How to Gate Your CI Pipeline on Quantum Vulnerability - with quantum-audit
Part 3 of the quantum-audit series. Part 1 | Part 2
๐ Tool: quantum-audit-site.vercel.app
Most security tools tell you there's a problem. Then you close the tab and forget about it. The only way to actually fix that is to make the problem block your deployment. quantum-audit exits with a non-zero code when it finds critical quantum-vulnerable cryptography. That means you can drop it into any CI pipeline and have it fail the build automatically. Here's how.
The exit code behaviour
npx quantum-audit .
echo $? # 0 = no critical findings, 1 = critical findings found
- Exit 0 - no critical findings (safe to deploy)
- Exit 1 - critical findings detected (block the build)
Medium findings (SHA-256, AES-128) don't fail the build - they appear in the output as warnings but don't block deployment. Only CRITICAL findings (RSA, ECDSA, secp256k1) cause a non-zero exit.
GitHub Actions
Add this to your .github/workflows/ci.yml:
name: CI
on:
push:
branches: [main]
pull_request:
branches: [main]
jobs:
quantum-audit:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: '20'
- name: Run quantum-audit
run: npx quantum-audit .
If your project uses ethers, web3, elliptic, or any other ECDSA/RSA library - the step will fail and your PR cannot be merged until the finding is addressed.
JSON output for custom reporting
Need to parse the results programmatically? Use the --json flag:
npx quantum-audit . --json
Output:
{
"project": "my-dapp",
"score": 60,
"grade": "C - Moderate Exposure",
"findings": [
{
"algorithm": "ECDSA (secp256k1) signing",
"risk": "critical",
"weight": 40,
"file": "package.json",
"line": null,
"source": "ethers"
},
{
"algorithm": "SHA-256 (crypto.createHash)",
"risk": "medium",
"weight": 8,
"file": "src/utils/hash.js",
"line": 14
}
]
}
You can pipe this into a Slack notification, a dashboard, or a custom reporting step.
Slack notification on failure
Here's a GitHub Actions step that posts to Slack when critical findings are detected:
- name: Run quantum-audit
id: audit
run: npx quantum-audit . --json > audit-result.json || true
- name: Check for critical findings
run: |
SCORE=$(cat audit-result.json | python3 -c "import sys,json; print(json.load(sys.stdin)['score'])")
echo "Quantum readiness score: $SCORE"
if [ "$SCORE" -lt 70 ]; then
echo "CRITICAL: Quantum exposure score below threshold"
exit 1
fi
Soft mode - warn without blocking
If you're not ready to hard-fail on critical findings yet, use this pattern:
- name: Run quantum-audit (warn only)
run: npx quantum-audit . || echo "โ ๏ธ Quantum vulnerabilities detected - review before next release"
continue-on-error: true
This surfaces the findings in your CI logs without blocking the build. Good for teams that need a transition period before enforcing the gate.
What to do when the build fails
If quantum-audit fails your build, you have three options:
Option 1 - Accept the risk temporarily
Use continue-on-error: true in your CI step to warn without blocking while you plan a migration.
Option 2 - Migrate to a post-quantum library
NIST standardized the replacements in 2024:
- CRYSTALS-Dilithium - drop-in for ECDSA signatures
- CRYSTALS-Kyber - for key encapsulation
- SPHINCS+ - hash-based signatures (most conservative choice)
Option 3 - Scope the scan
If the vulnerable dependency is isolated to a specific non-critical part of your codebase, you can scope the scan:
npx quantum-audit ./src/critical-path
Only scan the directories that matter most.
Full workflow example
Here's a complete GitHub Actions workflow with quantum-audit integrated alongside your existing checks:
name: Security checks
on: [push, pull_request]
jobs:
security:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: '20'
- name: Install dependencies
run: npm install
- name: npm audit (classical vulnerabilities)
run: npm audit --audit-level=high
- name: quantum-audit (quantum vulnerabilities)
run: npx quantum-audit .
- name: quantum-audit JSON report
if: always()
run: npx quantum-audit . --json > quantum-report.json
- name: Upload quantum report
if: always()
uses: actions/upload-artifact@v4
with:
name: quantum-audit-report
path: quantum-report.json
This runs both npm audit (for classical CVEs) and quantum-audit (for quantum exposure) side by side, and uploads the full JSON report as a build artifact for review.
Install
npm install -g quantum-audit
# or
npx quantum-audit .
Are you running quantum-audit in CI? Drop your setup in the comments - I'd love to see how others are integrating it.
Comments
No comments yet. Start the discussion.