pqaudit 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 PQCWorld
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,180 @@
+# pqaudit
+
+Scan codebases for quantum-vulnerable cryptography. Get a clear picture of what needs to migrate before [Q-Day](https://en.wikipedia.org/wiki/Q-day).
+
+pqaudit detects usage of RSA, ECDSA, Ed25519, ECDH, DH, and other algorithms broken by Shor's algorithm. It also identifies already-migrated PQC usage (ML-KEM, ML-DSA, SLH-DSA) so you can track migration progress. Output as human-readable text, JSON, [CycloneDX CBOM](https://cyclonedx.org/capabilities/cbom/), or [SARIF](https://sarifweb.azurewebsites.net/) for GitHub Code Scanning.
+
+## Why now
+
+On March 31, 2026, Google published research showing that breaking ECDSA-256 requires [20x fewer qubits than previously estimated](https://research.google/blog/safeguarding-cryptocurrency-by-disclosing-quantum-vulnerabilities-responsibly/) — roughly 1,200 logical qubits and under 500,000 physical qubits. NSA's CNSA 2.0 mandates PQC for new national security systems by 2027. The migration window is open but closing.
+
+## Install
+
+```bash
+npx pqaudit ./my-project
+```
+
+Or install globally:
+
+```bash
+npm install -g pqaudit
+pqaudit ./my-project
+```
+
+## Usage
+
+```bash
+# Scan current directory, human-readable output
+pqaudit .
+
+# Only show critical and high findings
+pqaudit ./src --severity high
+
+# Generate CycloneDX CBOM
+pqaudit . --format cbom --output cbom.json
+
+# Generate SARIF for GitHub Code Scanning
+pqaudit . --format sarif --output results.sarif
+
+# CI mode — exit code 1 if critical/high findings exist
+pqaudit . --ci
+
+# Skip dependency scanning
+pqaudit . --no-deps
+
+# Use custom rules
+pqaudit . --rules ./my-rules.yaml
+```
+
+## Example output
+
+```
+  pqaudit — Post-Quantum Cryptography Readiness Scanner
+  Scanned: ./my-project
+  Date: 2026-04-01T00:00:00.000Z
+
+  NOT PQC READY — Quantum-vulnerable cryptography detected
+
+  Files scanned: 65  |  Findings: 18
+  Critical: 12  High: 2  Medium: 1  Low: 0  Safe: 3
+
+  --- CRITICAL (12) ---
+
+  [!!] Ed25519 — Ed25519 signatures — elliptic curve, vulnerable to Shor's algorithm
+      src/crypto/signing.ts:14
+      > import { sign, verify } from "@noble/ed25519";
+      Fix: ML-DSA-65 (FIPS 204) or hybrid Ed25519+ML-DSA-65
+      Confidence: 90% | Effort: moderate | Via: regex
+  ...
+```
+
+## What it detects
+
+### Critical (quantum-vulnerable — must migrate)
+
+| Algorithm | Threat | Replacement |
+|-----------|--------|-------------|
+| RSA (any key size) | Shor's algorithm | ML-KEM-768 / ML-DSA-65 |
+| ECDSA / Ed25519 | Shor's on elliptic curves | ML-DSA-65 (FIPS 204) |
+| ECDH / X25519 / DH | Shor's on key exchange | ML-KEM-768 (FIPS 203) |
+| DSA | Shor's algorithm | ML-DSA-65 (FIPS 204) |
+
+### High (weakened by quantum)
+
+| Algorithm | Threat | Replacement |
+|-----------|--------|-------------|
+| AES-128 | Grover reduces to 64-bit | AES-256 |
+
+### Safe (already quantum-resistant)
+
+ML-KEM (Kyber), ML-DSA (Dilithium), SLH-DSA (SPHINCS+), AES-256, ChaCha20-Poly1305, SHA-256, SHA-3
+
+## Output formats
+
+### CycloneDX CBOM
+
+Generates a [Cryptographic Bill of Materials](https://cyclonedx.org/capabilities/cbom/) conforming to CycloneDX 1.6. Each cryptographic finding becomes a `crypto-asset` component with `cryptoProperties`, NIST quantum security levels, and evidence locations.
+
+```bash
+pqaudit . --format cbom --output cbom.json
+```
+
+### SARIF (GitHub Code Scanning)
+
+Generates SARIF 2.1.0 output compatible with GitHub's code scanning. Upload via `github/codeql-action/upload-sarif`.
+
+```bash
+pqaudit . --format sarif --output results.sarif
+```
+
+## GitHub Action
+
+```yaml
+name: PQC Audit
+on: [push, pull_request]
+jobs:
+  pqaudit:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: "20"
+      - run: npx pqaudit . --format sarif --output pqaudit.sarif --ci
+      - uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: pqaudit.sarif
+          category: pqaudit
+```
+
+## Dependency scanning
+
+pqaudit checks `package.json` for known cryptographic libraries and flags quantum-vulnerable dependencies:
+
+- `@noble/ed25519`, `@noble/secp256k1` — ECC signatures
+- `tweetnacl`, `elliptic`, `node-rsa` — various asymmetric crypto
+- `jsonwebtoken`, `jose` — JWT libraries (typically RSA/ECDSA)
+- `@solana/web3.js`, `ethers`, `web3` — blockchain (Ed25519/secp256k1)
+- `@noble/post-quantum` — flagged as **safe**
+
+## Custom rules
+
+Rules are defined in YAML:
+
+```yaml
+- id: MY_CUSTOM_RULE
+  description: "Custom quantum-vulnerable pattern"
+  severity: critical
+  category: signature
+  algorithm: MyAlgo
+  replacement: ML-DSA-65
+  effort: complex
+  languages: ["javascript", "typescript"]
+  patterns:
+    - "myVulnerableFunction\\("
+    - "import.*myVulnerableLib"
+```
+
+## Detection methods
+
+Currently implements L0 (regex) detection. Planned:
+
+- **L1**: AST-based analysis via tree-sitter for semantic understanding and fewer false positives
+- **L2**: Data flow / taint analysis for tracing cryptographic data through call chains
+- **Network scanning**: TLS/SSH endpoint analysis
+- **More languages**: Cargo.toml, build.gradle, requirements.txt dependency scanning
+
+## References
+
+- [NIST FIPS 203 — ML-KEM](https://csrc.nist.gov/pubs/fips/203/final)
+- [NIST FIPS 204 — ML-DSA](https://csrc.nist.gov/pubs/fips/204/final)
+- [NIST FIPS 205 — SLH-DSA](https://csrc.nist.gov/pubs/fips/205/final)
+- [NSA CNSA 2.0 Timeline](https://media.defense.gov/2022/Sep/07/2003071836/-1/-1/0/CSI_CNSA_2.0_FAQ_.PDF)
+- [CycloneDX CBOM Specification](https://cyclonedx.org/capabilities/cbom/)
+- [Google PQC Migration Timeline (March 2026)](https://blog.google/innovation-and-ai/technology/safety-security/cryptography-migration-timeline/)
+- [Google Quantum Vulnerability Research (March 2026)](https://research.google/blog/safeguarding-cryptocurrency-by-disclosing-quantum-vulnerabilities-responsibly/)
+
+## License
+
+MIT

package/dist/cli.d.ts

@@ -0,0 +1,3 @@
+#!/usr/bin/env node
+export {};
+//# sourceMappingURL=cli.d.ts.map

package/dist/cli.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":""}

package/dist/cli.js

@@ -0,0 +1,69 @@
+#!/usr/bin/env node
+import { writeFileSync } from "node:fs";
+import { Command } from "commander";
+import { scan } from "./scanner/engine.js";
+import { formatText } from "./reporter/text.js";
+import { formatJson } from "./reporter/json.js";
+import { formatCbom } from "./reporter/cbom.js";
+import { formatSarif } from "./reporter/sarif.js";
+const program = new Command();
+program
+    .name("pqaudit")
+    .description("Scan codebases for quantum-vulnerable cryptography and generate a Cryptographic Bill of Materials (CBOM)")
+    .version("0.1.0")
+    .argument("[target]", "Directory to scan", ".")
+    .option("-f, --format <format>", "Output format: text, json, cbom, sarif", "text")
+    .option("-o, --output <file>", "Write output to file instead of stdout")
+    .option("-s, --severity <level>", "Minimum severity to report: critical, high, medium, low, safe", "safe")
+    .option("--no-deps", "Skip dependency scanning")
+    .option("--include <patterns...>", "File patterns to include")
+    .option("--exclude <patterns...>", "Additional file patterns to exclude")
+    .option("--rules <dir>", "Path to custom rules YAML file")
+    .option("--ci", "Exit with code 1 if critical/high findings exist")
+    .action(async (target, opts) => {
+    const config = {
+        target,
+        format: opts.format,
+        output: opts.output,
+        minSeverity: opts.severity,
+        scanDependencies: opts.deps !== false,
+        include: opts.include,
+        exclude: opts.exclude,
+        rulesDir: opts.rules,
+    };
+    const result = await scan(config);
+    let output;
+    switch (config.format) {
+        case "json":
+            output = formatJson(result);
+            break;
+        case "cbom":
+            output = formatCbom(result);
+            break;
+        case "sarif":
+            output = formatSarif(result);
+            break;
+        case "text":
+        default:
+            output = formatText(result);
+            break;
+    }
+    if (config.output) {
+        writeFileSync(config.output, output, "utf-8");
+        if (config.format === "text") {
+            console.log(`Results written to ${config.output}`);
+        }
+    }
+    else {
+        console.log(output);
+    }
+    // CI mode: exit 1 if critical or high findings
+    if (opts.ci) {
+        const { critical, high } = result.summary.bySeverity;
+        if (critical > 0 || high > 0) {
+            process.exit(1);
+        }
+    }
+});
+program.parse();
+//# sourceMappingURL=cli.js.map

package/dist/cli.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cli.js","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":";AAEA,OAAO,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AACxC,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,IAAI,EAAE,MAAM,qBAAqB,CAAC;AAC3C,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAChD,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAChD,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAChD,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAGlD,MAAM,OAAO,GAAG,IAAI,OAAO,EAAE,CAAC;AAE9B,OAAO;KACJ,IAAI,CAAC,SAAS,CAAC;KACf,WAAW,CACV,0GAA0G,CAC3G;KACA,OAAO,CAAC,OAAO,CAAC;KAChB,QAAQ,CAAC,UAAU,EAAE,mBAAmB,EAAE,GAAG,CAAC;KAC9C,MAAM,CACL,uBAAuB,EACvB,wCAAwC,EACxC,MAAM,CACP;KACA,MAAM,CAAC,qBAAqB,EAAE,wCAAwC,CAAC;KACvE,MAAM,CACL,wBAAwB,EACxB,+DAA+D,EAC/D,MAAM,CACP;KACA,MAAM,CAAC,WAAW,EAAE,0BAA0B,CAAC;KAC/C,MAAM,CAAC,yBAAyB,EAAE,0BAA0B,CAAC;KAC7D,MAAM,CAAC,yBAAyB,EAAE,qCAAqC,CAAC;KACxE,MAAM,CAAC,eAAe,EAAE,gCAAgC,CAAC;KACzD,MAAM,CAAC,MAAM,EAAE,kDAAkD,CAAC;KAClE,MAAM,CAAC,KAAK,EAAE,MAAc,EAAE,IAAI,EAAE,EAAE;IACrC,MAAM,MAAM,GAAe;QACzB,MAAM;QACN,MAAM,EAAE,IAAI,CAAC,MAAM;QACnB,MAAM,EAAE,IAAI,CAAC,MAAM;QACnB,WAAW,EAAE,IAAI,CAAC,QAAoB;QACtC,gBAAgB,EAAE,IAAI,CAAC,IAAI,KAAK,KAAK;QACrC,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,QAAQ,EAAE,IAAI,CAAC,KAAK;KACrB,CAAC;IAEF,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,CAAC;IAElC,IAAI,MAAc,CAAC;IACnB,QAAQ,MAAM,CAAC,MAAM,EAAE,CAAC;QACtB,KAAK,MAAM;YACT,MAAM,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC;YAC5B,MAAM;QACR,KAAK,MAAM;YACT,MAAM,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC;YAC5B,MAAM;QACR,KAAK,OAAO;YACV,MAAM,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC;YAC7B,MAAM;QACR,KAAK,MAAM,CAAC;QACZ;YACE,MAAM,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC;YAC5B,MAAM;IACV,CAAC;IAED,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;QAClB,aAAa,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC;QAC9C,IAAI,MAAM,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;YAC7B,OAAO,CAAC,GAAG,CAAC,sBAAsB,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC;QACrD,CAAC;IACH,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACtB,CAAC;IAED,+CAA+C;IAC/C,IAAI,IAAI,CAAC,EAAE,EAAE,CAAC;QACZ,MAAM,EAAE,QAAQ,EAAE,IAAI,EAAE,GAAG,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC;QACrD,IAAI,QAAQ,GAAG,CAAC,IAAI,IAAI,GAAG,CAAC,EAAE,CAAC;YAC7B,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC;AACH,CAAC,CAAC,CAAC;AAEL,OAAO,CAAC,KAAK,EAAE,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,7 @@
+export { scan } from "./scanner/engine.js";
+export { formatText } from "./reporter/text.js";
+export { formatJson } from "./reporter/json.js";
+export { formatCbom } from "./reporter/cbom.js";
+export { formatSarif } from "./reporter/sarif.js";
+export type * from "./types.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,MAAM,qBAAqB,CAAC;AAC3C,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAChD,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAChD,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAChD,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAClD,mBAAmB,YAAY,CAAC"}

package/dist/index.js

@@ -0,0 +1,6 @@
+export { scan } from "./scanner/engine.js";
+export { formatText } from "./reporter/text.js";
+export { formatJson } from "./reporter/json.js";
+export { formatCbom } from "./reporter/cbom.js";
+export { formatSarif } from "./reporter/sarif.js";
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,MAAM,qBAAqB,CAAC;AAC3C,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAChD,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAChD,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAChD,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC"}

package/dist/reporter/cbom.d.ts

@@ -0,0 +1,8 @@
+import type { ScanResult } from "../types.js";
+/**
+ * Generate a CycloneDX 1.6 CBOM (Cryptographic Bill of Materials)
+ *
+ * Spec: https://cyclonedx.org/capabilities/cbom/
+ */
+export declare function formatCbom(result: ScanResult): string;
+//# sourceMappingURL=cbom.d.ts.map

package/dist/reporter/cbom.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cbom.d.ts","sourceRoot":"","sources":["../../src/reporter/cbom.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAW,UAAU,EAAE,MAAM,aAAa,CAAC;AAEvD;;;;GAIG;AACH,wBAAgB,UAAU,CAAC,MAAM,EAAE,UAAU,GAAG,MAAM,CA+BrD"}

package/dist/reporter/cbom.js

@@ -0,0 +1,153 @@
+import { randomUUID } from "node:crypto";
+/**
+ * Generate a CycloneDX 1.6 CBOM (Cryptographic Bill of Materials)
+ *
+ * Spec: https://cyclonedx.org/capabilities/cbom/
+ */
+export function formatCbom(result) {
+    const components = result.findings.map(findingToComponent);
+    const cbom = {
+        bomFormat: "CycloneDX",
+        specVersion: "1.6",
+        serialNumber: `urn:uuid:${randomUUID()}`,
+        version: 1,
+        metadata: {
+            timestamp: result.timestamp,
+            tools: {
+                components: [
+                    {
+                        type: "application",
+                        name: "pqaudit",
+                        version: "0.1.0",
+                        description: "Post-quantum cryptography readiness scanner",
+                    },
+                ],
+            },
+            component: {
+                type: "application",
+                name: result.target,
+                "bom-ref": "target",
+            },
+        },
+        components,
+    };
+    return JSON.stringify(cbom, null, 2);
+}
+function findingToComponent(finding) {
+    const bomRef = `crypto-${finding.ruleId}-${finding.location.file.replace(/[^a-zA-Z0-9]/g, "-")}-${finding.location.line ?? 0}`;
+    return {
+        type: "crypto-asset",
+        "bom-ref": bomRef,
+        name: finding.algorithm,
+        description: finding.description,
+        cryptoProperties: {
+            assetType: categoryToAssetType(finding.category),
+            algorithmProperties: {
+                primitive: categoryToPrimitive(finding.category),
+                variant: finding.algorithm,
+                cryptoFunctions: [categoryToFunction(finding.category)],
+            },
+            classicalSecurityLevel: severityToSecurityLevel(finding.severity),
+            nistQuantumSecurityLevel: severityToNistLevel(finding.severity),
+        },
+        evidence: {
+            occurrences: [
+                {
+                    location: finding.location.file,
+                    line: finding.location.line,
+                    offset: finding.location.column,
+                    symbol: finding.location.snippet,
+                    additionalContext: finding.replacement
+                        ? `Recommended replacement: ${finding.replacement}`
+                        : undefined,
+                },
+            ],
+        },
+        properties: [
+            { name: "pqaudit:severity", value: finding.severity },
+            { name: "pqaudit:confidence", value: String(finding.confidence) },
+            { name: "pqaudit:effort", value: finding.effort },
+            { name: "pqaudit:detectionMethod", value: finding.detectionMethod },
+            ...(finding.replacement
+                ? [{ name: "pqaudit:replacement", value: finding.replacement }]
+                : []),
+        ],
+    };
+}
+function categoryToAssetType(category) {
+    switch (category) {
+        case "kem":
+            return "algorithm";
+        case "signature":
+            return "algorithm";
+        case "hash":
+            return "algorithm";
+        case "symmetric":
+            return "algorithm";
+        case "protocol":
+            return "protocol";
+        case "kdf":
+            return "algorithm";
+    }
+}
+function categoryToPrimitive(category) {
+    switch (category) {
+        case "kem":
+            return "pke";
+        case "signature":
+            return "signature";
+        case "hash":
+            return "hash";
+        case "symmetric":
+            return "ae";
+        case "protocol":
+            return "other";
+        case "kdf":
+            return "kdf";
+    }
+}
+function categoryToFunction(category) {
+    switch (category) {
+        case "kem":
+            return "encapsulate";
+        case "signature":
+            return "sign";
+        case "hash":
+            return "digest";
+        case "symmetric":
+            return "encrypt";
+        case "protocol":
+            return "other";
+        case "kdf":
+            return "keygen";
+    }
+}
+function severityToSecurityLevel(severity) {
+    switch (severity) {
+        case "critical":
+            return 0; // Broken by quantum
+        case "high":
+            return 64; // Reduced by Grover
+        case "medium":
+            return 0; // Already broken classically
+        case "low":
+            return 128;
+        case "safe":
+            return 128; // Post-quantum safe
+    }
+}
+function severityToNistLevel(severity) {
+    switch (severity) {
+        case "critical":
+            return 0;
+        case "high":
+            return 1;
+        case "medium":
+            return 0;
+        case "low":
+            return 3;
+        case "safe":
+            return 3;
+    }
+}
+//# sourceMappingURL=cbom.js.map

package/dist/reporter/cbom.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cbom.js","sourceRoot":"","sources":["../../src/reporter/cbom.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAGzC;;;;GAIG;AACH,MAAM,UAAU,UAAU,CAAC,MAAkB;IAC3C,MAAM,UAAU,GAAG,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC;IAE3D,MAAM,IAAI,GAAG;QACX,SAAS,EAAE,WAAW;QACtB,WAAW,EAAE,KAAK;QAClB,YAAY,EAAE,YAAY,UAAU,EAAE,EAAE;QACxC,OAAO,EAAE,CAAC;QACV,QAAQ,EAAE;YACR,SAAS,EAAE,MAAM,CAAC,SAAS;YAC3B,KAAK,EAAE;gBACL,UAAU,EAAE;oBACV;wBACE,IAAI,EAAE,aAAa;wBACnB,IAAI,EAAE,SAAS;wBACf,OAAO,EAAE,OAAO;wBAChB,WAAW,EACT,6CAA6C;qBAChD;iBACF;aACF;YACD,SAAS,EAAE;gBACT,IAAI,EAAE,aAAa;gBACnB,IAAI,EAAE,MAAM,CAAC,MAAM;gBACnB,SAAS,EAAE,QAAQ;aACpB;SACF;QACD,UAAU;KACX,CAAC;IAEF,OAAO,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;AACvC,CAAC;AAED,SAAS,kBAAkB,CAAC,OAAgB;IAC1C,MAAM,MAAM,GAAG,UAAU,OAAO,CAAC,MAAM,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,eAAe,EAAE,GAAG,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,IAAI,CAAC,EAAE,CAAC;IAE/H,OAAO;QACL,IAAI,EAAE,cAAc;QACpB,SAAS,EAAE,MAAM;QACjB,IAAI,EAAE,OAAO,CAAC,SAAS;QACvB,WAAW,EAAE,OAAO,CAAC,WAAW;QAChC,gBAAgB,EAAE;YAChB,SAAS,EAAE,mBAAmB,CAAC,OAAO,CAAC,QAAQ,CAAC;YAChD,mBAAmB,EAAE;gBACnB,SAAS,EAAE,mBAAmB,CAAC,OAAO,CAAC,QAAQ,CAAC;gBAChD,OAAO,EAAE,OAAO,CAAC,SAAS;gBAC1B,eAAe,EAAE,CAAC,kBAAkB,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;aACxD;YACD,sBAAsB,EAAE,uBAAuB,CAAC,OAAO,CAAC,QAAQ,CAAC;YACjE,wBAAwB,EAAE,mBAAmB,CAAC,OAAO,CAAC,QAAQ,CAAC;SAChE;QACD,QAAQ,EAAE;YACR,WAAW,EAAE;gBACX;oBACE,QAAQ,EAAE,OAAO,CAAC,QAAQ,CAAC,IAAI;oBAC/B,IAAI,EAAE,OAAO,CAAC,QAAQ,CAAC,IAAI;oBAC3B,MAAM,EAAE,OAAO,CAAC,QAAQ,CAAC,MAAM;oBAC/B,MAAM,EAAE,OAAO,CAAC,QAAQ,CAAC,OAAO;oBAChC,iBAAiB,EAAE,OAAO,CAAC,WAAW;wBACpC,CAAC,CAAC,4BAA4B,OAAO,CAAC,WAAW,EAAE;wBACnD,CAAC,CAAC,SAAS;iBACd;aACF;SACF;QACD,UAAU,EAAE;YACV,EAAE,IAAI,EAAE,kBAAkB,EAAE,KAAK,EAAE,OAAO,CAAC,QAAQ,EAAE;YACrD,EAAE,IAAI,EAAE,oBAAoB,EAAE,KAAK,EAAE,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE;YACjE,EAAE,IAAI,EAAE,gBAAgB,EAAE,KAAK,EAAE,OAAO,CAAC,MAAM,EAAE;YACjD,EAAE,IAAI,EAAE,yBAAyB,EAAE,KAAK,EAAE,OAAO,CAAC,eAAe,EAAE;YACnE,GAAG,CAAC,OAAO,CAAC,WAAW;gBACrB,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,qBAAqB,EAAE,KAAK,EAAE,OAAO,CAAC,WAAW,EAAE,CAAC;gBAC/D,CAAC,CAAC,EAAE,CAAC;SACR;KACF,CAAC;AACJ,CAAC;AAED,SAAS,mBAAmB,CAC1B,QAA6B;IAE7B,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,KAAK;YACR,OAAO,WAAW,CAAC;QACrB,KAAK,WAAW;YACd,OAAO,WAAW,CAAC;QACrB,KAAK,MAAM;YACT,OAAO,WAAW,CAAC;QACrB,KAAK,WAAW;YACd,OAAO,WAAW,CAAC;QACrB,KAAK,UAAU;YACb,OAAO,UAAU,CAAC;QACpB,KAAK,KAAK;YACR,OAAO,WAAW,CAAC;IACvB,CAAC;AACH,CAAC;AAED,SAAS,mBAAmB,CAC1B,QAA6B;IAE7B,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,KAAK;YACR,OAAO,KAAK,CAAC;QACf,KAAK,WAAW;YACd,OAAO,WAAW,CAAC;QACrB,KAAK,MAAM;YACT,OAAO,MAAM,CAAC;QAChB,KAAK,WAAW;YACd,OAAO,IAAI,CAAC;QACd,KAAK,UAAU;YACb,OAAO,OAAO,CAAC;QACjB,KAAK,KAAK;YACR,OAAO,KAAK,CAAC;IACjB,CAAC;AACH,CAAC;AAED,SAAS,kBAAkB,CACzB,QAA6B;IAE7B,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,KAAK;YACR,OAAO,aAAa,CAAC;QACvB,KAAK,WAAW;YACd,OAAO,MAAM,CAAC;QAChB,KAAK,MAAM;YACT,OAAO,QAAQ,CAAC;QAClB,KAAK,WAAW;YACd,OAAO,SAAS,CAAC;QACnB,KAAK,UAAU;YACb,OAAO,OAAO,CAAC;QACjB,KAAK,KAAK;YACR,OAAO,QAAQ,CAAC;IACpB,CAAC;AACH,CAAC;AAED,SAAS,uBAAuB,CAAC,QAA6B;IAC5D,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,UAAU;YACb,OAAO,CAAC,CAAC,CAAC,oBAAoB;QAChC,KAAK,MAAM;YACT,OAAO,EAAE,CAAC,CAAC,oBAAoB;QACjC,KAAK,QAAQ;YACX,OAAO,CAAC,CAAC,CAAC,6BAA6B;QACzC,KAAK,KAAK;YACR,OAAO,GAAG,CAAC;QACb,KAAK,MAAM;YACT,OAAO,GAAG,CAAC,CAAC,oBAAoB;IACpC,CAAC;AACH,CAAC;AAED,SAAS,mBAAmB,CAAC,QAA6B;IACxD,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,UAAU;YACb,OAAO,CAAC,CAAC;QACX,KAAK,MAAM;YACT,OAAO,CAAC,CAAC;QACX,KAAK,QAAQ;YACX,OAAO,CAAC,CAAC;QACX,KAAK,KAAK;YACR,OAAO,CAAC,CAAC;QACX,KAAK,MAAM;YACT,OAAO,CAAC,CAAC;IACb,CAAC;AACH,CAAC"}

package/dist/reporter/json.d.ts

@@ -0,0 +1,3 @@
+import type { ScanResult } from "../types.js";
+export declare function formatJson(result: ScanResult): string;
+//# sourceMappingURL=json.d.ts.map

package/dist/reporter/json.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"json.d.ts","sourceRoot":"","sources":["../../src/reporter/json.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAE9C,wBAAgB,UAAU,CAAC,MAAM,EAAE,UAAU,GAAG,MAAM,CAErD"}

package/dist/reporter/json.js

@@ -0,0 +1,4 @@
+export function formatJson(result) {
+    return JSON.stringify(result, null, 2);
+}
+//# sourceMappingURL=json.js.map

package/dist/reporter/json.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"json.js","sourceRoot":"","sources":["../../src/reporter/json.ts"],"names":[],"mappings":"AAEA,MAAM,UAAU,UAAU,CAAC,MAAkB;IAC3C,OAAO,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;AACzC,CAAC"}

package/dist/reporter/sarif.d.ts

@@ -0,0 +1,7 @@
+import type { ScanResult } from "../types.js";
+/**
+ * Generate SARIF output for GitHub Code Scanning integration
+ * Spec: https://sarifweb.azurewebsites.net/
+ */
+export declare function formatSarif(result: ScanResult): string;
+//# sourceMappingURL=sarif.d.ts.map

package/dist/reporter/sarif.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sarif.d.ts","sourceRoot":"","sources":["../../src/reporter/sarif.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAW,UAAU,EAAY,MAAM,aAAa,CAAC;AAEjE;;;GAGG;AACH,wBAAgB,WAAW,CAAC,MAAM,EAAE,UAAU,GAAG,MAAM,CA+DtD"}

package/dist/reporter/sarif.js

@@ -0,0 +1,91 @@
+/**
+ * Generate SARIF output for GitHub Code Scanning integration
+ * Spec: https://sarifweb.azurewebsites.net/
+ */
+export function formatSarif(result) {
+    const rules = dedupeRules(result.findings);
+    const sarif = {
+        $schema: "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json",
+        version: "2.1.0",
+        runs: [
+            {
+                tool: {
+                    driver: {
+                        name: "pqaudit",
+                        version: "0.1.0",
+                        informationUri: "https://github.com/PQCWorld/pqaudit",
+                        rules: rules.map((r) => ({
+                            id: r.ruleId,
+                            shortDescription: { text: r.algorithm },
+                            fullDescription: { text: r.description },
+                            defaultConfiguration: {
+                                level: severityToSarifLevel(r.severity),
+                            },
+                            help: {
+                                text: r.replacement
+                                    ? `Replace with: ${r.replacement}`
+                                    : "No migration needed",
+                            },
+                            properties: {
+                                tags: ["security", "cryptography", "post-quantum"],
+                            },
+                        })),
+                    },
+                },
+                results: result.findings
+                    .filter((f) => f.severity !== "safe")
+                    .map((f) => ({
+                    ruleId: f.ruleId,
+                    level: severityToSarifLevel(f.severity),
+                    message: {
+                        text: `${f.algorithm}: ${f.description}${f.replacement ? `. Replace with: ${f.replacement}` : ""}`,
+                    },
+                    locations: [
+                        {
+                            physicalLocation: {
+                                artifactLocation: {
+                                    uri: f.location.file,
+                                },
+                                region: {
+                                    startLine: f.location.line ?? 1,
+                                    startColumn: f.location.column ?? 1,
+                                },
+                            },
+                        },
+                    ],
+                    properties: {
+                        confidence: f.confidence,
+                        effort: f.effort,
+                    },
+                })),
+            },
+        ],
+    };
+    return JSON.stringify(sarif, null, 2);
+}
+function severityToSarifLevel(severity) {
+    switch (severity) {
+        case "critical":
+            return "error";
+        case "high":
+            return "error";
+        case "medium":
+            return "warning";
+        case "low":
+            return "note";
+        case "safe":
+            return "note";
+    }
+}
+function dedupeRules(findings) {
+    const seen = new Set();
+    const unique = [];
+    for (const f of findings) {
+        if (!seen.has(f.ruleId)) {
+            seen.add(f.ruleId);
+            unique.push(f);
+        }
+    }
+    return unique;
+}
+//# sourceMappingURL=sarif.js.map

package/dist/reporter/sarif.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sarif.js","sourceRoot":"","sources":["../../src/reporter/sarif.ts"],"names":[],"mappings":"AAEA;;;GAGG;AACH,MAAM,UAAU,WAAW,CAAC,MAAkB;IAC5C,MAAM,KAAK,GAAG,WAAW,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IAE3C,MAAM,KAAK,GAAG;QACZ,OAAO,EACL,sGAAsG;QACxG,OAAO,EAAE,OAAO;QAChB,IAAI,EAAE;YACJ;gBACE,IAAI,EAAE;oBACJ,MAAM,EAAE;wBACN,IAAI,EAAE,SAAS;wBACf,OAAO,EAAE,OAAO;wBAChB,cAAc,EAAE,qCAAqC;wBACrD,KAAK,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;4BACvB,EAAE,EAAE,CAAC,CAAC,MAAM;4BACZ,gBAAgB,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,SAAS,EAAE;4BACvC,eAAe,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE;4BACxC,oBAAoB,EAAE;gCACpB,KAAK,EAAE,oBAAoB,CAAC,CAAC,CAAC,QAAQ,CAAC;6BACxC;4BACD,IAAI,EAAE;gCACJ,IAAI,EAAE,CAAC,CAAC,WAAW;oCACjB,CAAC,CAAC,iBAAiB,CAAC,CAAC,WAAW,EAAE;oCAClC,CAAC,CAAC,qBAAqB;6BAC1B;4BACD,UAAU,EAAE;gCACV,IAAI,EAAE,CAAC,UAAU,EAAE,cAAc,EAAE,cAAc,CAAC;6BACnD;yBACF,CAAC,CAAC;qBACJ;iBACF;gBACD,OAAO,EAAE,MAAM,CAAC,QAAQ;qBACrB,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC;qBACpC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;oBACX,MAAM,EAAE,CAAC,CAAC,MAAM;oBAChB,KAAK,EAAE,oBAAoB,CAAC,CAAC,CAAC,QAAQ,CAAC;oBACvC,OAAO,EAAE;wBACP,IAAI,EAAE,GAAG,CAAC,CAAC,SAAS,KAAK,CAAC,CAAC,WAAW,GAAG,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,mBAAmB,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE;qBACnG;oBACD,SAAS,EAAE;wBACT;4BACE,gBAAgB,EAAE;gCAChB,gBAAgB,EAAE;oCAChB,GAAG,EAAE,CAAC,CAAC,QAAQ,CAAC,IAAI;iCACrB;gCACD,MAAM,EAAE;oCACN,SAAS,EAAE,CAAC,CAAC,QAAQ,CAAC,IAAI,IAAI,CAAC;oCAC/B,WAAW,EAAE,CAAC,CAAC,QAAQ,CAAC,MAAM,IAAI,CAAC;iCACpC;6BACF;yBACF;qBACF;oBACD,UAAU,EAAE;wBACV,UAAU,EAAE,CAAC,CAAC,UAAU;wBACxB,MAAM,EAAE,CAAC,CAAC,MAAM;qBACjB;iBACF,CAAC,CAAC;aACN;SACF;KACF,CAAC;IAEF,OAAO,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;AACxC,CAAC;AAED,SAAS,oBAAoB,CAC3B,QAAkB;IAElB,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,UAAU;YACb,OAAO,OAAO,CAAC;QACjB,KAAK,MAAM;YACT,OAAO,OAAO,CAAC;QACjB,KAAK,QAAQ;YACX,OAAO,SAAS,CAAC;QACnB,KAAK,KAAK;YACR,OAAO,MAAM,CAAC;QAChB,KAAK,MAAM;YACT,OAAO,MAAM,CAAC;IAClB,CAAC;AACH,CAAC;AAED,SAAS,WAAW,CAAC,QAAmB;IACtC,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAC/B,MAAM,MAAM,GAAc,EAAE,CAAC;IAE7B,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,EAAE,CAAC;YACxB,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;YACnB,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACjB,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/reporter/text.d.ts

@@ -0,0 +1,3 @@
+import type { ScanResult } from "../types.js";
+export declare function formatText(result: ScanResult): string;
+//# sourceMappingURL=text.d.ts.map

package/dist/reporter/text.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"text.d.ts","sourceRoot":"","sources":["../../src/reporter/text.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAW,UAAU,EAAY,MAAM,aAAa,CAAC;AAkBjE,wBAAgB,UAAU,CAAC,MAAM,EAAE,UAAU,GAAG,MAAM,CAwErD"}