Your source code never leaves the runner — discovery executes in-pipeline.
The pipeline — four steps
- Discover — scan code, certificates and TLS for cryptography.
- CBOM — export a schema-valid CycloneDX 1.6 Crypto-BOM (artifact).
- Score — quantum-risk + harvest-now-decrypt-later per asset.
- Gate — fail the build when findings breach your policy.
GitHub Actions
```yaml
# .github/workflows/crypto-inventory.yml (steps excerpt; the checkout step and
# the CLI install step for your private index or self-hosted image come first)
- name: Discover cryptography
  run: cryptagion scan code --path . --languages python,java,go,javascript,c --reset --exclude-tests
- name: Generate CycloneDX 1.6 CBOM
  run: cryptagion export cbom --output cbom.json
- name: Quantum-risk scoring
  run: cryptagion risk score -c confidential -y 10 --output assessments.json
- name: Upload CBOM + assessment   # audit trail for GRC
  uses: actions/upload-artifact@v4
  with:
    path: |
      cbom.json
      assessments.json
- name: Crypto policy gate
  run: cryptagion gate -c confidential -y 10 --max-critical 0 --max-high 10
```
GitLab CI works the same way. Full examples and the policy options ship with the product.
What a blocked merge looks like
```text
CRYPTAGION crypto gate — 43 cryptographic asset(s)
critical: 15 · high: 15 · medium: 5 · low: 8
worst score: 100/100
::error::15 critical finding(s) exceed policy (max-critical=0)
❌ Crypto policy gate FAILED. → exit 1 → pull request blocked
```
The ::error:: line is a GitHub Actions workflow command: Actions renders it as a red annotation directly on the pull request. The non-zero exit is what actually blocks the merge, provided the job is a required status check in your branch protection rules.
Two ways to integrate
- CLI in CI — install the CLI in the runner (private index or a self-hosted image). Simplest, like syft/grype.
- API service (Platform tier) — run the CRYPTAGION FastAPI service on-prem (token-auth) and call POST /scan/code and GET /inventory/summary for centralised SOAR/GRC integration.
Roll it out safely
Start the gate in report-only mode (a high threshold), baseline your estate, then tighten the policy wave by wave — so you never block a build on day one.
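To make the score-and-gate half of the pipeline concrete, here is an added, self-contained example. It is not CRYPTAGION's own scoring or gate code, and it does not reproduce the product's assessments.json format; the sample CBOM, the severity rules, the assumed CRQC horizon and every function name are illustrative assumptions. It walks the cryptographic-asset components of a CycloneDX 1.6 CBOM, rates each one for quantum risk and harvest-now-decrypt-later exposure given the data classification and protection lifetime (the role the page's -c and -y flags play), then applies max-critical / max-high thresholds and emits the same ::error:: workflow command and exit code shown in the blocked-merge output above. Raising the thresholds is the report-only mode described in the rollout advice.

```python
"""Quantum-risk scoring and a policy gate over a CycloneDX 1.6 CBOM.

Added example; not CRYPTAGION's scoring or gate logic. The sample CBOM,
the severity rules and the CRQC horizon below are constructed assumptions.
"""
import json
import sys

# Assumption: years until a cryptographically relevant quantum computer (CRQC).
# Data that must stay confidential beyond this horizon is harvest-now-decrypt-later
# (HNDL) exposed when it is protected by a Shor-breakable primitive today.
ASSUMED_CRQC_HORIZON_YEARS = 10

# CycloneDX 1.6 algorithmProperties.primitive values built on classical public-key
# maths (broken by Shor) and those that protect confidentiality (HNDL-relevant).
# Signatures are Shor-breakable too, but recorded traffic cannot be "decrypted later"
# through them, so they rank below confidentiality primitives.
SHOR_BREAKABLE = {"pke", "key-agree", "signature"}
CONFIDENTIALITY = {"pke", "key-agree", "kem"}

SEVERITY_RANK = {"critical": 3, "high": 2, "medium": 1, "low": 0}

# Constructed minimal CycloneDX 1.6 CBOM (not a real scan result).
SAMPLE_CBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.6",
    "components": [
        {"type": "cryptographic-asset", "name": "RSA-2048",
         "cryptoProperties": {"assetType": "algorithm", "algorithmProperties": {
             "primitive": "pke", "parameterSetIdentifier": "2048", "nistQuantumSecurityLevel": 0}},
         "evidence": {"occurrences": [{"location": "src/tls_client.py"}]}},
        {"type": "cryptographic-asset", "name": "ECDSA-P256",
         "cryptoProperties": {"assetType": "algorithm", "algorithmProperties": {
             "primitive": "signature", "curve": "P-256", "nistQuantumSecurityLevel": 0}}},
        {"type": "cryptographic-asset", "name": "AES-128-GCM",
         "cryptoProperties": {"assetType": "algorithm", "algorithmProperties": {
             "primitive": "ae", "parameterSetIdentifier": "128", "nistQuantumSecurityLevel": 1}}},
        {"type": "cryptographic-asset", "name": "ML-KEM-768",
         "cryptoProperties": {"assetType": "algorithm", "algorithmProperties": {
             "primitive": "kem", "parameterSetIdentifier": "768", "nistQuantumSecurityLevel": 3}}},
        {"type": "library", "name": "requests"},  # not a crypto asset; skipped by assess()
    ],
}


def score_asset(component, classification, years):
    """Return (severity, score, reason) for one cryptographic-asset component."""
    props = component.get("cryptoProperties", {}).get("algorithmProperties", {})
    primitive = props.get("primitive", "unknown")
    level = props.get("nistQuantumSecurityLevel")  # 0 = no quantum security
    broken = primitive in SHOR_BREAKABLE and level in (None, 0)
    hndl = (broken and primitive in CONFIDENTIALITY and classification == "confidential"
            and years >= ASSUMED_CRQC_HORIZON_YEARS)
    if hndl:
        return "critical", 100, "Shor-breakable and HNDL-exposed for the data lifetime"
    if broken:
        return "high", 80, "Shor-breakable; migrate before a CRQC exists"
    if level is None or level < 3:
        return "medium", 40, "quantum security level undeclared or below NIST level 3"
    return "low", 10, "quantum-safe with adequate margin"


def assess(cbom, classification, years):
    """Score every cryptographic-asset component; other component types are ignored."""
    results = []
    for comp in cbom.get("components", []):
        if comp.get("type") != "cryptographic-asset":
            continue
        severity, score, reason = score_asset(comp, classification, years)
        locations = [o.get("location") for o in comp.get("evidence", {}).get("occurrences", [])]
        results.append({"name": comp.get("name"), "severity": severity, "score": score,
                        "reason": reason, "locations": locations})
    return results


def gate(assessments, max_critical, max_high):
    """Apply the policy; returns (passed, counts, worst_score, output_lines)."""
    counts = {s: 0 for s in SEVERITY_RANK}
    for a in assessments:
        counts[a["severity"]] += 1
    worst = max((a["score"] for a in assessments), default=0)
    lines = [f"crypto gate: {len(assessments)} cryptographic asset(s)",
             " · ".join(f"{s}: {counts[s]}" for s in SEVERITY_RANK),
             f"worst score: {worst}/100"]
    passed = True
    # "::error::" is the GitHub Actions workflow command for a red PR annotation.
    if counts["critical"] > max_critical:
        lines.append(f"::error::{counts['critical']} critical finding(s) exceed policy "
                     f"(max-critical={max_critical})")
        passed = False
    if counts["high"] > max_high:
        lines.append(f"::error::{counts['high']} high finding(s) exceed policy (max-high={max_high})")
        passed = False
    return passed, counts, worst, lines


def run(cbom, classification="confidential", years=10, max_critical=0, max_high=10):
    """Score then gate; set the max_* thresholds very high for report-only mode."""
    assessments = assess(cbom, classification, years)
    passed, counts, worst, lines = gate(assessments, max_critical, max_high)
    return {"passed": passed, "counts": counts, "worst": worst,
            "lines": lines, "assessments": assessments}


if __name__ == "__main__":
    # Usage: python cbom_gate.py [cbom.json]; without an argument the constructed sample is used.
    bom = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_CBOM
    result = run(bom)
    print("\n".join(result["lines"]))
    sys.exit(0 if result["passed"] else 1)
```

On the constructed sample with confidential data and a 10-year lifetime, RSA-2048 is critical (Shor-breakable and HNDL-exposed), ECDSA-P256 is high (breakable, but signatures are not harvestable), AES-128-GCM is medium and ML-KEM-768 is low, so max-critical=0 fails the gate. Dropping the lifetime to 2 years demotes RSA-2048 to high because the data is expected to expire before the assumed CRQC horizon; that is exactly the kind of knob you tune wave by wave during rollout.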
Want this on your pipeline? We'll wire CRYPTAGION into one repo's CI in the call — no payment until you've seen it gate a real change.
Book a free discovery call →