<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Brandon Sellam</title>
    <description>The latest articles on DEV Community by Brandon Sellam (@brandonsellam).</description>
    <link>https://dev.to/brandonsellam</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F4015677%2F125f8fb5-66c8-4d47-8e5c-c5333ef1c2c0.png</url>
      <title>DEV Community: Brandon Sellam</title>
      <link>https://dev.to/brandonsellam</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/brandonsellam"/>
    <language>en</language>
    <item>
      <title>Add a post-quantum readiness gate to your CI in 5 lines</title>
      <dc:creator>Brandon Sellam</dc:creator>
      <pubDate>Sun, 05 Jul 2026 03:00:33 +0000</pubDate>
      <link>https://dev.to/brandonsellam/add-a-post-quantum-readiness-gate-to-your-ci-in-5-lines-2bg3</link>
      <guid>https://dev.to/brandonsellam/add-a-post-quantum-readiness-gate-to-your-ci-in-5-lines-2bg3</guid>
      <description>&lt;p&gt;Your codebase almost certainly relies on RSA and elliptic-curve cryptography — TLS, JWTs, SSH keys, signed tokens. All of it is breakable by a large enough quantum computer (Shor's algorithm), and "harvest now, decrypt later" means data you encrypt &lt;em&gt;today&lt;/em&gt; can be captured today and decrypted later. Regulators noticed: &lt;strong&gt;CNSA 2.0&lt;/strong&gt; (US federal + suppliers), &lt;strong&gt;DORA&lt;/strong&gt; (EU financial entities, applies from Jan 2025), and &lt;strong&gt;NIS2&lt;/strong&gt; now mandate strict cryptographic risk management — which in practice means knowing where your quantum-vulnerable crypto lives, a &lt;em&gt;cryptographic bill of materials&lt;/em&gt; (CBOM).&lt;/p&gt;

&lt;p&gt;Most teams can't answer "where is our RSA/ECC?" off the top of their head. Here's how to make CI answer it for you, on every push, for free.&lt;/p&gt;

&lt;h2&gt;
  
  
  What we're building
&lt;/h2&gt;

&lt;p&gt;A GitHub Action that scans your repo, grades its post-quantum readiness &lt;strong&gt;A–F&lt;/strong&gt;, writes a &lt;strong&gt;CycloneDX 1.6 CBOM&lt;/strong&gt;, and — if you want — &lt;strong&gt;fails the build&lt;/strong&gt; when classically-broken crypto (MD5, RC4, 3DES, deprecated TLS) shows up.&lt;/p&gt;

&lt;h2&gt;
  
  
  Step 1 — try it in your browser first (30 seconds, nothing uploaded)
&lt;/h2&gt;

&lt;p&gt;Before touching CI, paste a &lt;code&gt;package.json&lt;/code&gt; / &lt;code&gt;requirements.txt&lt;/code&gt; / cipher list into the in-browser scanner and see your grade. It runs entirely client-side — no upload: &lt;strong&gt;&lt;a href="https://throndar.ai/cbom" rel="noopener noreferrer"&gt;https://throndar.ai/cbom&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Step 2 — add it to CI (the 5 lines)
&lt;/h2&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight yaml"&gt;&lt;code&gt;&lt;span class="c1"&gt;# .github/workflows/pqc-readiness.yml&lt;/span&gt;
&lt;span class="na"&gt;name&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;PQC readiness&lt;/span&gt;
&lt;span class="na"&gt;on&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="pi"&gt;[&lt;/span&gt;&lt;span class="nv"&gt;push&lt;/span&gt;&lt;span class="pi"&gt;,&lt;/span&gt; &lt;span class="nv"&gt;pull_request&lt;/span&gt;&lt;span class="pi"&gt;]&lt;/span&gt;
&lt;span class="na"&gt;jobs&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
  &lt;span class="na"&gt;scan&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
    &lt;span class="na"&gt;runs-on&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;ubuntu-latest&lt;/span&gt;
    &lt;span class="na"&gt;steps&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
      &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;uses&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;actions/checkout@v4&lt;/span&gt;
      &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;uses&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;brandonjsellam-Releone/pq-readiness-scorecard@v1&lt;/span&gt;
        &lt;span class="na"&gt;with&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
          &lt;span class="na"&gt;path&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;.&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;That's it. The Action is self-contained and dependency-free — no &lt;code&gt;npm install&lt;/code&gt;, no setup step. On the next push it prints a scorecard to the job summary:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Post-Quantum Readiness Scorecard: D  (52/100) — Quantum-vulnerable — migrate
3 files · broken-classical 0 · quantum-broken 4 · weakened 1 · resistant 0
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  Step 3 — see findings in the Security tab (SARIF)
&lt;/h2&gt;

&lt;p&gt;The Action emits SARIF 2.1.0. Upload it and every finding shows up as a code-scanning alert:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight yaml"&gt;&lt;code&gt;      &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;id&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;pqc&lt;/span&gt;
        &lt;span class="na"&gt;uses&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;brandonjsellam-Releone/pq-readiness-scorecard@v1&lt;/span&gt;
      &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;uses&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;github/codeql-action/upload-sarif@v3&lt;/span&gt;
        &lt;span class="na"&gt;if&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;always()&lt;/span&gt;
        &lt;span class="na"&gt;with&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
          &lt;span class="na"&gt;sarif_file&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;${{ steps.pqc.outputs.sarif-file }}&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;You also get &lt;code&gt;cbom.cdx.json&lt;/code&gt; (the CycloneDX CBOM) as a build artifact — feed it to any SBOM/CBOM tooling.&lt;/p&gt;

&lt;h2&gt;
  
  
  Step 4 — fail the build on broken crypto
&lt;/h2&gt;

&lt;p&gt;Grading is nice; a gate is better. Fail the build when anything classically-broken appears:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight yaml"&gt;&lt;code&gt;        &lt;span class="na"&gt;with&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
          &lt;span class="na"&gt;fail-on&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;broken-classical&lt;/span&gt;        &lt;span class="c1"&gt;# or: broken-classical,quantum-broken&lt;/span&gt;
          &lt;span class="c1"&gt;# min-grade: B                    # optional: fail below grade B&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Now a PR that adds &lt;code&gt;hashlib.md5()&lt;/code&gt; or &lt;code&gt;TLSv1.0&lt;/code&gt; goes red before it merges.&lt;/p&gt;

&lt;h2&gt;
  
  
  Which findings do you fix first? (harvest-now-decrypt-later)
&lt;/h2&gt;

&lt;p&gt;Not every quantum-vulnerable finding is equally urgent. &lt;strong&gt;Key establishment&lt;/strong&gt; — ECDH, Diffie-Hellman, RSA key transport (RSA-OAEP, static-RSA TLS) — is the most time-critical: an adversary can record your encrypted traffic &lt;strong&gt;today&lt;/strong&gt; and decrypt it later once a quantum computer exists ("harvest now, decrypt later"). Signatures are less urgent — forging one needs a quantum computer &lt;em&gt;at signing time&lt;/em&gt;, not retroactively. The scanner tags the harvest-now findings and puts them first in the migration plan, so you don't waste the early budget on the wrong things.&lt;/p&gt;

&lt;h2&gt;
  
  
  What it actually detects
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Quantum-broken (Shor):&lt;/strong&gt; RSA, ECDSA, ECDH, finite-field DH, EC curves, RSA/ECDSA JWTs, SSH RSA/ECDSA keys.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Hardcoded JWTs:&lt;/strong&gt; it decodes the token &lt;strong&gt;header&lt;/strong&gt; (base64url segment only — never the payload, so no secrets end up in a finding) and classifies the &lt;code&gt;alg&lt;/code&gt;: &lt;code&gt;RS256&lt;/code&gt;/&lt;code&gt;ES256&lt;/code&gt;/&lt;code&gt;PS256&lt;/code&gt; → Shor-broken, &lt;code&gt;HS256&lt;/code&gt; → Grover-weakened, &lt;code&gt;alg:none&lt;/code&gt; → critical unsigned.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Quantum-weakened (Grover):&lt;/strong&gt; AES-128/192 (Grover's quadratic speedup reduces effective security — enough to prefer AES-256); SHA-256 (collision resistance drops to ~2^85). SHA-384/512 stay fine.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Classically broken (fix today):&lt;/strong&gt; MD5, SHA-1, RC4, 3DES, Blowfish, deprecated TLS, NTLM, WEP.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Quantum-resistant:&lt;/strong&gt; ML-KEM, ML-DSA, SLH-DSA (the NIST FIPS 203/204/205 standards), AES-256, SHA-384, SHA-512, ChaCha20 (256-bit).&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Broken PQ candidates:&lt;/strong&gt; it also flags SIKE/SIDH (broken by Castryck–Decru in 2022) and GeMSS — so a team that &lt;em&gt;thinks&lt;/em&gt; it migrated to post-quantum isn't left trusting something already broken.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;It reads inline code, declared crypto libraries, numeric OIDs in certs/ASN.1, and base64/PEM key blobs.&lt;/p&gt;

&lt;h2&gt;
  
  
  Honest caveats (read these)
&lt;/h2&gt;

&lt;p&gt;It's a &lt;strong&gt;lexical&lt;/strong&gt; scan: findings are &lt;strong&gt;leads to verify, not a complete inventory&lt;/strong&gt;, and it is &lt;strong&gt;not a certification&lt;/strong&gt;. Algorithm names denote the public standards they're based on — not a CMVP/FIPS-140 validation. It won't fake a clean bill of health: a scan that examines zero files &lt;em&gt;refuses to grade&lt;/em&gt; rather than reporting "A". The scanner is open-source (MIT) — read it and re-run every finding yourself: &lt;a href="https://github.com/brandonjsellam-Releone/verify-pqc" rel="noopener noreferrer"&gt;github.com/brandonjsellam-Releone/verify-pqc&lt;/a&gt;. (Falcon, if you see it flagged, is FN-DSA for the forthcoming FIPS 206 — in development, not yet standardized.)&lt;/p&gt;

&lt;h2&gt;
  
  
  If your grade is bad
&lt;/h2&gt;

&lt;p&gt;Start with &lt;strong&gt;Phase 1&lt;/strong&gt;: rip out the classically-broken stuff (MD5/SHA-1/RC4/3DES, old TLS) — that's exploitable &lt;em&gt;today&lt;/em&gt;, quantum or not. Then plan the quantum-broken key-establishment (the harvest-now items) and signatures toward the NIST PQC standards, running classical+PQC in hybrid during the transition.&lt;/p&gt;

&lt;p&gt;If you need a signed, auditor-ready version of this — an &lt;strong&gt;Evidence Pack&lt;/strong&gt; with an executive summary, the grade, the findings, the CBOM, and a prioritized migration plan, cryptographically signed so your auditors can verify it hasn't been altered — that's at &lt;a href="https://throndar.ai/evidence" rel="noopener noreferrer"&gt;throndar.ai/evidence&lt;/a&gt;. But the free Action above is enough to answer the question every regulator is about to ask: &lt;em&gt;where is our quantum-vulnerable cryptography, and what's the plan?&lt;/em&gt;&lt;/p&gt;




&lt;p&gt;&lt;em&gt;Built by TRELYAN Inc. The scanner and CLI are MIT. Feedback — especially false positives/negatives on real repos — is genuinely wanted: open an issue on the &lt;a href="https://github.com/brandonjsellam-Releone/verify-pqc" rel="noopener noreferrer"&gt;repo&lt;/a&gt;.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>security</category>
      <category>cryptography</category>
      <category>devops</category>
      <category>github</category>
    </item>
  </channel>
</rss>
