Where is quantum-vulnerable cryptography in your stack?
A Cryptographic Bill of Materials (CBOM) is the first step every PQC-migration guidance asks for. Get a quick A–F preview below — it runs entirely in your browser, nothing is uploaded — then run the full scan in your CI.
Full scan — free, in your CI
The open-source MIT scanner runs the complete rule set across your whole repository and emits a CycloneDX 1.6 CBOM, a SARIF report for your Security tab, and an embeddable A–F badge. Drop this step into any workflow — it is self-contained, no install step:
# .github/workflows/pqc-readiness.yml
name: PQC readiness
on: [push, pull_request]
jobs:
  cbom:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Post-Quantum Readiness Scorecard
        uses: brandonjsellam-Releone/pq-readiness-scorecard@v1
        with:
          path: .
          fail-on: broken-classical # fail the build on broken crypto
# emits a CycloneDX 1.6 CBOM, a SARIF report (Security tab), and an A–F grade

Or run it locally from npm (open-source, MIT):

npx -p @trelyan/verify-pqc pqcbom .

Need it signed and audit-ready?
An Evidence Pack Express turns the scan into a cryptographically signed deliverable — executive summary, A–F grade, findings, CBOM, and a migration plan — that your auditors, customers, or board can independently verify. Any alteration to the grade invalidates the signature.
Get a signed Evidence Pack →

The preview and scanner are lexical — findings are leads to verify, not a complete inventory. Algorithm names denote the public standards they are based on, not a CMVP/FIPS-140 validation. This is not a certification and not a guarantee of quantum safety. See also our own CBOM and the developer API.
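As an added illustration of what a lexical CBOM scan produces, and why its findings are leads rather than proof of use (this is not the scanner's own code or rule set): a constructed pair of source files is matched line by line against a hypothetical algorithm table, every hit becomes a CycloneDX 1.6 cryptographic-asset component with its file location as evidence, and a hypothetical A–F grade is derived from the share of quantum-vulnerable hits. The rule table, grade thresholds and sample files are assumptions; the cryptoProperties field names follow the CycloneDX 1.6 layout as I understand it and should be checked against the published schema.

```javascript
// Added example, not the scanner's own code: a minimal lexical CBOM scan.
// Hypothetical rule table; the real scanner's rule set is not reproduced here.
const RULES = [
  { re: /\bRSA\b/i,            name: "RSA",     primitive: "pke",          quantum: "vulnerable" },
  { re: /\bECDSA\b/i,          name: "ECDSA",   primitive: "signature",    quantum: "vulnerable" },
  { re: /\bAES-?128\b/i,       name: "AES-128", primitive: "block-cipher", quantum: "reduced" },
  { re: /\bAES-?256\b/i,       name: "AES-256", primitive: "block-cipher", quantum: "safe" },
  { re: /\bML-KEM(-\d+)?\b/i,  name: "ML-KEM",  primitive: "kem",          quantum: "safe" },
];

// Constructed sample repository: two small files, one with a crypto mention only in a comment.
const SAMPLE_FILES = [
  { path: "src/sign.js",
    text: "const kp = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });\n" +
          "// TODO: migrate ECDSA signing\n" +
          "const kem = 'ML-KEM-768';" },
  { path: "src/enc.js", text: "const c = createCipheriv('aes-256-gcm', key, iv);" },
];

// Lexical pass: every line that matches a rule becomes a finding (a lead, not proof of use).
function scan(files) {
  const findings = [];
  for (const { path, text } of files)
    text.split("\n").forEach((line, i) => RULES.forEach(r => {
      if (r.re.test(line)) findings.push({ name: r.name, primitive: r.primitive, quantum: r.quantum, path, line: i + 1 });
    }));
  return findings;
}

// Group findings into CycloneDX 1.6 cryptographic-asset components with occurrence evidence.
// Field names follow the 1.6 cryptoProperties layout as I understand it; verify against the schema.
function toCbom(findings) {
  const byName = new Map();
  for (const f of findings) {
    if (!byName.has(f.name)) byName.set(f.name, {
      type: "cryptographic-asset", name: f.name,
      cryptoProperties: { assetType: "algorithm", algorithmProperties: { primitive: f.primitive } },
      evidence: { occurrences: [] } });
    byName.get(f.name).evidence.occurrences.push({ location: f.path, line: f.line });
  }
  return { bomFormat: "CycloneDX", specVersion: "1.6", version: 1, components: [...byName.values()] };
}

// Hypothetical A-F scale: share of findings that are quantum-vulnerable (0 -> A, over 75% -> F).
function grade(findings) {
  const share = findings.filter(f => f.quantum === "vulnerable").length / Math.max(findings.length, 1);
  return share === 0 ? "A" : share <= 0.25 ? "B" : share <= 0.5 ? "C" : share <= 0.75 ? "D" : "F";
}
```

Note that the ECDSA hit comes from a comment line: a lexical match records where a name appears, so each finding still has to be verified against the actual call sites before it is treated as inventory.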