Code Analyzer
Static analysis for quantum-vulnerable cryptography in source code. Scans individual files or entire project directories with real-time streaming progress.
Supported Languages
| Language | Extensions |
|---|---|
| Python | .py, .pyw, .pyi |
| JavaScript | .js, .jsx, .mjs, .cjs |
| TypeScript | .ts, .tsx |
| Java | .java |
| C / C++ | .c, .cpp, .cc, .cxx, .h, .hpp, .hxx |
| C# | .cs |
| Go | .go |
| Rust | .rs |
| Ruby | .rb, .rbw |
| PHP | .php, .php3, .php4, .php5 |
| Kotlin | .kt, .kts |
| Scala | .scala, .sc |
| Swift | .swift |
| Solidity | .sol |
| COBOL | .cob, .cbl, .cpy, .cobol |
| Elixir | .ex, .exs |
| SQL | .sql |
| HTML | .html |
| Apex (Salesforce) | .cls, .trigger |
| Dart | .dart |
| Lua | .lua |
| Vue | .vue |
| Certificates | .pem, .crt, .cer, .p7b, .p7c |
| Config / Data | .json, .yml, .yaml, .toml, .xml, .env, .envrc |
| Jsonnet | .jsonnet, .libsonnet |
What Gets Detected
Quantum-Vulnerable Algorithms (PQC Mode)
| Category | Examples detected |
|---|---|
| Asymmetric encryption / key exchange | RSA key generation, RSA-OAEP, PKCS#1, ECDH, ECDHE, DH, DHE, X25519, X448 |
| Digital signatures | ECDSA, DSA, RSA signatures, EdDSA |
| Weak hash functions | MD5, SHA-1, SHA-224, SHA-256 (Grover halves effective bits) |
| Weak symmetric encryption | AES-128, DES, 3DES, RC4, Blowfish |
| Deprecated TLS | TLS 1.0, TLS 1.1, weak cipher suites, SSLv3 |
| Hardcoded secrets | Private keys, API tokens, cryptographic material embedded in source |
| Insecure random | Math.random(), random.random(), rand() used in cryptographic contexts |
| Key size issues | RSA < 4096, DH < 3072, ECC curves below P-384 |
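The rules above are pattern matches with a context check attached, which is why they can tell a 2048-bit RSA key from a 4096-bit one, or Math.random() in a game loop from Math.random() feeding a nonce. The following is an added illustration written for this page, not the product's bundled rule engine: a few constructed rules in the spirit of the table, applied per language, producing findings with the Severity / Line / Message fields the results view shows, plus the summary counters. Rule ids, messages, severities and the sample sources are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed illustration of rule matching; not the product's bundled rule set.
# Severities follow the page's severity table (weak key sizes -> HIGH,
# deprecated TLS and weak hashes -> MEDIUM).

@dataclass
class Finding:
    rule_id: str
    severity: str
    line: int
    message: str
    fix: Optional[str] = None   # rule autofix text, if the rule provides one

# Words that mark a line as handling cryptographic material; underscores allowed.
CRYPTO_CONTEXT = re.compile(r"(?<![A-Za-z])(key|token|secret|nonce|salt|iv|password)(?![A-Za-z])", re.I)

def key_too_small(match: re.Match, line: str) -> bool:
    # Only flag RSA keys below the 4096-bit threshold the page uses.
    return int(match.group(1)) < 4096

def in_crypto_context(match: re.Match, line: str) -> bool:
    # A non-cryptographic PRNG is only a finding when its output feeds key material.
    return CRYPTO_CONTEXT.search(line) is not None

# (rule id, language or "*" for all, pattern, severity, message, extra check, autofix)
RULES = [
    ("py-rsa-small-key", "python",
     re.compile(r"generate_private_key\([^)]*key_size\s*=\s*(\d+)"),
     "HIGH", "RSA key below 4096 bits; plan migration to a PQC KEM such as ML-KEM.",
     key_too_small, None),
    ("py-md5", "python", re.compile(r"hashlib\.md5\("),
     "MEDIUM", "MD5 is broken classically and weakened further by Grover; use SHA-384 or SHA3-256.",
     None, "hashlib.sha384("),
    ("py-weak-random-crypto", "python", re.compile(r"random\.random\(\)"),
     "HIGH", "Non-cryptographic PRNG used for cryptographic material; use the secrets module.",
     in_crypto_context, None),
    ("js-weak-random-crypto", "javascript", re.compile(r"Math\.random\(\)"),
     "HIGH", "Non-cryptographic PRNG used for cryptographic material; use crypto.getRandomValues().",
     in_crypto_context, None),
    # Negative lookahead keeps TLSv1.2 / TLSv1.3 from matching the TLSv1 prefix.
    ("any-deprecated-tls", "*", re.compile(r"\b(?:SSLv3|TLSv1(?:\.[01])?)(?![.\d])"),
     "MEDIUM", "Deprecated TLS version; require TLS 1.2+ with a PQC-hybrid key exchange where available.",
     None, None),
]

def scan_source(source: str, language: str) -> list[Finding]:
    """Apply the rules for `language` (plus language-agnostic rules) line by line."""
    findings = []
    for lineno, text in enumerate(source.splitlines(), start=1):
        for rule_id, lang, pattern, severity, message, extra, fix in RULES:
            if lang not in ("*", language):
                continue
            match = pattern.search(text)
            if match is None or (extra is not None and not extra(match, text)):
                continue
            findings.append(Finding(rule_id, severity, lineno, message, fix))
    return findings

def summarize(results: dict[str, list[Finding]]) -> dict[str, int]:
    """The four summary counters the results view shows for a scan."""
    return {
        "total_findings": sum(len(f) for f in results.values()),
        "files_scanned": len(results),
        "files_with_issues": sum(1 for f in results.values() if f),
        "fixable": sum(1 for f in results.values() for x in f if x.fix is not None),
    }

# Constructed sample inputs.
PY_SAMPLE = """\
from cryptography.hazmat.primitives.asymmetric import rsa
import hashlib, random
key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
ok = rsa.generate_private_key(public_exponent=65537, key_size=4096)
digest = hashlib.md5(data).hexdigest()
session_token = str(random.random())
dice = random.random()
"""
JS_SAMPLE = """\
const nonce = Math.random().toString(36);
const protocol = "TLSv1.1";
const modern = "TLSv1.2";
"""

if __name__ == "__main__":
    results = {"app.py": scan_source(PY_SAMPLE, "python"),
               "client.js": scan_source(JS_SAMPLE, "javascript"),
               "clean.py": scan_source("print('hello')\n", "python")}
    for path, found in results.items():
        for f in found:
            print(f"{path}:{f.line} [{f.severity}] {f.rule_id}: {f.message}")
    print(summarize(results))
```

The two extra checks are the part worth copying: a key-size rule that reads the number it matched instead of flagging every call, and a PRNG rule that only fires when the same line names key material. Without them a rule set of this kind drowns real findings in noise.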
Scanning a Project
File Selection
Configure which files are scanned in Settings → Code Analysis:
- File Extensions: select which extensions to include. Defaults to all supported languages. Deselect extensions to skip file types you don't care about.
- Excluded Directories: directories skipped during scanning. Defaults include node_modules, .git, venv, dist, build, __pycache__, and other common build/dependency directories.
Streaming Progress
Directory scans use Server-Sent Events (SSE) to stream results in real time. Files are processed in batches grouped by language so language-specific rules are applied correctly. Batch sizes adapt to project size:
| Project size | Batch size |
|---|---|
| ≤ 10 files | 5 files per batch |
| 11–50 files | 10 files per batch |
| 51–100 files | 15 files per batch |
| > 100 files | 25 files per batch |
Findings appear in the UI as each batch completes. The progress bar shows files scanned versus the total.
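To make the batching and streaming concrete, here is an added example (written for this page, not the product's own server code) that applies the File Extensions and Excluded Directories settings, groups files by language, splits each group into batches sized from the table above, and emits one Server-Sent Events frame per completed batch. It also shows the cancellation behaviour described below: when the cancel flag is set, the findings collected so far go out in a final frame marked partial instead of being discarded. The event names, payload layout, directory listing and the stand-in scanner are all constructed assumptions.

```python
import json
from collections import defaultdict
from pathlib import PurePosixPath
from typing import Iterator

# Constructed illustration of the batching and streaming described above; the
# product's real SSE event names and payload layout are not reproduced here.
LANGUAGE_BY_EXT = {".py": "python", ".js": "javascript", ".ts": "typescript",
                   ".go": "go", ".rs": "rust", ".java": "java"}
EXCLUDED_DIRS = {"node_modules", ".git", "venv", "dist", "build", "__pycache__"}

def batch_size(total_files: int) -> int:
    """Adaptive batch size from the project-size table."""
    if total_files <= 10:
        return 5
    if total_files <= 50:
        return 10
    if total_files <= 100:
        return 15
    return 25

def select_files(paths: list[str], enabled_exts: set[str]) -> list[str]:
    """Apply the Excluded Directories and File Extensions settings."""
    kept = []
    for p in paths:
        parts = PurePosixPath(p).parts
        if any(d in EXCLUDED_DIRS for d in parts[:-1]):
            continue
        if PurePosixPath(p).suffix in enabled_exts:
            kept.append(p)
    return kept

def plan_batches(files: list[str]) -> list[tuple[str, list[str]]]:
    """Group by language first, then split each group into fixed-size batches,
    so one scanner invocation covers a whole batch of a single language."""
    by_lang: dict[str, list[str]] = defaultdict(list)
    for f in files:
        by_lang[LANGUAGE_BY_EXT[PurePosixPath(f).suffix]].append(f)
    size = batch_size(len(files))
    batches = []
    for lang in sorted(by_lang):
        group = by_lang[lang]
        for i in range(0, len(group), size):
            batches.append((lang, group[i:i + size]))
    return batches

def sse_frame(event: str, data: dict) -> str:
    """One SSE frame: event name, JSON payload, blank-line terminator."""
    return f"event: {event}\ndata: {json.dumps(data)}\n\n"

def stream_scan(files, scan_batch, cancelled=lambda: False) -> Iterator[str]:
    """Yield SSE frames as batches complete. scan_batch(lang, paths) returns
    {path: [finding, ...]}. Once cancelled() is true, findings collected so far
    are emitted in a final frame marked partial rather than dropped."""
    total, done, findings = len(files), 0, {}
    for lang, batch in plan_batches(files):
        if cancelled():
            yield sse_frame("done", {"status": "partial", "files_scanned": done,
                                     "total": total, "findings": findings})
            return
        results = scan_batch(lang, batch)
        findings.update(results)
        done += len(batch)
        yield sse_frame("progress", {"language": lang, "files_scanned": done,
                                     "total": total,
                                     "new_findings": sum(len(v) for v in results.values())})
    yield sse_frame("done", {"status": "complete", "files_scanned": done,
                             "total": total, "findings": findings})

# Constructed stand-in for a project tree and for the scanner: in-memory
# sources, and a rule that flags any line mentioning md5.
SOURCES = {f"src/mod{i}.py": "import hashlib\nh = hashlib.md5(b'x')\n" for i in range(6)}
SOURCES.update({f"web/app{i}.js": "const x = 1;\n" for i in range(6)})
SOURCES["node_modules/dep/index.js"] = "md5(x)\n"   # lives in an excluded directory

def fake_scan_batch(lang, paths):
    return {p: [{"line": n, "rule": "weak-hash-md5"}
                for n, text in enumerate(SOURCES[p].splitlines(), 1) if "md5" in text]
            for p in paths}

def run(cancel_after_batches=None) -> list[dict]:
    """Drive a scan and parse the frames back into dicts, as a UI client would."""
    files = select_files(list(SOURCES), {".py", ".js"})
    seen = 0
    def cancelled():
        return cancel_after_batches is not None and seen >= cancel_after_batches
    events = []
    for frame in stream_scan(files, fake_scan_batch, cancelled):
        head, body = frame.split("\n")[:2]
        event, data = head[len("event: "):], json.loads(body[len("data: "):])
        events.append({"event": event, **data})
        seen += 1 if event == "progress" else 0
    return events

if __name__ == "__main__":
    for e in run(cancel_after_batches=1):
        print(e["event"], e.get("status", ""), e["files_scanned"], "/", e["total"])
```

With twelve selected files the table gives batches of ten, so the six JavaScript files form one batch and the six Python files another; cancelling after the first batch yields a partial record that still carries the JavaScript results.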
Cancellation
Click Cancel during a scan to stop it. Partial results are saved to history and marked as Partial: findings collected up to the cancellation point are preserved and viewable.
Result Fields Explained
Finding Summary
| Field | What it means |
|---|---|
| Total Findings | Number of issues detected across all scanned files. |
| Files Scanned | Total number of files analyzed. |
| Files with Issues | Number of files that had at least one finding. |
| Fixable | Findings that have an available fix: either a rule autofix or an AI-generated fix. |
Per-Finding Fields
| Field | What it means |
|---|---|
| Severity | CRITICAL / HIGH / MEDIUM / LOW / WARNING / INFO. Set by the rule author based on exploitability and impact. |
| Line | Start line number of the vulnerable code. |
| Message | Human-readable description of the issue and why it is quantum-vulnerable, including the recommended migration. |
| Actions | Fix generation buttons. See AI-Powered Fixes below. |
Severity Levels
| Severity | Meaning in quantum context |
|---|---|
| CRITICAL / ERROR | Algorithm is directly broken by Shor's algorithm (RSA, ECDSA, DH). Immediate migration required. |
| HIGH / WARNING | Significant quantum risk: weak key sizes, AES-128, SHA-256 in security-critical contexts. |
| MEDIUM | Moderate risk: deprecated but not immediately broken algorithms, weak TLS configurations. |
| LOW / INFO | Best practice violations, informational findings, algorithm lifecycle warnings. |
AI-Powered Fixes
Requires an LLM API key configured in Settings → AI Configuration. Two modes are available, selectable in Settings:
| Mode | Button label | What it generates |
|---|---|---|
| AI Recommendation (default) | Generate AI Recommendation | Inserts a single-line @TODO-pq comment above the vulnerable code describing the issue and the recommended PQC migration. Does not modify existing code. |
| AI Code Fix | Generate AI Code Fix | Replaces the vulnerable code with a working PQC-safe implementation. Adds a @TODO-pq REPLACED: comment above the new code. Review carefully before applying: the LLM works from roughly 30 lines of context. |
If AI is disabled or no LLM key is configured, a Generate Recommendation button appears instead. This uses the rule autofix field (extra.fix) where available, or calls a backend rule-based recommender; no LLM is required.
Reviewing a Fix
- Click the generate button on any finding; a loading indicator appears while the fix is generated
- Click View Recommendation or View AI Code Fix to review the diff
- Apply the changes manually to your code, or use Regenerate to produce a new suggestion
- Click Discard to remove the suggestion and start fresh
Rule Sources
Rules are bundled with the application and organized by language. No internet connection is required for scanning.
Adding Custom Rules
Place custom OpenGrep YAML rules in rules/custom-rules/. They are picked up automatically on the next scan. Example:

```yaml
rules:
  - id: custom-weak-cipher
    pattern: Cipher.getInstance("DES")
    message: DES is quantum-vulnerable. Replace with AES-256-GCM.
    severity: ERROR
    languages: [java]
    metadata:
      quantum_vulnerable: true
```

Setting quantum_vulnerable: true in metadata ensures the finding appears in PQC-only scan mode.
Scan History
Every scan is saved to history. Directory scans are stored as a single record grouping all findings. Individual file scans are stored separately.
- Complete scans: all files processed, full findings available
- Partial scans: cancelled or errored scans, marked with a Partial badge. Findings collected before cancellation are preserved.
- Clean files: files with no findings are stored in a separate table and lazy-loaded on demand to keep scan records small
Performance Notes
- The scanner is invoked once per language per batch, not once per file. This is significantly faster than per-file invocation.
- For large projects (>100 files), the scan runs as a single directory invocation per language group.
- Scan timeout is 120 seconds by default. Individual batches have a 600-second hard timeout.
- The scanner is bundled with the application for air-gapped environments; no internet connection is required for scanning.
- The scanner ignores .gitignore by default, so all files are scanned. Use the Excluded Directories setting to control what's skipped.
Relationship to Other Analyzers
The Code Analyzer finds quantum-vulnerable cryptography in source code, before it is compiled. The Binary Analyzer finds the same vulnerabilities in compiled binaries, which is useful when you don't have source access. For live infrastructure, the Certificate Analyzer and Network Analyzer assess deployed TLS configurations.
The Code Analyzer does not produce a 0–100 Quantum Risk Score; findings are reported at the individual rule level with severity. For a unified risk score, use the Certificate or Binary analyzers.