PostQ CLI
One binary. Zero dependencies. Install it, run postq, and drop into a boxed interactive shell for TLS, source-code, and cloud KMS cryptographic risk scans.
Run postq. Scan, score, ship.
First launch prompts for your API key, saves it locally, and opens the PostQ shell. Use the same scanner commands interactively or one-shot in CI.
Install, then run postq.
The CLI ships as a single static binary. After any install command, run postq. The shell will ask for your API key and start immediately.
Homebrew
RecommendedmacOS · Linux
brew install PostQDev/tap/postqGo
Any platform with Go ≥ 1.23
go install github.com/postqdev/postq-cli/cmd/postq@latestDirect download
Linux · macOS · Windows
curl -sSL https://postq.dev/install.sh | shDownload v0.3.1
Static binaries for every common platform. Verify with checksums.txt.
From zero to first scan in 30 seconds.
Install the CLI
Pick any installer. Homebrew is the fastest path on macOS and Linux.
$brew install PostQDev/tap/postqStart the shell
First launch prompts for your API key, saves it to ~/.postq/config.json (0600), and drops you into the boxed shell.
$postqScan your source code
Local static analysis for weak randomness, MD5, SHA-1 signing, JWT alg:none, disabled TLS verify, and hardcoded keys.
$scan code .Scan a live host
Real TLS handshake. Reports cipher suites, certificate chain, signature algorithms, and post-quantum readiness.
$scan url example.com
Designed for CI, not just demos.
Fast cold start
~2 MB static binary. No JVM, no Python, no npm install. Cold-start under 50 ms in Lambda.
CI-friendly exit codes
Exit 0 on clean, exit 2 on Critical/High findings. Drop into any pipeline as a quality gate.
Parallel scans
Pass any number of hosts. Tune throughput with --concurrency. Results stream into one report.
Offline-capable
--no-upload runs the entire scan locally. Nothing leaves your machine. Use --json to pipe into anything.
Interactive by default
Run postq to open the boxed shell with onboarding, command history, paged output, and the rotating What's your Q? prompt.
Secure by default
API keys live in ~/.postq/config.json with 0600 permissions. Override with env vars in containers.
What’s next.
v0.1 ships scan url, v0.2 adds the interactive shell, scan code, and scan cloud aws, and v0.3 lands hybrid signing (postq sign / verify / keys). Here’s the rough plan for the next few releases.
postqBoxed interactive shell with API-key onboarding, command history, and paged output.
postq scan urlReal TLS handshake, full chain analysis, parallel multi-host scans.
postq scan listPull recent scans uploaded by your org, table or JSON.
postq scan code <path>Local static crypto-misuse scan for weak randomness, MD5, SHA-1 signing, JWT alg:none, disabled TLS verification, and hardcoded keys.
postq scan cloud awsServer-side AWS KMS inventory using your account and role ARN.
postq scan k8sWalk a kubeconfig: TLS Secrets, Ingress certs, mesh mTLS policies.
postq scan cloud azure / gcpEnumerate Key Vault, Cloud KMS, certificates, load balancers, and secret stores.
postq scan bulk --file targets.txtFan-out over a list of hosts. Single rolled-up risk report.
postq sign / verify / keysHybrid ML-DSA + Ed25519 signing operations matching the SDKs. Exits 2 on verify failure for CI gating.
Output formats: SARIF, JUnit, CSVDrop straight into GitHub code scanning, Jenkins reports, spreadsheets.
Run your first scan
Install the CLI, run postq, paste your API key, then scan hosts, code, and AWS KMS from the shell.