qtz-discovery-cli Documentation
qtz-discovery-cli is Quantizant's command-line tool for discovering cryptographic assets across your source code and network endpoints. It outputs a standards-compliant CycloneDX CBOM (Cryptographic Bill of Materials).
Getting Started
Scan Commands
Report Commands
Output & Formats
Integrations
Reference
Quick Links
- Install qtz-discovery-cli — macOS, Linux, Windows
- Quickstart — Run your first scan in 5 minutes
- scan source — Scan source code for cryptographic vulnerabilities
- scan network — Analyze TLS and SSH endpoint security
- CI/CD Integration — GitHub Actions and GitLab CI examples
- Full Reference — All flags and environment variables
- Download Page — Binary downloads for all platforms
What is a CBOM?
A Cryptographic Bill of Materials (CBOM) is a machine-readable inventory of all cryptographic assets in your software system — algorithms, keys, certificates, protocols, and libraries. qtz-discovery-cli produces its CBOM in the CycloneDX 1.7 format, which is supported by NIST and major security toolchains.
Quantum Risk Classifications
Every finding is tagged with a quantum risk level:
| Level | Meaning | Example |
|---|---|---|
| VULNERABLE | Broken by quantum computers (Shor's algorithm) | RSA-1024, ECDSA P-256 |
| PARTIAL | May be weakened — key size or algorithm concerns | RSA-2048, ECDH |
| HYBRID | Classical + PQC in hybrid mode | X25519MLKEM768 |
| SAFE | Quantum-resistant algorithm | ML-KEM, ML-DSA, AES-256 |