What's your code's post-quantum readiness grade?
The open-source CBOM scanner reads a repository and inventories the cryptography it depends on — flagging the quantum-vulnerable parts (RSA, elliptic-curve, classical TLS) — then emits a CycloneDX cryptographic bill of materials and an A–F grade you can show as a README badge. Free, open, and runs in your CI. It's a fast first signal of where you stand — not an audit.
A badge in three steps.
- Add the CBOM GitHub Action to your workflow (or run the CLI locally) — it's MIT and free.
- It scans your dependencies and source for cryptographic usage, classifies each as quantum-vulnerable or post-quantum, and writes a CycloneDX CBOM plus an A–F grade.
- Drop the badge in your README. It updates on every run, so your grade stays honest as your code changes.
Honest about what it is.
The grade reflects how much quantum-vulnerable cryptography a dependency-and-source scan could detect — a self-attested heuristic inventory from reference software, not a certification and not an exhaustive proof. An "A" is not a guarantee that a codebase is secure or fully post-quantum; an "F" is a prompt, not a verdict. It's the cheapest way to start the conversation and to track progress over time. For a thorough, signed assessment of your real posture, that's the Evidence Pack.
From a badge to a plan.
Your code stays yours.
The GitHub Action runs entirely in your CI — your source code never leaves your repository. The hosted badge preview processes only the manifest / scan summary you submit and stores no source code. The hosted scan worker is a preview, not a live production service; full data-handling details will be published with the hosted launch.
The CBOM scanner is open-source (MIT), unaudited reference software. The A–F grade is a self-attested preview signal from a heuristic dependency-and-source scan — it is NOT an audit, an assurance, a certification, or a guarantee that a codebase is secure or fully post-quantum. False negatives and false positives are possible. Use it to start and track a migration, not to certify one. Nothing here is an offer of any security, token, or financial instrument.