Add QuantumScan to Testing section

[gaiabio12-design]

Adding QuantumScan to the ## Testing section, listed alphabetically between PureSec and RetireJS.

QuantumScan is a free post-quantum cryptography scanner for GitHub repositories. It complements other security scanners listed here (Snyk, Checkov, ShiftLeft Scan) by focusing specifically on the cryptographic-asset inventory that DORA (EU 2022/2554) now requires from financial entities and NIS2 mandates for essential/important entities across 18 sectors.

Key features:

• CycloneDX 1.7 CBOM export (cryptographic-asset inventory format recommended by CISA)
• DORA / NIS2 compliance PDF with mapped Article-level findings
• AI-generated migration guides per finding pointing to NIST FIPS 203/204/205 (ML-KEM, ML-DSA, SLH-DSA)
• Slack drift alerts when new vulnerable algorithms appear between scans
• Privacy-first: scanner-core is MIT-licensed at https://github.com/quantumscan-io/scanner-core

The hosted version is free during the design partner phase. Fits the DevSecOps testing workflow as a static analysis step that maps directly to current regulatory frameworks (DORA active since Jan 2025).

Following the alphabetical convention of the section.

[gaiabio12-design]

Hi! Just a gentle reminder on this submission. Happy to make any adjustments if needed. Thanks for maintaining this list!

[gaiabio12-design]

Quick update: QuantumScan just merged its first community contribution — a developer independently added .NET / C# detection patterns (System.Security.Cryptography + BouncyCastle.NET). The project is MIT-licensed, community-driven, and the scanner-core is fully open source at github.com/quantumscan-io/scanner-core. Happy to address any feedback.

[gaiabio12-design]

Hi! Friendly ping on this PR.

Since the original submission, scanner-core has shipped several updates:

• Multi-language support now covers 12 languages including C# / .NET
• GitHub PR bot for automated PQC scanning on every pull request
• CycloneDX 1.7 CBOM export and DORA/NIS2 compliance PDF reports
• npx quantumscan . — no install, runs locally, code never leaves the machine

If there's any change needed to match the list's guidelines, happy to update. Thanks for maintaining this resource!

[gaiabio12-design]

Update on this submission.

scanner-core v1.2.0 adds native DevSecOps pipeline integration:

• --sarif flag — outputs SARIF 2.1.0 for upload to GitHub Security tab, GitLab SAST, and VS Code
• Dependency scanning — package.json, requirements.txt, go.mod, Cargo.toml, pom.xml scanned automatically for quantum-vulnerable packages
• // quantumscan-ignore — inline suppression for false positives

GitHub Actions one-liner:

- run: npx quantumscan . --sarif --no-fail > results.sarif
- uses: github/codeql-action/upload-sarif@v3
  with: { sarif_file: results.sarif }

Release: https://github.com/quantumscan-io/scanner-core/releases/tag/v1.2.0