Metadata-Version: 2.4
Name: qproof
Version: 0.4.0
Summary: Find quantum-vulnerable cryptography in your codebase
Project-URL: Homepage, https://github.com/qproof/qproof
Project-URL: Repository, https://github.com/qproof/qproof
Project-URL: Issues, https://github.com/qproof/qproof/issues
Project-URL: Changelog, https://github.com/qproof/qproof/blob/main/CHANGELOG.md
Author: qproof contributors
License: MIT
License-File: LICENSE
Keywords: cnsa,crypto-audit,cryptography,nist,post-quantum,pqc,quantum,scanner,security,vulnerability
Classifier: Development Status :: 4 - Beta
Classifier: Environment :: Console
Classifier: Intended Audience :: Developers
Classifier: Intended Audience :: Information Technology
Classifier: License :: OSI Approved :: MIT License
Classifier: Operating System :: OS Independent
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Topic :: Security
Classifier: Topic :: Security :: Cryptography
Classifier: Topic :: Software Development :: Quality Assurance
Classifier: Topic :: Software Development :: Testing
Classifier: Typing :: Typed
Requires-Python: >=3.10
Requires-Dist: click>=8.0
Requires-Dist: pyyaml>=6.0
Requires-Dist: rich>=13.0
Provides-Extra: dev
Requires-Dist: pytest>=7.0; extra == 'dev'
Requires-Dist: ruff>=0.4; extra == 'dev'
Description-Content-Type: text/markdown

# qproof

**Find quantum-vulnerable cryptography in your codebase.**

qproof scans source code and dependencies for cryptographic algorithms, classifies their quantum risk, and recommends post-quantum replacements — with references to NIST, CNSA 2.0, ENISA, and EU standards.

[![CI](https://github.com/qproof/qproof/actions/workflows/ci.yml/badge.svg)](https://github.com/qproof/qproof/actions)
[![PyPI](https://img.shields.io/pypi/v/qproof)](https://pypi.org/project/qproof/)
[![Python](https://img.shields.io/pypi/pyversions/qproof)](https://pypi.org/project/qproof/)
[![License: MIT](https://img.shields.io/badge/License-MIT-green.svg)](LICENSE)

<!-- ![qproof demo](docs/demo.gif) -->

## Why qproof?

Quantum computers will break RSA, ECDSA, and Diffie-Hellman. The EU requires full PQC migration by 2035 (high-risk systems by 2030). NSA's CNSA 2.0 mandates transition starting now.

**qproof tells you exactly where you're exposed and what to do about it.**

- Scans Python, JavaScript/TypeScript, Go, Java, Rust source code
- Detects crypto dependencies in package.json, requirements.txt, go.mod, and more
- Classifies each finding: **VULNERABLE**, **PARTIAL**, or **SAFE**
- Recommends post-quantum replacements (ML-KEM, ML-DSA per FIPS 203/204)
- References NIST, CNSA 2.0, ENISA, EU 2024/1101, CCN-STIC 221/807
- Scans server configs (nginx, Apache, SSH, OpenSSL) and JWT/TLS settings
- Outputs Rich terminal, JSON, SARIF (GitHub Security), or CBOM (CycloneDX v1.6)

## Quick start

```bash
pip install qproof
qproof scan .
```

## Installation

```bash
# From PyPI
pip install qproof

# From source
git clone https://github.com/qproof/qproof.git
cd qproof
pip install -e ".[dev]"
```

Requires Python 3.10+.

## Usage

```bash
# Scan current directory — Rich terminal output
qproof scan .

# Scan a specific path
qproof scan /path/to/project

# JSON output (for CI/CD)
qproof scan . --format json

# Save JSON report to file
qproof scan . --format json --output report.json

# SARIF output (for GitHub Security tab)
qproof scan . --format sarif --output qproof.sarif

# CBOM output (CycloneDX v1.6 — cryptographic asset inventory)
qproof scan . --format cbom --output cbom.json
```

## GitHub Actions integration

Add this to `.github/workflows/qproof.yml`:

```yaml
name: Quantum Crypto Scan
on: [push, pull_request]

jobs:
  qproof:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - run: pip install qproof
      - run: qproof scan . --format sarif --output qproof.sarif
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: qproof.sarif
          category: qproof
```

Findings appear in your repository's **Security → Code scanning alerts** tab.

## What it detects

| Category | Examples | Risk |
|----------|----------|------|
| Asymmetric crypto | RSA, ECDSA, ECDH, Ed25519, DH | VULNERABLE |
| Broken hashes | MD5, SHA-1 | VULNERABLE |
| Deprecated ciphers | DES, 3DES, RC4 | VULNERABLE |
| Partial-risk symmetric | AES-128, Blowfish | PARTIAL |
| Quantum-safe | AES-256, SHA-256, SHA-3, ChaCha20 | SAFE |
| Config settings | TLS 1.0/1.1, SSH RSA keys, JWT RS256/ES256 | VULNERABLE |

43 algorithms classified. 13 libraries mapped. Config scanner covers nginx, SSH, OpenSSL, JWT, PEM.

## Output example

```
+------------+------------------+----------+------------------+
| Risk       | Algorithm        | File     | Replacement      |
+------------+------------------+----------+------------------+
| VULNERABLE | RSA              | app.py:5 | ML-KEM (FIPS 203)|
| VULNERABLE | SHA-1            | app.py:9 | SHA-256          |
| SAFE       | AES-256          | app.py:12| No change needed |
+------------+------------------+----------+------------------+

Quantum Ready Score: 33.3% — 1 SAFE / 3 total
```
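As an added illustration (not qproof's own code), the script below shows how the risk table and the Quantum Ready Score in the output above fit together: a minimal regex classifier in the spirit of the v0.1 source scanner. The pattern list, the replacement mapping and the sample `app.py` are this example's own constructions and are not taken from qproof's internals.

```python
import re

# Risk classes taken from the "What it detects" table above.
RISK = {"RSA": "VULNERABLE", "ECDSA": "VULNERABLE", "ECDH": "VULNERABLE",
        "Ed25519": "VULNERABLE", "DH": "VULNERABLE", "MD5": "VULNERABLE",
        "SHA-1": "VULNERABLE", "DES": "VULNERABLE", "3DES": "VULNERABLE",
        "RC4": "VULNERABLE", "AES-128": "PARTIAL", "Blowfish": "PARTIAL",
        "AES-256": "SAFE", "SHA-256": "SAFE", "SHA-3": "SAFE", "ChaCha20": "SAFE"}
# Replacement hints: this example's own mapping (ML-KEM for key exchange, ML-DSA for signatures).
FIX = {"RSA": "ML-KEM (FIPS 203)", "ECDH": "ML-KEM (FIPS 203)", "DH": "ML-KEM (FIPS 203)",
       "ECDSA": "ML-DSA (FIPS 204)", "Ed25519": "ML-DSA (FIPS 204)",
       "MD5": "SHA-256", "SHA-1": "SHA-256"}
# Hypothetical spellings seen in Python source, in precedence order (3DES must precede DES).
PATTERNS = [(re.compile(p, re.I), name) for p, name in [
    (r"\b(?:3des|triple_?des)\b", "3DES"), (r"\bdes\b", "DES"),
    (r"\bsha[-_]?1\b", "SHA-1"), (r"\bsha[-_]?256\b", "SHA-256"),
    (r"\baes[-_]?128\b", "AES-128"), (r"\baes[-_]?256\b", "AES-256"),
    (r"\brsa\b", "RSA"), (r"\bed25519\b", "Ed25519"), (r"\bmd5\b", "MD5")]]


def scan_source(text: str, filename: str) -> list[tuple[str, str, str, str]]:
    """Return (risk, algorithm, file:line, replacement) for the first match on each line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for pattern, name in PATTERNS:
            if pattern.search(line):
                risk = RISK[name]
                fix = "No change needed" if risk == "SAFE" else FIX.get(name, "AES-256")
                findings.append((risk, name, f"{filename}:{lineno}", fix))
                break
    return findings


def quantum_ready_score(findings) -> float:
    # Percent of findings rated SAFE, rounded to one decimal as in the output example.
    return 100.0 if not findings else round(100 * sum(f[0] == "SAFE" for f in findings) / len(findings), 1)


# Constructed sample mirroring the output example: RSA on line 5, SHA-1 on line 9, AES-256 on line 12.
SAMPLE_APP_PY = """import os
import hashlib
from cryptography.hazmat.primitives import asymmetric, ciphers

key = asymmetric.rsa.generate_private_key(public_exponent=65537, key_size=2048)


def digest(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def encrypt(data: bytes) -> bytes:  # AES-256-GCM, 32-byte key
    aead = ciphers.Cipher(ciphers.algorithms.AES(os.urandom(32)), ciphers.modes.GCM(os.urandom(12)))
    return aead.encryptor().update(data)
"""
```

Running `scan_source(SAMPLE_APP_PY, "app.py")` yields the three rows of the table above and a score of 33.3%; a real AST-based scanner (the v0.3 roadmap item) would avoid the false positives a line-level regex can produce.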

## Standards referenced

qproof maps every algorithm to formal standards for compliance reporting:

- **NIST**: SP 800-131A Rev.2, FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), FIPS 180-4, FIPS 197
- **NSA CNSA 2.0**: Transition timeline 2025-2035
- **ENISA**: PQC Integration Study, ECCG Agreed Cryptographic Mechanisms v2
- **EU**: Recommendation 2024/1101, Coordinated PQC Roadmap (2030/2035)
- **CCN (Spain)**: CCN-STIC 221, CCN-STIC 807 (ENS compliance)

## Supported dependency files

| File | Ecosystem |
|------|-----------|
| requirements.txt | Python |
| Pipfile | Python |
| pyproject.toml | Python |
| package.json | npm |
| go.mod | Go |
| Cargo.toml | Rust |
| pom.xml | Java/Maven |
| build.gradle | Java/Gradle |

## Roadmap

- [x] v0.1 — Regex source scanner, dependency scanner, Rich/JSON output
- [x] v0.2 — SARIF output, CBOM CycloneDX v1.6, config scanner (TLS/SSH/JWT)
- [ ] v0.3 — AST scanner (tree-sitter), GitHub Action marketplace, Go/Java source support
- [ ] v1.0 — SaaS dashboard, compliance PDF reports

## Contributing

Contributions welcome. Please open an issue first to discuss changes.

```bash
git clone https://github.com/qproof/qproof.git
cd qproof
pip install -e ".[dev]"
pytest -v
ruff check qproof/ tests/
```

## License

MIT — see [LICENSE](LICENSE).

---

Built by the [EYES](https://github.com/eyes) team. Scanning the quantum horizon.
