@@ -153,15 +153,32 @@ CryptoDeps goes beyond simple dependency scanning by analyzing your code's call
153153| Python | ` requirements.txt ` , ` pyproject.toml ` , ` Pipfile ` |
154154| Maven | ` pom.xml ` |
155155
156+ ### Workspace & Monorepo Support
157+
158+ CryptoDeps automatically discovers all manifest files in workspaces and monorepos:
159+
160+ - ** npm/yarn/pnpm** : Detects ` workspaces ` in package.json and pnpm-workspace.yaml
161+ - ** Go** : Detects ` go.work ` files and all ` go.mod ` in subdirectories
162+ - ** Recursive discovery** : Walks directory tree to find all manifests
163+ - ** Smart filtering** : Skips node_modules, vendor, .git, build directories
164+
165+ ``` bash
166+ # Scan entire monorepo - finds all projects automatically
167+ cryptodeps analyze /path/to/monorepo
168+
169+ # Disable workspace discovery (scan single manifest only)
170+ cryptodeps analyze /path/to/monorepo --no-workspaces
171+ ```
172+
156173### Quantum Risk Classification
157174
158175Every finding is classified by quantum computing threat level:
159176
160177| Symbol | Risk Level | Quantum Threat | Examples |
161178| --------| ------------| ----------------| ----------|
162- | ` [!] ` | VULNERABLE | Shor's algorithm | RSA, ECDSA, Ed25519, ECDH, DH, DSA |
163- | ` [~] ` | PARTIAL | Grover's algorithm | AES-128, SHA-256, HMAC-SHA256 |
164- | ` [OK] ` | SAFE | Resistant | AES-256, SHA-384+, ChaCha20, Argon2 |
179+ | 🔴 | VULNERABLE | Shor's algorithm | RSA, ECDSA, Ed25519, ECDH, DH, DSA |
180+ | 🟡 | PARTIAL | Grover's algorithm | AES-128, SHA-256, HMAC-SHA256 |
181+ | 🟢 | SAFE | Resistant | AES-256, SHA-384+, ChaCha20, Argon2 |
165182
166183### Smart Remediation
167184
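Review bot: The new Workspace & Monorepo Support bullets name only npm/yarn/pnpm and Go, so it is unclear whether the "Recursive discovery" bullet also picks up `requirements.txt`, `pyproject.toml`, `Pipfile` and `pom.xml` in subdirectories, which the manifest table just above lists as supported. State that explicitly, and spell out the exact directory names behind "build directories" in the "Smart filtering" bullet, because any manifest under a skipped directory is crypto usage the scan does not report.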
@@ -209,6 +226,7 @@ Analyze Flags:
209226 --reachability Analyze call graph for actual crypto usage (default true, Go only)
210227 --deep Force AST analysis for packages not in database
211228 --offline Use only local database, skip auto-updates
229+ --no-workspaces Disable workspace discovery (scan single manifest only)
212230 --risk string Filter by risk: vulnerable, partial, all
213231 --min-severity string Minimum severity to report
214232 -h, --help Show help
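Review bot: The `--no-workspaces` line does not state the default, unlike `--reachability` above it, which carries "(default true, Go only)". Add that workspace discovery is on by default, and say which manifest "single manifest" refers to when the target directory holds more than one.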
@@ -244,38 +262,43 @@ cryptodeps status
244262## Sample Output
245263
246264```
247- Scanning go.mod... found 36 dependencies
265+ [*] Scanning go.mod... found 36 dependencies
248266
249- CONFIRMED - Actually used by your code (requires action):
267+ [!] CONFIRMED - Actually used by your code (requires action):
250268──────────────────────────────────────────────────────────────────────────────────────────
251- [!] Ed25519 VULNERABLE [short-term] Effort: Low (simple change)
269+ 🔴 Ed25519 VULNERABLE 1-2yr low
252270 └─ golang.org/x/crypto@v0.31.0
253271 > Called from: crypto.GenerateEd25519KeyPair
254272 > Called from: crypto.SignMessage
255273
256- [~] HS256 PARTIAL [medium-term] Effort: Low (simple change)
274+ 🟡 HS256 PARTIAL - low
257275 └─ github.com/golang-jwt/jwt/v5@v5.3.0
258276 > Called from: auth.JWTService.GenerateAccessToken
259277
260- AVAILABLE - In dependencies but not called (lower priority):
278+ 🟢 bcrypt SAFE - -
279+ └─ golang.org/x/crypto@v0.31.0
280+ > Called from: auth.HashPassword
281+
282+ [.] AVAILABLE - In dependencies but not called (lower priority):
261283──────────────────────────────────────────────────────────────────────────────────────────
262284 golang.org/x/crypto@v0.31.0
263- └─ [!] X25519, [OK] ChaCha20-Poly1305, [OK] Argon2
285+ └─ 🔴 X25519, 🟢 ChaCha20-Poly1305, 🟢 Argon2
264286
265287══════════════════════════════════════════════════════════════════════════════════════════
266288SUMMARY: 36 deps | 2 with crypto | 8 vulnerable | 2 partial
267- REACHABILITY: 2 confirmed | 0 reachable | 11 available-only
289+ REACHABILITY: 3 confirmed | 0 reachable | 11 available-only
268290
269- REMEDIATION - Action Required :
291+ REMEDIATION GUIDANCE :
270292══════════════════════════════════════════════════════════════════════════════════════════
271293
272- [!] Ed25519
294+ 🔴 Ed25519 [PRIORITY]
273295──────────────────────────────────────────────────
274- Action: Plan migration to ML-DSA; prioritize if signing long-lived data
275- Replace: ML-DSA-65 (FIPS 204)
276- Timeline: Short-term (1-2 years)
277- Effort: Low (simple change)
278- Libraries: github.com/cloudflare/circl/sign/mldsa
296+ Action: Plan migration to ML-DSA; prioritize if signing long-lived data
297+ Replace with: ML-DSA-65 (FIPS 204)
298+ NIST: FIPS 204
299+ Timeline: Short-term (1-2 years)
300+ Effort: Low (simple change)
301+ Libraries: github.com/cloudflare/circl/sign/mldsa
279302```
280303
281304---
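Review bot: The rewritten finding rows drop their labels, so `1-2yr low` on the Ed25519 row and `- low` / `- -` on the HS256 and bcrypt rows read as unlabeled columns; the removed lines spelled this out as `[short-term] Effort: Low (simple change)`. Add a column header line to the sample or keep the labels. The `[!]` prefix on the CONFIRMED heading was the VULNERABLE marker before this change, and `[*]` and `[.]` do not appear in the symbol table, so the prefixes need a legend or should be dropped. In the remediation block, `NIST: FIPS 204` repeats what `Replace with: ML-DSA-65 (FIPS 204)` already says.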
@@ -424,7 +447,7 @@ qramm-cryptodeps/
424447
425448## Roadmap
426449
427- ### v1.0 (Current Release)
450+ ### v1.2 (Current Release)
428451
429452- [x] Multi-ecosystem dependency scanning (Go, npm, Python, Maven)
430453- [x] Reachability analysis for Go projects
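Review bot: The heading goes from v1.0 straight to v1.2 in place, so the checked list under it no longer shows which release introduced which feature. Keep a line per released version, or link a changelog from this heading.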
@@ -433,8 +456,10 @@ qramm-cryptodeps/
433456- [x] Smart remediation guidance with NIST references
434457- [x] GitHub repository URL scanning
435458- [x] Curated database of 1,100+ packages
459+ - [x] Workspace & monorepo support (npm, pnpm, Go workspaces)
460+ - [x] Multi-project aggregated results
436461
437- ### v1.1 (Next)
462+ ### v1.3 (Next)
438463
439464- [ ] Improved reachability for npm/Python projects
440465- [ ] Transitive dependency crypto inheritance
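Review bot: The new roadmap entry reads "(npm, pnpm, Go workspaces)" while the Workspace & Monorepo Support section added in this same change lists "npm/yarn/pnpm"; make the two agree on whether yarn workspaces are covered. Renaming "v1.1 (Next)" to "v1.3 (Next)" also carries the unchecked npm/Python reachability and transitive-dependency items forward without noting that they moved from v1.1.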