How to Gate Your CI Pipeline on Quantum Vulnerability โ€” with quantum-audit
DEV Community

How to Gate Your CI Pipeline on Quantum Vulnerability - with quantum-audit

Part 3 of the quantum-audit series. Part 1 | Part 2

๐ŸŒ Tool: quantum-audit-site.vercel.app

Most security tools tell you there's a problem. Then you close the tab and forget about it. The only way to actually fix that is to make the problem block your deployment. quantum-audit exits with a non-zero code when it finds critical quantum-vulnerable cryptography. That means you can drop it into any CI pipeline and have it fail the build automatically. Here's how.

The exit code behaviour

npx quantum-audit .
echo $?  # 0 = no critical findings, 1 = critical findings found
  • Exit 0 - no critical findings (safe to deploy)
  • Exit 1 - critical findings detected (block the build)

Medium findings (SHA-256, AES-128) don't fail the build - they appear in the output as warnings but don't block deployment. Only CRITICAL findings (RSA, ECDSA, secp256k1) cause a non-zero exit.

GitHub Actions

Add this to your .github/workflows/ci.yml:

name: CI
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
jobs:
  quantum-audit:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'
      - name: Run quantum-audit
        run: npx quantum-audit .

If your project uses ethers, web3, elliptic, or any other ECDSA/RSA library - the step will fail and your PR cannot be merged until the finding is addressed.

JSON output for custom reporting

Need to parse the results programmatically? Use the --json flag:

npx quantum-audit . --json

Output:

{
  "project": "my-dapp",
  "score": 60,
  "grade": "C - Moderate Exposure",
  "findings": [
    {
      "algorithm": "ECDSA (secp256k1) signing",
      "risk": "critical",
      "weight": 40,
      "file": "package.json",
      "line": null,
      "source": "ethers"
    },
    {
      "algorithm": "SHA-256 (crypto.createHash)",
      "risk": "medium",
      "weight": 8,
      "file": "src/utils/hash.js",
      "line": 14
    }
  ]
}

You can pipe this into a Slack notification, a dashboard, or a custom reporting step.

Slack notification on failure

Here's a GitHub Actions step that posts to Slack when critical findings are detected:

- name: Run quantum-audit
  id: audit
  run: npx quantum-audit . --json > audit-result.json || true
- name: Check for critical findings
  run: |
    SCORE=$(cat audit-result.json | python3 -c "import sys,json; print(json.load(sys.stdin)['score'])")
    echo "Quantum readiness score: $SCORE"
    if [ "$SCORE" -lt 70 ]; then
      echo "CRITICAL: Quantum exposure score below threshold"
      exit 1
    fi

Soft mode - warn without blocking

If you're not ready to hard-fail on critical findings yet, use this pattern:

- name: Run quantum-audit (warn only)
  run: npx quantum-audit . || echo "โš ๏ธ Quantum vulnerabilities detected - review before next release"
  continue-on-error: true

This surfaces the findings in your CI logs without blocking the build. Good for teams that need a transition period before enforcing the gate.

What to do when the build fails

If quantum-audit fails your build, you have three options:

Option 1 - Accept the risk temporarily

Use continue-on-error: true in your CI step to warn without blocking while you plan a migration.

Option 2 - Migrate to a post-quantum library

NIST standardized the replacements in 2024:

  • CRYSTALS-Dilithium - drop-in for ECDSA signatures
  • CRYSTALS-Kyber - for key encapsulation
  • SPHINCS+ - hash-based signatures (most conservative choice)

Option 3 - Scope the scan

If the vulnerable dependency is isolated to a specific non-critical part of your codebase, you can scope the scan:

npx quantum-audit ./src/critical-path

Only scan the directories that matter most.

Full workflow example

Here's a complete GitHub Actions workflow with quantum-audit integrated alongside your existing checks:

name: Security checks
on: [push, pull_request]
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '20'
      - name: Install dependencies
        run: npm install
      - name: npm audit (classical vulnerabilities)
        run: npm audit --audit-level=high
      - name: quantum-audit (quantum vulnerabilities)
        run: npx quantum-audit .
      - name: quantum-audit JSON report
        if: always()
        run: npx quantum-audit . --json > quantum-report.json
      - name: Upload quantum report
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: quantum-audit-report
          path: quantum-report.json

This runs both npm audit (for classical CVEs) and quantum-audit (for quantum exposure) side by side, and uploads the full JSON report as a build artifact for review.

Install

npm install -g quantum-audit
# or
npx quantum-audit .

Are you running quantum-audit in CI? Drop your setup in the comments - I'd love to see how others are integrating it.

Comments

No comments yet. Start the discussion.