Scanner / CLI
Crypto Vulnerability Scanner CLI
Korthex is a cryptography vulnerability scanner built CLI-first: run one command locally or in CI, get every cryptographic weakness across source code in 18 languages, dependencies, binaries, TLS certificates, databases and git history, a gateable exit code, and a CBOM export in CycloneDX, SARIF, JSON or PDF. Under two minutes for 50,000 to 500,000 lines. 100% on-premise.
What one scan covers
- Weak and broken primitives: MD5, SHA-1, DES, 3DES, RC4, Blowfish
- Misuse of strong primitives: AES-ECB, CBC without integrity, missing IVs, key reuse, weak randomness
- Hardcoded keys, credentials and API tokens, including git history
- TLS and PKI: weak certificate signatures, short keys, expiry, insecure configuration
- Database and storage-layer cryptography state
- Quantum-vulnerable RSA, ECC, Diffie-Hellman and DSA, bucketed against FIPS 203 / 204 / 205
CLI-first by design
The exit code gates any pipeline; the formats feed any toolchain: CycloneDX and JSON for machines, SARIF for code-scanning UIs, PDF for auditors, plus the native .kxr format. It runs on Windows, Linux and macOS, works air-gapped, and the IntelliJ and VS Code plugins surface the same findings inline while you type. The dashboard is optional; only anonymized metadata ever leaves the machine, never source.
Five engines behind one command
Five correlating engines (Scanner, Context, KorthexNN, plus the binary and TLS / PKI analyzers) read the codebase as one pass. A 2-pass context engine adds dataflow tracking, taint analysis and cross-file union-find clustering, following values across 16 import hops, so findings reflect reachable reality instead of call-site pattern matches. Extracted cryptography is graded by emulation against NIST Known-Answer Tests: weak is proven, not guessed.
Start free
The Free plan includes 10 scans per month with up to 1,000 files per scan, one seat, no credit card: enough for open-source projects and a serious evaluation. Paid plans add scan volume, migration-plan generation, CI/CD templates and compliance reports.
Detection deep dives
- Weak Cipher Detection - DES, 3DES (Sweet32), RC4, Blowfish, AES-ECB, CBC without integrity
- MD5 / SHA-1 Detection - Broken hashes with taint verdicts and SHA-256 / SHA-3 migration
- TLS Certificate Audit - Certificates, keys and TLS configuration, fully on-premise
- Hardcoded Keys / Secrets - Credentials in source, config and full git history
Frequently asked questions
Which platforms does the CLI run on?
Windows, Linux and macOS, fully on-premise, including air-gapped operation.
Is there a free version?
Yes. The Free plan offers 10 scans per month, up to 1,000 files per scan and one seat, for open-source and solo developers.
What output formats exist?
CycloneDX, SARIF, JSON, PDF and the native .kxr format, all with file:line evidence, severity, taint verdict and compliance status per finding.
How fast is a scan?
Typically under two minutes for 50,000 to 500,000 lines of code, across all 18 supported languages.
Which languages are supported?
TypeScript, JavaScript, C#, Java, Python, Go, PHP, Ruby, Rust, Kotlin, Scala, C, C++, Swift, Dart, VB.NET, COBOL and Zig.