
PQCA announces CBOMkit: Advanced Tools for Generating and Analyzing Cryptographic Bills of Materials

August 1, 2025

The PQCA (Post Quantum Cryptography Alliance) Tooling Group is excited to announce the release of the CBOMkit tool suite, now officially maintained by PQCA. CBOMkit offers a robust set of tools for scanning source code, detecting cryptographic assets, and generating Cryptographic Bills of Materials (CBOM).

CBOM extends the concept of a Software Bill of Materials (SBOM) by providing a standardized, machine-readable format for cataloging cryptographic assets—including algorithms, protocols, certificates, keys, tokens, secrets, and passwords—and their dependencies. This enables automated reasoning about cryptographic usage and supports policy-based compliance checks.
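The "automated reasoning" and "policy-based compliance checks" mentioned above amount to walking the CBOM's component list and applying rules to each cryptographic asset. The following is an added example, not CBOMkit code: it parses a constructed CycloneDX-style CBOM (the `cryptoProperties`, `algorithmProperties`, `nistQuantumSecurityLevel` and `evidence.occurrences` field names are assumed to match the CycloneDX 1.6 layout; the file paths, line numbers and asset names are invented) and flags deprecated algorithms and quantum-vulnerable public-key algorithms.

```python
"""Policy check over a CycloneDX-style CBOM (added example; not CBOMkit code).
Field names follow the CycloneDX 1.6 cryptoProperties layout as assumed here;
the sample document is constructed by hand, not captured from a scan."""
import json
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample CBOM. Locations and line numbers are invented;
# nistQuantumSecurityLevel uses the 0..6 scale, 0 meaning no quantum security.
SAMPLE_CBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "components": [
        {"type": "cryptographic-asset", "name": "RSA-2048",
         "cryptoProperties": {"assetType": "algorithm",
                              "algorithmProperties": {"primitive": "signature",
                                                      "parameterSetIdentifier": "2048",
                                                      "nistQuantumSecurityLevel": 0}},
         "evidence": {"occurrences": [{"location": "src/main/java/Signer.java", "line": 42}]}},
        {"type": "cryptographic-asset", "name": "SHA-1",
         "cryptoProperties": {"assetType": "algorithm",
                              "algorithmProperties": {"primitive": "hash",
                                                      "nistQuantumSecurityLevel": 0}},
         "evidence": {"occurrences": [{"location": "src/main/java/Hasher.java", "line": 17}]}},
        {"type": "cryptographic-asset", "name": "AES-128-GCM",
         "cryptoProperties": {"assetType": "algorithm",
                              "algorithmProperties": {"primitive": "ae",
                                                      "parameterSetIdentifier": "128",
                                                      "nistQuantumSecurityLevel": 1}},
         "evidence": {"occurrences": [{"location": "app/crypto.py", "line": 9}]}},
        {"type": "cryptographic-asset", "name": "ML-KEM-768",
         "cryptoProperties": {"assetType": "algorithm",
                              "algorithmProperties": {"primitive": "kem",
                                                      "parameterSetIdentifier": "768",
                                                      "nistQuantumSecurityLevel": 3}}},
        # An ordinary software component; a CBOM may carry these, the policy skips them.
        {"type": "library", "name": "example-crypto-lib", "version": "1.0.0"},
    ],
})

# Policy inputs: public-key primitives broken by Shor's algorithm, and names
# treated as deprecated whatever their quantum level says.
QUANTUM_VULNERABLE_PRIMITIVES = {"pke", "signature", "key-agree"}
DEPRECATED_ALGORITHMS = {"MD5", "SHA-1", "DES", "3DES", "RC4"}


@dataclass
class Finding:
    asset: str
    reason: str
    locations: List[str] = field(default_factory=list)


def load_cbom(text: str) -> Dict:
    """Parse a CBOM document and reject anything that is not CycloneDX."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return bom


def crypto_assets(bom: Dict) -> List[Dict]:
    """Return only the components that describe cryptographic assets."""
    return [c for c in bom.get("components", []) if c.get("type") == "cryptographic-asset"]


def occurrence_locations(component: Dict) -> List[str]:
    """Render evidence.occurrences as 'path:line' strings for a report."""
    out = []
    for occ in component.get("evidence", {}).get("occurrences", []):
        loc = occ.get("location", "?")
        out.append(f"{loc}:{occ['line']}" if "line" in occ else loc)
    return out


def evaluate_cbom(bom: Dict, min_quantum_level: int = 1) -> List[Finding]:
    """Apply the policy to every algorithm asset; at most one finding per asset."""
    findings = []
    for comp in crypto_assets(bom):
        props = comp.get("cryptoProperties", {})
        if props.get("assetType") != "algorithm":
            continue  # certificates, protocols and key material need their own rules
        algo = props.get("algorithmProperties", {})
        name = comp.get("name", "<unnamed>")
        where = occurrence_locations(comp)
        if name in DEPRECATED_ALGORITHMS:
            findings.append(Finding(name, "deprecated-algorithm", where))
            continue
        level = algo.get("nistQuantumSecurityLevel")
        if level is not None and level < min_quantum_level:
            reason = ("quantum-vulnerable-public-key"
                      if algo.get("primitive") in QUANTUM_VULNERABLE_PRIMITIVES
                      else "below-required-quantum-level")
            findings.append(Finding(name, reason, where))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per policy reason, e.g. to gate a CI job on a threshold."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.reason] = counts.get(f.reason, 0) + 1
    return counts


if __name__ == "__main__":
    for f in evaluate_cbom(load_cbom(SAMPLE_CBOM_JSON)):
        print(f"{f.reason:32} {f.asset:12} {', '.join(f.locations) or '(no location)'}")
```

Raising `min_quantum_level` to 2 also flags AES-128-GCM, which is the kind of knob a migration policy would turn once an inventory exists; the per-occurrence locations are what make a finding actionable for the team that owns the file.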

CBOMkit includes a range of tools to fit various use cases:

  • Sonar-cryptography: A plugin for the SonarQube server that currently analyzes Java and Python source code. It detects cryptographic assets and produces CBOM objects with precise location data for each finding. Sonar-cryptography serves as the foundation for the other CBOMkit tools.
  • CBOMkit: A service that clones GitHub repositories, scans their source code for cryptographic assets, and generates corresponding CBOM objects. The service features a front-end GUI for viewing analysis results, a server that interfaces with Sonar-cryptography, and a database for storing CBOMs. The GUI can also be used in standalone mode to visualize CBOM files produced externally.
  • CBOMkit-action: A GitHub Action available on the GitHub Marketplace that can be embedded into CI/CD pipelines. It scans all project modules within a repository, generates CBOM objects for each module, and produces a consolidated CBOM file for the entire repository. All CBOM objects are uploaded as JSON files in a GitHub workflow artifact.
  • CBOMkit-theia: A tool for analyzing container images (Docker or OCI). It scans the image file system to identify cryptographic assets in certificates, secrets, and Java security configurations. These findings can be merged with source code CBOMs to provide a comprehensive view of the cryptographic posture of containerized applications.

We invite you to check out the CBOMkit tool suite and integrate it into your cryptographic asset management and compliance workflows. Your feedback is invaluable – please share your experiences, suggestions, or any challenges you encounter. We also invite you to become a code contributor and join the PQCA Tooling Working Group’s calls to help shape the future of post-quantum cryptographic tooling with a strong, collaborative community.

Links and References