KORTHEXkorthex.flowence.cc

Scanner / CLI

Crypto Vulnerability Scanner CLI

Korthex is a cryptography vulnerability scanner built CLI-first: run one command locally or in CI, get every cryptographic weakness across source code in 18 languages, dependencies, binaries, TLS certificates, databases and git history, a gateable exit code, and a CBOM export in CycloneDX, SARIF, JSON or PDF. Under two minutes for 50,000 to 500,000 lines. 100% on-premise.

What one scan covers

  • Weak and broken primitives: MD5, SHA-1, DES, 3DES, RC4, Blowfish
  • Misuse of strong primitives: AES-ECB, CBC without integrity, missing IVs, key reuse, weak randomness
  • Hardcoded keys, credentials and API tokens, including git history
  • TLS and PKI: weak certificate signatures, short keys, expiry, insecure configuration
  • Database and storage-layer cryptography state
  • Quantum-vulnerable RSA, ECC, Diffie-Hellman and DSA, bucketed against FIPS 203 / 204 / 205

CLI-first by design

The exit code gates any pipeline; the formats feed any toolchain: CycloneDX and JSON for machines, SARIF for code-scanning UIs, PDF for auditors, plus the native .kxr format. It runs on Windows, Linux and macOS, works air-gapped, and the IntelliJ and VS Code plugins surface the same findings inline while you type. The dashboard is optional; only anonymized metadata ever leaves the machine, never source.

Five engines behind one command

Five correlating engines (Scanner, Context, KorthexNN, plus the binary and TLS / PKI analyzers) read the codebase as one pass. A 2-pass context engine adds dataflow tracking, taint analysis and cross-file union-find clustering, following values across 16 import hops, so findings reflect reachable reality instead of call-site pattern matches. Extracted cryptography is graded by emulation against NIST Known-Answer Tests: weak is proven, not guessed.

Start free

The Free plan includes 10 scans per month with up to 1,000 files per scan, one seat, no credit card: enough for open-source projects and a serious evaluation. Paid plans add scan volume, migration-plan generation, CI/CD templates and compliance reports.

Detection deep dives

Frequently asked questions

Which platforms does the CLI run on?

Windows, Linux and macOS, fully on-premise, including air-gapped operation.

Is there a free version?

Yes. The Free plan offers 10 scans per month, up to 1,000 files per scan and one seat, for open-source and solo developers.

What output formats exist?

CycloneDX, SARIF, JSON, PDF and the native .kxr format, all with file:line evidence, severity, taint verdict and compliance status per finding.

How fast is a scan?

Typically under two minutes for 50,000 to 500,000 lines of code, across all 18 supported languages.

Which languages are supported?

TypeScript, JavaScript, C#, Java, Python, Go, PHP, Ruby, Rust, Kotlin, Scala, C, C++, Swift, Dart, VB.NET, COBOL and Zig.