPA consensus keys, custom pallet crypto, XCM signing, and ink! smart contracts.
npx quantumscan ./my-parachain --substrateWhat gets detected with --substrate:
| Pattern group | Covered APIs |
|---|---|
| BABE/GRANDPA keys | BabeId, GrandpaId, sr25519::Pair, ed25519::Pair, impl_opaque_keys!, LocalKeystore::open, KeystorePtr |
| Pallet crypto | sp_runtime::traits::Verify, MultiSignature, sp_core::sr25519/ed25519, sp_io::crypto::* |
| XCM signing | OriginKind::SovereignAccount, xcm::prelude::*, Junction::AccountId32, xcm_executor::XcmExecutor |
| ink! contracts | ink::env::ecdsa_recover, ink::env::sr25519_verify, self.env().caller() |
| Rust crates | schnorrkel, ed25519-dalek, x25519-dalek, libp2p-noise |
Example output:
QuantumScan v1.9.0 Substrate/Polkadot PQC Analysis
──────────────────────────────────────────────────────────
Workspace Substrate/Polkadot detected
Pallets 3 found (pallets/staking, pallets/identity, pallets/session)
ink! 2 contract(s) found
Crates frame-support, sp-core, sp-runtime, schnorrkel… +4
Patterns 19 Substrate-specific PQC patterns active
🟠 HIGH 12 findings
pallets/staking/src/lib.rs:42 BABE Authority Key (sr25519) `BabeId`
pallets/staking/src/lib.rs:89 Substrate Session Keys `impl_opaque_keys! {`
contracts/token/src/lib.rs:31 ink! ECDSA Recovery (secp256k1) `self.env().ecdsa_recover`
...
Risk Score 85/100 High RiskMigration paths:
| Algorithm | PQC replacement | |---|---| | sr25519 / BABE | ML-DSA (CRYSTALS-Dilithium) — await sp-core PQC RFC | | ed25519 / GRANDPA | ML-DSA or SLH-DSA — await Substrate PQC pallets | | x25519 / libp2p-noise | ML-KEM (CRYSTALS-Kyber) — await libp2p PQC KEX | | ink! ECDSA | ML-DSA when ink! adds PQC host functions |
Running tests:
npm test
# → 60 tests pass, 6 groups, 0 failures
# Node.js built-in test runner — no extra dependenciesDocker:
docker run --rm -v $(pwd):/target quantumscan/scanner /target --substrateContributing
Open issues for new patterns you'd like detected. PRs welcome — see CONTRIBUTING.md if it exists, or just open a PR with:
- The regex pattern
- Which algorithm it targets
- Severity (critical/high/medium/low)
- A PQC alternative
The inbound-pr-agent reviews PRs daily and will respond within 24h.
Stats auto-updated: 2026-06-23 17:03 UTC | quantumscan.io
