AgentSkillsCN

PQC Readiness Scanner

Analyze the complete crypto stack, from code to the operating system, to prepare for migration to the post-quantum era.

SKILL.md
---
name: PQC Readiness Scanner
description: Analyze the complete crypto stack from code to OS for post-quantum migration readiness
---

PQC Readiness Scanner

Analyze the complete crypto stack for post-quantum migration planning.

Prerequisites

Read references/pqc.md#nist-pqc-standards for background on PQC algorithms.

Workflow

Execute phases in order. Each phase has a STOP condition.

```text
CODE → PROTOCOLS → PACKAGE → PROVIDER → INFRASTRUCTURE → RUNTIME → AGILITY → REPORT
```

| Phase | Action | Reference | Stop If |
|---|---|---|---|
| 1 | Find crypto usage | patterns.md#quantum-vulnerable-needs-migration | No findings |
| 2 | Detect protocols | patterns.md#protocol-detection | - |
| 3 | Identify packages | crypto-stack.md#language-package-provider-mapping | - |
| 4 | Determine provider | crypto-stack.md (language section) | - |
| 5 | Check infrastructure | infrastructure.md#dockerfile-analysis | No Dockerfile |
| 6 | Flag runtime params | report-templates.md#runtime-verification-section | - |
| 7 | Assess agility | crypto-agility.md#detection-patterns | - |
| 8 | Generate report | report-templates.md#report-structure | - |

All references are in the references/ folder.

Phase 1: Code Analysis

Reference: patterns.md#quantum-vulnerable-needs-migration

Find crypto usage via grep patterns. For each finding, record:

  • File and line number
  • Crypto operation (sign, encrypt, hash, key exchange)
  • Algorithm (RSA, ECDSA, AES, etc.)

Also check:

  • patterns.md#legacy-algorithms-deprecated - DES, 3DES, RC4, MD5
  • patterns.md#jwt-jws-jwe-detection - Token signing algorithms
  • patterns.md#key-lifecycle-detection - Key management patterns

STOP: If no crypto findings, report "No quantum-vulnerable crypto detected" and end.
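The grep step above, written out as an added Python example (not code from the skill or its references): a small scanner runs a list of grep-style rules over an in-memory codebase, records file, line, operation and algorithm for every hit, buckets each hit into the categories Phase 1 names (quantum-vulnerable, legacy/deprecated, symmetric or hash needing a key-size review), and applies the STOP condition. The sample files and the rule list are constructed for the example; the real rules live in patterns.md.

```python
import re
from dataclasses import dataclass

# Constructed sample "codebase" (path -> source text) to exercise the scanner.
# These are not files from the skill or its references.
SAMPLE_FILES = {
    "auth/token.py": (
        "import jwt\n"
        "from cryptography.hazmat.primitives.asymmetric import rsa\n"
        "key = rsa.generate_private_key(public_exponent=65537, key_size=2048)\n"
        "token = jwt.encode(claims, key, algorithm='RS256')\n"
    ),
    "storage/blob.py": (
        "from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes\n"
        "cipher = Cipher(algorithms.AES(k), modes.GCM(iv))\n"
        "digest = hashlib.md5(data).hexdigest()\n"
    ),
    "util/strings.py": "def slug(s):\n    return s.lower()\n",
}

# Grep-style rules constructed for this example, in the shape patterns.md rules
# would take: (regex, algorithm label, crypto operation, category).
# Order matters: the first matching rule classifies a line.
PATTERNS = [
    (r"rsa\.generate_private_key|\bRSA\b", "RSA", "sign/encrypt", "quantum-vulnerable"),
    (r"ec\.generate_private_key|\bECDSA\b|\bECDH\b|\bX25519\b", "ECDSA/ECDH", "sign/key exchange", "quantum-vulnerable"),
    (r"algorithm=['\"](RS|ES|PS)\d{3}['\"]", "JWT asymmetric alg", "sign", "quantum-vulnerable"),
    (r"hashlib\.md5|\bMD5\b", "MD5", "hash", "legacy-deprecated"),
    (r"\bDES\b|\b3DES\b|TripleDES|\bRC4\b|ARC4", "DES/3DES/RC4", "encrypt", "legacy-deprecated"),
    (r"algorithms\.AES\b|\bAES\b", "AES", "encrypt", "symmetric (review key size)"),
    (r"hashlib\.sha(256|384|512)|\bSHA-?(256|384|512)\b", "SHA-2", "hash", "hash (review output size)"),
]


@dataclass(frozen=True)
class Finding:
    file: str
    line: int
    operation: str
    algorithm: str
    category: str


def scan_source(path: str, text: str) -> list[Finding]:
    """Record file, line, operation and algorithm for each line matching a rule."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for regex, algorithm, operation, category in PATTERNS:
            if re.search(regex, line):
                findings.append(Finding(path, lineno, operation, algorithm, category))
                break  # first matching rule wins; one finding per line
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan every file in path order so the report is deterministic."""
    findings = []
    for path in sorted(files):
        findings.extend(scan_source(path, files[path]))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per category for the report header."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


def phase1_verdict(findings: list[Finding]) -> str:
    """Apply the Phase 1 STOP condition."""
    if not findings:
        return "No quantum-vulnerable crypto detected"
    qv = sum(1 for f in findings if f.category == "quantum-vulnerable")
    return f"{qv} quantum-vulnerable finding(s) out of {len(findings)}; continue to Phase 2"


if __name__ == "__main__":
    results = scan_files(SAMPLE_FILES)
    for f in results:
        print(f"{f.file}:{f.line}  {f.operation:<18} {f.algorithm:<20} [{f.category}]")
    print(summarize(results))
    print(phase1_verdict(results))
```

The rule order is deliberate: the asymmetric rules come first so a line that mentions both an RSA key and an AES wrap is recorded as the quantum-vulnerable operation, which is the one migration planning needs to see.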

Phase 2: Protocol Detection

Reference: patterns.md#protocol-detection

Identify what uses crypto:

| Check | Reference Section |
|---|---|
| HTTP servers/clients | patterns.md#http-servers, patterns.md#http-clients |
| gRPC | patterns.md#grpc |
| SSH | patterns.md#ssh |
| Message queues | patterns.md#message-queue-detection |
| Database TLS | patterns.md#database-tls |
| mTLS | patterns.md#mtls--certificate-auth |

Record: Protocol, Role (server/client), Count, TLS enabled.

Phase 3: Package Identification

Reference: crypto-stack.md#language-package-provider-mapping

For each code finding, identify the package/library. Check the language-specific section:

  • crypto-stack.md#go
  • crypto-stack.md#python
  • crypto-stack.md#rust
  • crypto-stack.md#java
  • crypto-stack.md#javascriptnode

Phase 4: Provider Identification

Reference: crypto-stack.md (same language sections)

Key question: Native or bindings?

| Type | Example | PQC Path |
|---|---|---|
| Native | Go stdlib | Wait for Go PQC + change code |
| Bindings | Python cryptography → OpenSSL | Update OpenSSL + library |
| Wrapper | Rust ring → BoringSSL | Wait for ring update |

Phase 5: Infrastructure Analysis

References:

| Check | Reference Section |
|---|---|
| Certificates/PKI | infrastructure.md#certificate-and-pki-analysis |
| API gateways | infrastructure.md#api-gateway-and-proxy-analysis |
| Dockerfile | infrastructure.md#dockerfile-analysis |
| Base images | infrastructure.md#base-image-crypto-stacks |
| FIPS mode | infrastructure.md#fips-mode-detection |
| Key management | infrastructure.md#key-management-detection |
| OpenShift | infrastructure.md#openshift-detection |

STOP (soft): If no Dockerfile/K8s manifests, note "Infrastructure analysis limited to code."

Phase 6: Runtime Analysis

Reference: report-templates.md#runtime-verification-section

Flag findings where parameters are runtime-determined:

| Source | Example |
|---|---|
| ConfigMap | TLS min version from config |
| Secret | Key from mounted secret |
| Env var | Cipher suite from environment |
| CLI flag | Key size from argument |

For each, recommend verification method from report-templates.md#verification-methods-by-language.

Phase 7: Agility Assessment

Reference: crypto-agility.md#detection-patterns

Assess migration difficulty:

| Check | Reference Section |
|---|---|
| Hardcoded algorithms | crypto-agility.md#hardcoded-algorithms-low-agility |
| Configurable algorithms | crypto-agility.md#configurable-algorithms-high-agility |
| Code centralization | crypto-agility.md#centralized-vs-distributed-crypto |
| Agility score | crypto-agility.md#agility-score-template |
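Phases 6 and 7 share one question per finding: is the algorithm or parameter fixed in code, or decided at runtime? The added Python example below (not code from the skill or its references) classifies each crypto site as hardcoded or as one of the runtime sources in the Phase 6 table, attaches a verification hint to the runtime ones, and folds the result into a simple agility score. The sample lines, the regexes, the verification hints and the scoring weights are all assumptions for this example; the authoritative mapping is in report-templates.md#verification-methods-by-language and crypto-agility.md#agility-score-template.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample crypto findings: (file, line, source text). Not the skill's data.
SAMPLE_LINES = [
    ("crypto/signer.py", 12, "signer = Signer(algorithm='RS256')"),
    ("crypto/signer.py", 30, "min_tls = os.environ.get('TLS_MIN_VERSION', '1.2')"),
    ("api/server.py", 44, "ciphers = config['tls']['cipher_suites']"),
    ("cli/main.py", 9, "parser.add_argument('--key-size', type=int, default=2048)"),
    ("jobs/export.py", 21, "digest = hashlib.sha256(payload).hexdigest()"),
]

# Where a parameter's value comes from, and how a reviewer can verify it.
# Regexes and hints are assumptions for this example.
RUNTIME_SOURCES = [
    (r"os\.environ|os\.getenv|process\.env|System\.getenv", "env var",
     "read the variable from the running container/pod spec"),
    (r"config\[|config\.get\(|settings\.", "config",
     "inspect the mounted ConfigMap or settings file in each environment"),
    (r"add_argument\(|flag\.(String|Int)\(|sys\.argv", "CLI flag",
     "check the launch command (entrypoint, unit file, pod args)"),
    (r"/var/run/secrets|read_secret\(|Secret\(", "secret",
     "inspect the mounted secret's key type and size"),
]


@dataclass(frozen=True)
class Classified:
    file: str
    line: int
    source: str            # "hardcoded" or one of the RUNTIME_SOURCES labels
    verify: Optional[str]  # verification hint, only for runtime-determined values


def classify(file: str, line: int, text: str) -> Classified:
    """Decide whether the algorithm/parameter on this line is fixed in code or runtime-determined."""
    for regex, source, verify in RUNTIME_SOURCES:
        if re.search(regex, text):
            return Classified(file, line, source, verify)
    return Classified(file, line, "hardcoded", None)


def runtime_items(classified: list[Classified]) -> list[Classified]:
    """Phase 6 output: everything that must be verified outside the code."""
    return [c for c in classified if c.source != "hardcoded"]


def agility_score(classified: list[Classified]) -> tuple[int, str]:
    """Constructed heuristic: up to 70 points for the share of configurable
    selections, up to 30 points for centralization (fewer directories = better)."""
    if not classified:
        return 0, "n/a"
    total = len(classified)
    configurable = len(runtime_items(classified))
    dirs = {c.file.rsplit("/", 1)[0] if "/" in c.file else "." for c in classified}
    score = int(70 * configurable / total + 30 / len(dirs))
    rating = "high" if score >= 70 else "medium" if score >= 40 else "low"
    return score, rating


if __name__ == "__main__":
    classified = [classify(*entry) for entry in SAMPLE_LINES]
    for c in runtime_items(classified):
        print(f"RUNTIME {c.file}:{c.line} [{c.source}] -> verify: {c.verify}")
    print("agility:", agility_score(classified))
```

A hardcoded selection is easy to read but hard to change, while a runtime one is the reverse: it cannot be assessed from the code alone, which is why the same classification feeds both the Phase 6 verification list and the Phase 7 score.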

Phase 8: Report Generation

Reference: report-templates.md#report-structure

Generate report with:

| Section | Reference |
|---|---|
| Header | Timestamp, model used, codebase path |
| Crypto stack diagram | report-templates.md#crypto-stack-diagram (Mermaid) |
| Environment | report-templates.md#report-structure (Environment table) |
| PQC support | report-templates.md#report-structure (PQC Support table) |
| Protocol overview | report-templates.md#report-structure (Protocol Overview) |
| Full dependency graph | report-templates.md#full-dependency-graph (Mermaid) |
| Findings | report-templates.md#finding-template---full-stack (with per-finding diagrams) |
| Runtime items | report-templates.md#runtime-finding-template |
| Agility | crypto-agility.md#report-section |

Required diagrams:

  • Crypto stack overview (code → package → provider → OS)
  • Full dependency graph (all crypto usage across codebase)
  • Per-finding chain diagrams

Save to .work/pqc-scan/report.md.
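The required diagrams chain each finding through the Phase 3/4 layers (code → package → provider → OS). As an added Python example (not code from the skill or its references), the block below resolves constructed Phase 1 findings against a package-to-provider map, deduplicates the shared edges so the full dependency graph does not repeat the OpenSSL layer once per call site, and emits the Mermaid flowchart the report embeds. The three map rows mirror the Type/Example/PQC Path table in Phase 4; the pyjwt row, the OS-layer labels and the sample findings are assumptions for this example.

```python
# Constructed Phase 1 findings: (code site, language, package, algorithm, operation).
SAMPLE_FINDINGS = [
    ("auth/token.py:3", "python", "cryptography", "RSA", "sign"),
    ("auth/token.py:4", "python", "pyjwt", "RS256", "sign"),
    ("worker/main.go:17", "go", "crypto/ecdsa", "ECDSA", "sign"),
    ("edge/src/tls.rs:40", "rust", "ring", "ECDH", "key exchange"),
]

# (language, package) -> (provider type, provider, OS/runtime layer, PQC path).
# Assumed mapping for this example; the real one is in crypto-stack.md.
STACK_MAP = {
    ("python", "cryptography"): ("bindings", "OpenSSL",
                                 "libssl/libcrypto from the base image", "Update OpenSSL + library"),
    # pyjwt performs RSA/EC operations through the cryptography package, so it shares its chain
    ("python", "pyjwt"): ("bindings", "OpenSSL",
                          "libssl/libcrypto from the base image", "Update OpenSSL + library"),
    ("go", "crypto/ecdsa"): ("native", "Go stdlib",
                             "Go toolchain (statically linked)", "Wait for Go PQC + change code"),
    ("rust", "ring"): ("wrapper", "BoringSSL",
                       "BoringSSL code vendored in the ring crate", "Wait for ring update"),
}


def resolve_chain(finding):
    """Return ([code, package, provider, OS] labels, PQC path) or None if unmapped."""
    site, lang, package, algorithm, op = finding
    entry = STACK_MAP.get((lang, package))
    if entry is None:
        return None  # unknown package: leave for manual Phase 3/4 mapping
    ptype, provider, os_layer, path = entry
    nodes = [f"{site} {algorithm} {op}", f"{package} ({lang})", f"{provider} [{ptype}]", os_layer]
    return nodes, path


def build_edges(findings):
    """Ordered, de-duplicated edges for the full dependency graph."""
    edges = []
    for finding in findings:
        resolved = resolve_chain(finding)
        if resolved is None:
            continue
        nodes, _ = resolved
        for a, b in zip(nodes, nodes[1:]):
            if (a, b) not in edges:
                edges.append((a, b))
    return edges


def to_mermaid(edges):
    """Render edges as a Mermaid flowchart with one declared node per label."""
    lines = ["flowchart LR"]
    ids = {}
    for a, b in edges:
        for label in (a, b):
            if label not in ids:
                ids[label] = f"n{len(ids)}"
                lines.append(f'  {ids[label]}["{label}"]')
        lines.append(f"  {ids[a]} --> {ids[b]}")
    return "\n".join(lines)


def pqc_paths(findings):
    """Per-finding migration path, keyed by code site (for the findings section)."""
    return {f[0]: resolve_chain(f)[1] for f in findings if resolve_chain(f) is not None}


if __name__ == "__main__":
    print(to_mermaid(build_edges(SAMPLE_FINDINGS)))
    for site, path in pqc_paths(SAMPLE_FINDINGS).items():
        print(f"{site}: {path}")
```

Per-finding chain diagrams come from `to_mermaid(build_edges([one_finding]))`; the full graph passes every finding at once so shared providers collapse into a single node.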

Risk Assessment

Use these references when assessing each finding:

| Assessment | Reference |
|---|---|
| Quantum vulnerability | vulnerabilities.md#quantum-vulnerability |
| Priority levels | vulnerabilities.md#priority-levels |
| Key size adequacy | vulnerabilities.md#key-size-assessment |
| PQC standards | pqc.md#nist-pqc-standards |
| Migration paths | pqc.md#migration-paths |

References

| File | Sections |
|---|---|
| patterns.md | #quantum-vulnerable-*, #protocol-detection, #jwt-*, #message-queue-* |
| crypto-stack.md | #go, #python, #rust, #java, #javascript* |
| infrastructure.md | #certificate-*, #api-gateway-*, #dockerfile-*, #openshift-* |
| crypto-agility.md | #detection-patterns, #agility-score-template, #report-section |
| vulnerabilities.md | #quantum-vulnerability, #priority-levels, #key-size-* |
| pqc.md | #nist-pqc-standards, #migration-paths, #timeline |
| report-templates.md | #report-structure, #finding-template-*, #runtime-* |