Pre-audit reference work — deliverables are self-attested and independently verifiable; third-party audit in procurement. No certification implied.
§ PQ Readiness Badge · Free

What's your code's post-quantum readiness grade?

The open-source CBOM scanner reads a repository and inventories the cryptography it depends on — flagging the quantum-vulnerable parts (RSA, elliptic-curve, classical TLS) — then emits a CycloneDX cryptographic bill of materials and an A–F grade you can show as a README badge. Free, open, and runs in your CI. It's a fast first signal of where you stand — not an audit.

A SELF-ATTESTED Self-attested heuristic preview — not a certified security rating.

A badge in three steps.

  1. Add the CBOM GitHub Action to your workflow (or run the CLI locally) — it's MIT and free.
  2. It scans your dependencies and source for cryptographic usage, classifies each as quantum-vulnerable or post-quantum, and writes a CycloneDX CBOM plus an A–F grade.
  3. Drop the badge in your README. It updates on every run, so your grade stays honest as your code changes.
# .github/workflows/cbom.yml — add the step, get a badge - uses: brandonjsellam-Releone/verify-pqc/packages/verify-pqc/pqcbom-action@main # (path-ref works today; a Marketplace listing is planned, not yet published)

Honest about what it is.

The grade reflects how much quantum-vulnerable cryptography a dependency-and-source scan could detect — a self-attested heuristic inventory from reference software, not a certification and not an exhaustive proof. An "A" is not a guarantee that a codebase is secure or fully post-quantum; an "F" is a prompt, not a verdict. It's the cheapest way to start the conversation and to track progress over time. For a thorough, signed assessment of your real posture, that's the Evidence Pack.

From a badge to a plan.

Your code stays yours.

The GitHub Action runs entirely in your CI — your source code never leaves your repository. The hosted badge preview processes only the manifest / scan summary you submit and stores no source code. The hosted scan worker is a preview, not a live production service; full data-handling details will be published with the hosted launch.

Free · open source · preview signal · not an assurance

The CBOM scanner is open-source (MIT), unaudited reference software. The A–F grade is a self-attested preview signal from a heuristic dependency-and-source scan — it is NOT an audit, an assurance, a certification, or a guarantee that a codebase is secure or fully post-quantum. False negatives and false positives are possible. Use it to start and track a migration, not to certify one. Nothing here is an offer of any security, token, or financial instrument.