video1.0<iframe src="https://www.loom.com/embed/e511ee55a22f4002b3566ce37a178043" frameborder="0" width="1728" height="1296" webkitallowfullscreen mozallowfullscreen allowfullscreen></iframe>12961728Loomhttps://www.loom.com12961728https://cdn.loom.com/sessions/thumbnails/e511ee55a22f4002b3566ce37a178043-a0dc4f0679dc6ee0.gif383.795This Loom explains how Spice Labs helps security teams inventory and assess where cryptography is used for post-quantum cryptography without requiring changes from engineering teams. It generates cryptographic bills of materials from post-build artifacts such as Maven packages and Docker images by using a CLI command to discover packages in a configured repository, taking about 1737 milliseconds (roughly 5 seconds) to find 2800 packages in one example. It then uses another command to pull those packages, perform artifact dependency graph survey and static analysis, and generate CycloneDX 1.6 Seabombs, showing findings like MD5 message digest use with call sites and status indicators. On the author’s machine, downloading and processing an artifact takes about 45 seconds per artifact.