CipherMap CLI
A single, local binary that audits your codebase for quantum-vulnerable cryptography and grades your readiness against the CNSA 2.0 federal mandate.
Quick Start
Install the binary and scan the current directory in one line. No account, no upload.
curl -sSf https://ciphermap.io/install.sh | sh && ciphermap scan .
The scanner crawls every supported source file, reports each finding inline, and prints a quantum readiness grade summary when it finishes.
Validate Key
After purchasing a Tier A or Tier B license, validate your offline key to unlock CBOM export. Keys are verified locally — no callback to our servers.
ciphermap key --validate CMAP-XXXX-XXXX-XXXX # ✓ license valid · CBOM export unlocked
CLI Flag Glossary
Compose flags to tune the scan for local audits or automated pipelines.
| flag | description |
|---|---|
| --format <table|json> | Output format. table is human-readable; json emits a CycloneDX 1.6 CBOM. |
| --fail-on <level> | Exit non-zero when findings meet or exceed the level (info, warn, critical). |
| --include <glob> | Restrict the crawl to matching paths, e.g. --include 'src/**/*.go'. |
| --exclude <glob> | Skip matching paths such as vendored or generated directories. |
| --key <license> | Activate an offline license key to unlock CBOM serialization. |
| --no-color | Disable ANSI colors for logs and non-interactive shells. |
Output Formats
Export a machine-readable CycloneDX 1.6 Cryptographic Bill of Materials for auditors and compliance tooling.
ciphermap scan . --format json > cbom.json
{
"bomFormat": "CycloneDX",
"specVersion": "1.6",
"components": [
{
"type": "cryptographic-asset",
"name": "RSA-2048",
"cryptoProperties": {
"assetType": "algorithm",
"nistQuantumSecurityLevel": 0
}
}
]
}CI/CD Integration
Add a gate to GitHub Actions with --fail-on=critical to block pull requests that introduce non-compliant cryptography.
# .github/workflows/pqc.yml
name: Post-Quantum Gate
on: [pull_request]
jobs:
ciphermap:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Run CipherMap
run: |
curl -sSf https://ciphermap.io/install.sh | sh
ciphermap scan . --fail-on=critical --format jsonThe step exits non-zero on any critical finding, turning the check red and blocking the merge until the vulnerable primitive is migrated.