The Department of War (DoW) recently mandated a comprehensive inventory of all cryptography across its systems to prepare for the migration to Post-Quantum Cryptography (PQC). This requirement is no longer a theoretical exercise—it is an operational necessity.
TrustSource ts-scan provides a powerful, zero-configuration path to build this inventory. Using its unique integration of dependency analysis and encryption identification, you can generate a Cryptographic Bill of Materials (CBOM) to map your exposure and prioritize your migration strategy.
---
Step 1: Deployment Options
You can deploy ts-scan in your preferred environment without complex configurations or API keys for local operations.
-
As a GitHub Action: Simply add the following to your
.github/workflows/main.yml:
```yaml- name: TrustSource ts-scanuses: trustsource/ts-scan-action@mainwith:args: scan -o sbom.json -f cyclonedx```
-
As a Local CLI:** Install via pip (requires Python 3.10+):
```bashpip install ts-scan```
Step 2: Automated Discovery and Scanning
The core strength of `ts-scan` is its ability to automatically detect your environment. You do not need to manually specify if you are using Java, Python, or Go; the tool identifies the package manager (Maven, NPM, Gradle, etc.) and extracts the full dependency tree.
Execute a basic scan:
```bashts-scan scan -o my_inventory.json .
```
This command performs a deep-dive scan of your current directory, identifying all software components and libraries.
Step 3: Generating a Cryptographic Inventory
To meet the PQC requirements, you must identify not just *what* libraries are used, but *which* ones handle encryption. `ts-scan` utilizes **PyMinr**, a specialized search algorithm that identifies cryptographic implementations directly within the code.
To extract cryptographic metadata:
1. Run the scan as shown in Step 2.
2. Ensure ts-deepscan (the file-based analyzer integrated into ts-scan) is active to assess non-text files and source headers for encryption markers.
3. The resulting JSON or SBOM file will contain identifiers for libraries performing asymmetric cryptography (like RSA or ECC), which are high-priority targets for PQC migration.
Step 4: Exporting for Compliance (SBOM)
To satisfy audit requirements—including those outlined in the DoW PQC Strategy—you can export your inventory in standard formats:
- CycloneDX: Ideal for security and vulnerability tracking.
- SPDX: The standard for licensing and asset compliance.
Export Command:
```bashts-scan scan -f cyclonedx -o quantum_readiness_sbom.json .
```
Step 5: Integration with Risk Management
While local scans are excellent for point-in-time compliance, PQC readiness requires continuous monitoring. By uploading your results to the TrustSource SaaS, you can:
- Track Annual Progress: Meet the requirement to provide an updated list of points of contact and cryptographic status annually.
- Manage Remediations: If a security issue is identified in a PQC solution, TrustSource can help you identify and remediate it immediately.
- Strategic Streamlining: Reduce duplication of effort across your organization by centralizing your "Engagement" artifacts (test plans, results, etc.) in one portal.
Ready to start?
Visit the ts-scan Documentation or the GitHub Action Repository to launch your first scan today.
Comments
0 comments
Article is closed for comments.