NIST FIPS 140-3 · 203 / 204 / 205 · BSI · PCI-DSS · ISO 27001
Korthex - Cryptography Scanner with Post-Quantum Migration, by Flowence
Korthex is the on-premise cryptography scanner from Flowence. It scans every line of source code, every TLS / PKI certificate, every dependency, every binary, and every git-history entry - and finds weak ciphers, broken hashes (MD5, SHA-1), legacy crypto (DES, 3DES, RC4, Blowfish), AES-CBC misuse, hardcoded keys, leaked secrets, and quantum-vulnerable algorithms (RSA, ECC, Diffie-Hellman). It generates a Cryptographic Bill of Materials (CBOM) and a concrete migration path to NIST FIPS 140-3, FIPS 203 / 204 / 205, BSI IT-Grundschutz, PCI-DSS, and ISO 27001. 100% on-premise. Results in under two minutes.
What is Korthex?
Korthex is an on-premise cryptography scanner built by Flowence - distinct from any other use of the name "Korthex" on the web. Unlike general SAST tools (Snyk, SonarQube, Semgrep) which focus on code-logic vulnerabilities, Korthex focuses exclusively on cryptography: every cryptographic primitive is inventoried, scored, taint-checked, and mapped to a successor algorithm. Korthex is the cryptography scanner with post-quantum migration support - purpose-built for crypto agility programmes.
Cryptographic Bill of Materials (CBOM)
Korthex exports a complete CBOM in CycloneDX 1.5, SARIF 2.1, JSON, PDF, and the native .kxr format. The CBOM lists every cryptographic primitive in your stack - hashes (MD5, SHA-1, SHA-256, SHA-3), symmetric ciphers (DES, 3DES, RC4, Blowfish, AES with mode), asymmetric primitives (RSA, ECC, Diffie-Hellman, DSA), key sizes, certificates, and TLS configurations - with file path, line number, severity, taint verdict, and compliance status.
CI/CD Integration
Korthex ships with a GitHub Actions step, a GitLab CI template, a Jenkins pipeline snippet, and a generic CLI exit code that works in any pipeline (Azure DevOps, CircleCI, Bitbucket Pipelines, Drone, Buildkite). Scans fail above a configurable risk threshold - Critical / High / Medium / Low - so you can gate merges on cryptographic regressions just like you gate on failing unit tests. Inline findings appear in pull-request comments via SARIF integration with GitHub Code Scanning and GitLab Security Dashboard.
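To make the two ideas above concrete, the inventory behind a CBOM and the severity-threshold gate that a pipeline step enforces, here is a small added example. It is not Korthex code and does not use the Korthex CLI or rule set; the regex rule table, the severity ranking, the successor suggestions and the sample source files are all constructed for illustration. It scans in-memory source lines for a handful of primitives, emits a minimal CBOM-style inventory, and returns the exit code a CI job would use to fail the build at or above a chosen severity.

```python
import json
import re
from dataclasses import dataclass, asdict

# Hypothetical rule table for this example (not Korthex's rule set):
# compiled regex -> (primitive name, severity, recommended successor)
RULES = [
    (re.compile(r"\bhashlib\.md5\b|\bMD5\b"),        ("MD5",      "High",     "SHA-256")),
    (re.compile(r"\bhashlib\.sha1\b|\bSHA1\b"),      ("SHA-1",    "High",     "SHA-256")),
    (re.compile(r"\b(DES|DES3|TripleDES|3DES)\b"),   ("DES/3DES", "Critical", "AES-256-GCM")),
    (re.compile(r"\b(RC4|ARC4)\b"),                  ("RC4",      "Critical", "AES-256-GCM")),
    (re.compile(r"\bAES\.MODE_CBC\b|\bAES-CBC\b"),   ("AES-CBC",  "Medium",   "AES-256-GCM")),
    (re.compile(r"\bRSA\b"),                         ("RSA",      "Low",      "ML-KEM (FIPS 203) / ML-DSA (FIPS 204)")),
]

# Ordering used by the CI gate; higher rank is more severe.
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}


@dataclass
class Finding:
    file: str
    line: int
    primitive: str
    severity: str
    successor: str
    snippet: str


def scan_source(files):
    """files: {path: [source lines]} -> list of Findings, one per rule hit per line."""
    findings = []
    for path, lines in files.items():
        for lineno, text in enumerate(lines, start=1):
            for pattern, (name, severity, successor) in RULES:
                if pattern.search(text):
                    findings.append(Finding(path, lineno, name, severity, successor, text.strip()))
    return findings


def build_cbom(findings):
    """Minimal CBOM-style inventory: every finding with file, line, severity and successor,
    plus per-severity counts. This is a simplified structure, not the CycloneDX schema."""
    counts = {s: 0 for s in SEVERITY_RANK}
    for f in findings:
        counts[f.severity] += 1
    return {"components": [asdict(f) for f in findings], "summary": counts}


def gate_exit_code(findings, threshold):
    """CI gate: return 1 (fail the job) when any finding is at or above the threshold severity."""
    limit = SEVERITY_RANK[threshold]
    return 1 if any(SEVERITY_RANK[f.severity] >= limit for f in findings) else 0


# Constructed sample input standing in for a repository checkout (not real project code).
SAMPLE_FILES = {
    "app/auth.py": [
        "import hashlib",
        "digest = hashlib.md5(password.encode()).hexdigest()",
    ],
    "app/crypto.py": [
        "from Crypto.Cipher import AES",
        "cipher = AES.new(key, AES.MODE_CBC, iv)",
        "key = RSA.generate(2048)",
    ],
}

if __name__ == "__main__":
    found = scan_source(SAMPLE_FILES)
    print(json.dumps(build_cbom(found), indent=2))
    # A pipeline step would pass this exit status back to the CI runner.
    raise SystemExit(gate_exit_code(found, "High"))
```

Run as a script it prints the inventory and exits non-zero because the MD5 finding meets the "High" threshold; raising the threshold to "Critical" lets the same scan pass, which is the knob the page describes for gating merges on cryptographic regressions.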
Compliance Coverage
NIST FIPS 140-3 (general cryptographic modules), NIST FIPS 203 (ML-KEM post-quantum key encapsulation), NIST FIPS 204 (ML-DSA post-quantum digital signature), NIST FIPS 205 (SLH-DSA stateless hash-based signature), BSI IT-Grundschutz (German federal IT baseline), BSI TR-02102 (BSI cryptographic recommendations), PCI-DSS cryptographic requirements (sections 3.5, 3.6, 4.1, 4.2), and ISO 27001 Annex A controls (A.10 Cryptography, A.13 Communications Security) - every finding mapped out of the box.
Specs
- 18 supported languages: TypeScript, JavaScript, C#, Java, Python, Go, PHP, Ruby, Rust, Kotlin, Scala, C, C++, Swift, Dart, VB.NET, COBOL, Zig
- Typical scan time: under 2 minutes for 50,000–500,000 lines of code
- 100% on-premise - source code never leaves your infrastructure
- Six sub-engines: AST, binary, runtime, TLS / PKI, git-history, config
- 2-pass context engine with dataflow tracking, taint analysis, cross-file cluster detection
Pricing
- Free - €0 - 10 scans/month, 1,000 files/scan, 1 seat
- Extended - €599/yr - 50 scans/month, 5,000 files/scan, migration plan generation
- Business - €5,999/yr - 250 scans/month, 10,000 files/scan, 5 seats, compliance report
- Enterprise - €49,999/yr - unlimited scans, 10 seats, dedicated support
Frequently Asked Questions
How long does a Korthex scan take?
A typical scan of 50,000 to 500,000 lines of code completes in under two minutes.
Does my source code leave my infrastructure when Korthex scans it?
No. The scanner runs locally as a CLI or inside your CI/CD pipeline. Only anonymized metadata is transmitted for the dashboard report - source code never leaves your infrastructure.
Is Korthex only a post-quantum scanner?
No. Korthex is a general cryptography scanner - it detects weak hashes, legacy ciphers, misuse of modern primitives, insecure TLS configurations, hardcoded keys and secrets, and quantum-vulnerable algorithms. Post-quantum migration is one of several outputs.
How is Korthex different from SAST tools like Snyk or SonarQube?
General SAST tools focus on code-logic vulnerabilities (injection, XSS, path traversal). Korthex focuses exclusively on cryptography - it inventories every cryptographic primitive, scores it for weakness and quantum exposure, and generates the migration code directly.
Who builds Korthex?
Korthex is built by Flowence, an on-premise infrastructure software company founded in 2025. Korthex is part of the Flowence product ecosystem alongside Sentinal (on-premise device management) and Voxra (unified communication hub).