Your codebase almost certainly relies on RSA and elliptic-curve cryptography — TLS, JWTs, SSH keys, signed tokens. All of it is breakable by a large enough quantum computer (Shor's algorithm), and "harvest now, decrypt later" means data you encrypt today can be captured today and decrypted later. Regulators noticed: CNSA 2.0 (US federal + suppliers), DORA (EU financial entities, applies from Jan 2025), and NIS2 now mandate strict cryptographic risk management — which in practice means knowing where your quantum-vulnerable crypto lives, a cryptographic bill of materials (CBOM).
Most teams can't answer "where is our RSA/ECC?" off the top of their head. Here's how to make CI answer it for you, on every push, for free.
What we're building
A GitHub Action that scans your repo, grades its post-quantum readiness A–F, writes a CycloneDX 1.6 CBOM, and — if you want — fails the build when classically-broken crypto (MD5, RC4, 3DES, deprecated TLS) shows up.
Step 1 — try it in your browser first (30 seconds, nothing uploaded)













