Output Formats

All scan commands and the report convert command accept a --format flag that selects the output format. Combine it with --output <file> to write the result to disk.

qtz-discovery-cli scan source ./my-repo --format <format> --output <file>

| Format | Flag value | Best for |
|---|---|---|
| CycloneDX CBOM | cbom | Interoperability, archiving, upstream tools |
| SARIF | sarif | GitHub Security, VS Code, SIEM ingestion |
| JSON | json | Scripting, custom dashboards, API ingestion |
| CSV | csv | Spreadsheets, compliance tracking |
| Table | table | Quick terminal review |
| Dashboard | dashboard | Interactive terminal (rich TUI) |

cbom — CycloneDX CBOM

Produces a CycloneDX 1.7 Cryptographic Bill of Materials — the industry-standard machine-readable format for cryptographic asset inventories. Compatible with any tool that supports the CycloneDX specification.

qtz-discovery-cli scan source ./my-repo --format cbom --output cbom.json

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.7",
  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
  "version": 1,
  "metadata": {
    "timestamp": "2026-04-27T10:32:14Z",
    "tools": [{"vendor": "Quantizant", "name": "qtz-discovery-cli", "version": "0.1.0"}],
    "component": {"type": "library", "name": "payment-service", "version": "1.0.0"}
  },
  "components": [
    {
      "type": "cryptographic-asset",
      "name": "RSA",
      "cryptoProperties": {
        "assetType": "algorithm",
        "algorithmProperties": {
          "primitive": "pke",
          "parameterSetIdentifier": "1024",
          "keySize": 1024,
          "executionEnvironment": "software-plain-ram"
        },
        "oid": "1.2.840.113549.1.1.1"
      }
    }
  ],
  "vulnerabilities": [
    {
      "id": "CERT_WEAK_KEY",
      "ratings": [{"severity": "critical"}],
      "description": "RSA-1024 is below minimum key size and quantum-vulnerable"
    }
  ]
}

sarif — Static Analysis Results Interchange Format

SARIF 2.1.0 output for direct upload to GitHub Advanced Security, VS Code, Azure DevOps, and any SIEM that accepts SARIF.

qtz-discovery-cli scan source ./my-repo --format sarif --output results.sarif

{
  "version": "2.1.0",
  "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
  "runs": [
    {
      "tool": {
        "driver": {
          "name": "qtz-discovery-cli",
          "version": "0.1.0",
          "rules": [
            {
              "id": "CERT_WEAK_KEY",
              "name": "WeakCertificateKey",
              "shortDescription": {"text": "Key size below minimum (RSA < 2048)"},
              "defaultConfiguration": {"level": "error"}
            }
          ]
        }
      },
      "results": [
        {
          "ruleId": "CERT_WEAK_KEY",
          "level": "error",
          "message": {"text": "RSA-1024 found — minimum is RSA_2048"},
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {"uri": "lib/legacy/encrypt.js"},
                "region": {"startLine": 7}
              }
            }
          ],
          "fingerprints": {"qtz/v1": "a4c2e8f1..."}
        }
      ]
    }
  ]
}
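
For SIEM ingestion, SARIF results usually have to be flattened, because each result only references its rule by ruleId and may omit level. The sketch below is an added example, not part of qtz-discovery-cli: it joins results to rules, applies the SARIF level fallback, and drops results whose qtz/v1 fingerprint is already in a baseline set. It assumes the fingerprint is stable across runs; the event field names, the placeholder fingerprints and lib/legacy/sign.js are constructed for illustration.

```python
import json

def flatten_sarif(sarif, baseline=frozenset(), fp_key="qtz/v1"):
    """Return one flat event per SARIF result whose fingerprint is not in baseline."""
    events = []
    for run in sarif.get("runs", []):
        driver = run.get("tool", {}).get("driver", {})
        rules = {r["id"]: r for r in driver.get("rules", []) if "id" in r}
        for res in run.get("results", []):
            fp = res.get("fingerprints", {}).get(fp_key)
            if fp is not None and fp in baseline:
                continue  # already triaged in an earlier run
            rule = rules.get(res.get("ruleId"), {})
            # SARIF: a result without "level" takes the rule default, else "warning".
            level = res.get("level") or rule.get("defaultConfiguration", {}).get("level", "warning")
            phys = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            events.append({
                "tool": driver.get("name"),
                "rule_id": res.get("ruleId"),
                "rule_name": rule.get("name"),
                "level": level,
                "message": res.get("message", {}).get("text"),
                "file": phys.get("artifactLocation", {}).get("uri"),
                "line": phys.get("region", {}).get("startLine"),
                "fingerprint": fp,
            })
    return events

def to_ndjson(events):
    """Serialize events as newline-delimited JSON, one line per finding."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in events)

def _result(uri, line, fp, level=None):
    # Builds one result object for the constructed sample below.
    r = {"ruleId": "CERT_WEAK_KEY", "message": {"text": "RSA-1024 found"},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": uri},
                                             "region": {"startLine": line}}}],
         "fingerprints": {"qtz/v1": fp}}
    if level:
        r["level"] = level
    return r

# Constructed sample in the shape of the page's SARIF output; fingerprints are placeholders.
SAMPLE_SARIF = {"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "qtz-discovery-cli", "version": "0.1.0", "rules": [
        {"id": "CERT_WEAK_KEY", "name": "WeakCertificateKey",
         "defaultConfiguration": {"level": "error"}}]}},
    "results": [_result("lib/legacy/encrypt.js", 7, "placeholder-fp-1", level="error"),
                _result("lib/legacy/sign.js", 12, "placeholder-fp-2")]}]}

if __name__ == "__main__":
    print(to_ndjson(flatten_sarif(SAMPLE_SARIF, baseline={"placeholder-fp-1"})))
```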

json — Quantizant JSON

Flat JSON array of findings — the simplest format for scripting or feeding into custom dashboards. Every field from the scan result is preserved.

qtz-discovery-cli scan source ./my-repo --format json --output findings.json

[
  {
    "id": "CERT_WEAK_KEY",
    "severity": "critical",
    "category": "Asymmetric",
    "algorithm": "RSA",
    "keySize": 1024,
    "file": "lib/legacy/encrypt.js",
    "line": 7,
    "quantumRisk": "VULNERABLE",
    "message": "RSA-1024 found — minimum is RSA_2048",
    "remediation": "Upgrade to RSA_2048 or transition to ML-KEM-768"
  }
]
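
Because the JSON format is a flat array, it is the natural input for a CI gate. The following is an added example, not code shipped with qtz-discovery-cli: it loads findings.json, counts findings per severity, and returns a non-zero exit code when any finding is at or above a threshold. The severity ranking and the fail-closed handling of unknown severities are this example's assumptions; the sample entries are constructed from the IDs shown on this page.

```python
import json
import sys
from collections import Counter

# Severity names as they appear in the page's samples; the ranking is this example's choice.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

def _rank(finding):
    # Unknown or missing severities rank above critical so the gate fails closed.
    return SEVERITY_RANK.get(str(finding.get("severity", "")).lower(), 5)

def load_findings(path):
    """Read a findings file and insist on the flat-array shape."""
    with open(path, encoding="utf-8") as fh:
        data = json.load(fh)
    if not isinstance(data, list) or not all(isinstance(f, dict) for f in data):
        raise ValueError("expected a flat JSON array of finding objects")
    return data

def evaluate(findings, fail_on="high"):
    """Return (exit_code, per-severity counts, blocking findings sorted worst first)."""
    threshold = SEVERITY_RANK[fail_on]
    counts = Counter(str(f.get("severity", "")).lower() for f in findings)
    blocking = sorted((f for f in findings if _rank(f) >= threshold),
                      key=lambda f: (-_rank(f), str(f.get("file", "")), f.get("line") or 0))
    return (1 if blocking else 0), dict(counts), blocking

# Constructed sample: same field layout as the page's JSON example, reduced to the
# fields the gate reads; IDs, files and lines are taken from the page's samples.
SAMPLE = [
    {"id": "DHE_DETECTED", "severity": "medium", "file": "config/tls.js", "line": 22},
    {"id": "CERT_WEAK_KEY", "severity": "critical", "file": "lib/legacy/encrypt.js", "line": 7},
    {"id": "TLS10_ENABLED", "severity": "high", "file": "config/server.js", "line": 42},
]

if __name__ == "__main__":
    findings = load_findings(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    code, counts, blocking = evaluate(findings, fail_on="high")
    for f in blocking:
        print(f"{f.get('file')}:{f.get('line')}: [{f.get('severity')}] {f.get('id')}")
    print("counts:", counts)
    sys.exit(code)
```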

csv — Comma-Separated Values

Flat CSV with headers — opens directly in Excel, Google Sheets, and any compliance tracker.

qtz-discovery-cli scan source ./my-repo --format csv --output findings.csv

id,severity,category,algorithm,keySize,file,line,quantumRisk,message
CERT_WEAK_KEY,critical,Asymmetric,RSA,1024,lib/legacy/encrypt.js,7,VULNERABLE,RSA-1024 found — minimum is RSA_2048
TLS10_ENABLED,high,Protocol,TLS,1.0,config/server.js,42,VULNERABLE,TLS 1.0 is deprecated

table — Terminal Table

Default format. Renders a human-readable table to stdout with ANSI colors. Suitable for interactive use; not recommended for CI pipelines.

qtz-discovery-cli scan source ./my-repo

ID               SEVERITY   CATEGORY    FILE                      LINE
────────────────────────────────────────────────────────────────────────
CERT_WEAK_KEY    CRITICAL   Asymmetric  lib/legacy/encrypt.js        7
TLS10_ENABLED    HIGH       Protocol    config/server.js            42
NO_PFS           HIGH       Protocol    config/tls.js               18
DHE_DETECTED     MEDIUM     Protocol    config/tls.js               22

23 findings · 4 critical · 9 high · 7 medium · 3 low · Risk: HIGH

dashboard — Interactive Terminal Dashboard

A rich terminal UI (TUI) with severity breakdown bars, quantum risk distribution, and a paginated findings table. Requires a terminal with 80+ column width. Not suitable for CI pipelines or non-interactive environments.

qtz-discovery-cli scan source ./my-repo --format dashboard

Note: The dashboard format exits automatically after rendering. For live monitoring, use report summary cbom.json --format dashboard on previously saved output.