QCecuring - Enterprise Security Solutions

Node.js Cryptographic Scanning

CBOM

Scan Node.js codebases for cryptographic usage — detect crypto module calls, TLS configurations, and deprecated algorithms across your JavaScript applications.

Overview

QCecuring’s CBOM scanner analyzes Node.js and JavaScript source code to discover all cryptographic operations — from the built-in crypto and tls modules to third-party libraries like node-forge, jose, jsonwebtoken, and bcrypt. The scanner identifies algorithms, key sizes, cipher configurations, and deprecated patterns across your Node.js application portfolio.

Key capabilities

  • Detect crypto.createHash(), crypto.createCipheriv(), crypto.createSign() calls and extract algorithm strings.
  • Scan crypto.generateKeyPair() and crypto.generateKey() for key type and size parameters.
  • Identify tls.createServer() and https.createServer() configurations for TLS versions and cipher suites.
  • Analyze node-forge usage for certificate operations, key generation, and PKCS operations.
  • Detect jsonwebtoken and jose library usage for JWT signing algorithm selection.
  • Flag deprecated patterns: MD5 hashing, DES encryption, RC4, weak HMAC keys.
  • Scan package.json and package-lock.json for crypto library dependencies and versions.

Typical use cases

  • Security teams auditing Express, Fastify, and NestJS applications for weak cryptographic patterns.
  • DevSecOps teams integrating crypto scanning into Node.js CI/CD pipelines.
  • Organizations inventorying JWT signing algorithms across their API services.
  • Teams preparing Node.js applications for PQC migration by cataloging current crypto usage.

Detected patterns

Module / Library    What’s Scanned
----------------    ---------------------------------------------------------------------------------
crypto              createHash(), createCipheriv(), createSign(), createHmac(), generateKeyPair()
tls / https         TLS version settings, cipher suite configuration, certificate options
node-forge          RSA/EC key generation, certificate creation, PKCS#12 operations
jsonwebtoken        jwt.sign() algorithm parameter (HS256, RS256, ES256, etc.)
jose                Key import/export, JWE/JWS algorithm selection
bcrypt / argon2     Password hashing algorithm and cost parameters
crypto-js           AES, DES, 3DES, RC4, MD5, SHA usage in browser-compatible crypto
sodium-native       libsodium bindings for encryption, signing, key exchange

High-level integration flow

  1. QCecuring scans Node.js repositories via Git integration or local filesystem access.
  2. AST-based analysis identifies crypto module calls, algorithm strings, and configuration patterns.
  3. Package manifests are parsed for crypto library dependencies and versions.
  4. Discovered crypto usage is normalized into CycloneDX CBOM format with algorithm details.
  5. Results feed into the centralized CBOM inventory with PQC readiness scoring per finding.
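The following is an added illustration of steps 2 and 4 of the flow and of the algorithm-string extraction listed under key capabilities; it is not QCecuring's scanner, and its output is not the product's actual CBOM. It stands in for the AST pass with a pattern-matching scan over source text: it finds crypto.createHash()/createCipheriv()/createHmac()/createSign() calls and jsonwebtoken { algorithm: ... } options whose algorithm is a string literal, flags deprecated algorithms, and normalizes the findings into CycloneDX 1.6 cryptographic-asset components. The sample application source is constructed for this example. The CycloneDX field placement (cryptoProperties.assetType, algorithmProperties.primitive, evidence.occurrences with location/line/symbol) follows the 1.6 schema as understood here and should be checked against the published schema; the call-to-primitive mapping, the deprecation list and the scanner:deprecated property name are this example's own choices.

```javascript
'use strict';

// Added example, not QCecuring's scanner: pattern-match Node.js crypto
// calls in source text, flag deprecated algorithms, and emit the result
// as CycloneDX 1.6 cryptographic-asset components.

// Constructed sample application source (not from any real project).
const SAMPLE_SOURCE = `
const crypto = require('crypto');
const jwt = require('jsonwebtoken');

function legacyChecksum(buf) {
  return crypto.createHash('md5').update(buf).digest('hex');
}

function encryptLegacy(key, iv, data) {
  const c = crypto.createCipheriv('des-ede3-cbc', key, iv);
  return Buffer.concat([c.update(data), c.final()]);
}

function issueToken(payload, secret) {
  return jwt.sign(payload, secret, { algorithm: 'HS256' });
}

const mac = crypto.createHmac('sha256', process.env.MAC_KEY);
`;

// Algorithm-name substrings treated as deprecated. Substring matching is
// deliberate: 'des-ede3-cbc' (3DES) is caught by 'des', 'RSA-MD5' by 'md5'.
const DEPRECATED = {
  md5: 'MD5: practical collisions',
  sha1: 'SHA-1: practical collisions',
  rc4: 'RC4: keystream biases',
  des: 'DES/3DES: 64-bit block, short key',
  none: 'JWT alg "none": token is not signed',
};

// Node crypto function -> CycloneDX algorithmProperties.primitive.
// Assumption: createCipheriv is mapped to block-cipher; a full scanner
// would tell stream ciphers and AEAD modes apart from the cipher name.
const PRIMITIVE_BY_CALL = {
  createHash: 'hash',
  createHmac: 'mac',
  createCipheriv: 'block-cipher',
  createDecipheriv: 'block-cipher',
  createSign: 'signature',
  createVerify: 'signature',
};

// crypto.createX('<algorithm>', ...) with a string-literal first argument.
const CALL_RE =
  /\b(createHash|createHmac|createCipheriv|createDecipheriv|createSign|createVerify)\s*\(\s*(['"`])([^'"`]+)\2/g;
// jsonwebtoken options object: { algorithm: 'HS256' }.
const JWT_ALG_RE = /\balgorithm\s*:\s*(['"`])([A-Za-z0-9]+)\1/g;

function lineOf(src, index) {
  return src.slice(0, index).split('\n').length;
}

function deprecationReason(algorithm) {
  for (const [needle, reason] of Object.entries(DEPRECATED)) {
    if (algorithm.includes(needle)) return reason;
  }
  return null;
}

// One finding per call site, sorted by line. Algorithm names passed as
// variables or built at runtime are not seen by this text-level pass.
function scanSource(src, fileName) {
  const findings = [];
  for (const m of src.matchAll(CALL_RE)) {
    const algorithm = m[3].toLowerCase();
    findings.push({ file: fileName, line: lineOf(src, m.index), call: `crypto.${m[1]}`,
      algorithm, primitive: PRIMITIVE_BY_CALL[m[1]], deprecated: deprecationReason(algorithm) });
  }
  for (const m of src.matchAll(JWT_ALG_RE)) {
    const algorithm = m[2].toLowerCase();
    // HS* JWT algorithms are HMACs; RS*/PS*/ES* are digital signatures.
    findings.push({ file: fileName, line: lineOf(src, m.index), call: 'jwt.sign',
      algorithm, primitive: algorithm.startsWith('hs') ? 'mac' : 'signature',
      deprecated: deprecationReason(algorithm) });
  }
  return findings.sort((a, b) => a.line - b.line);
}

// Normalize into a CycloneDX 1.6 CBOM: one component per distinct algorithm,
// every call site recorded under evidence.occurrences. Field placement is
// this example's reading of the 1.6 schema; 'scanner:deprecated' is our own.
function toCbom(findings) {
  const byKey = new Map();
  for (const f of findings) {
    const key = `${f.primitive}:${f.algorithm}`;
    if (!byKey.has(key)) {
      byKey.set(key, {
        type: 'cryptographic-asset',
        'bom-ref': `crypto-asset-${byKey.size + 1}`,
        name: f.algorithm,
        cryptoProperties: { assetType: 'algorithm', algorithmProperties: { primitive: f.primitive } },
        evidence: { occurrences: [] },
        properties: f.deprecated ? [{ name: 'scanner:deprecated', value: f.deprecated }] : [],
      });
    }
    byKey.get(key).evidence.occurrences.push({ location: f.file, line: f.line, symbol: f.call });
  }
  return { bomFormat: 'CycloneDX', specVersion: '1.6', version: 1, components: [...byKey.values()] };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(toCbom(scanSource(SAMPLE_SOURCE, 'src/app.js')), null, 2));
}
```

Run as a script with node to print the CBOM JSON for the embedded sample: four components, with md5 and des-ede3-cbc carrying the deprecation property and hs256 and sha256 clean. The limitation worth keeping in mind is the one the AST pass in step 2 exists to remove: a regex over text only sees literal algorithm strings at the call site, so `createHash(ALGO)` with `ALGO` defined elsewhere, or an algorithm read from configuration, produces no finding here, whereas an AST walk with constant propagation can resolve the first case and can at least report the second as an unresolved parameter.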
