Skip to content

feat(pqc): add CBOM endpoint, quantum risk scoring, NCSC and ENISA fr…#187

Merged
Vishnu2707 merged 1 commit into
devfrom
feat/pqc-cbom-expansion
Jul 14, 2026
Merged

feat(pqc): add CBOM endpoint, quantum risk scoring, NCSC and ENISA fr…#187
Vishnu2707 merged 1 commit into
devfrom
feat/pqc-cbom-expansion

Conversation

@Vishnu2707

Copy link
Copy Markdown
Member

What does this PR do?

Expands OpenShield's post-quantum cryptography capabilities to world-class level.
Adds structured CBOM output, quantum risk scoring per asset, NCSC UK and ENISA
framework mappings, Harvest Now Decrypt Later exposure analysis, and a
three-phase migration roadmap API.

Type of change

  • New scan rule
  • API endpoint
  • Compliance mapping
  • Documentation

What's included

Quantum Risk Scoring

  • Each PQC finding now includes a quantum risk score 1-10
  • Scores based on algorithm type, internet exposure, and HNDL risk
  • Migration priority HIGH/MEDIUM/LOW per asset
  • Recommended target algorithm from NIST FIPS 203/204/205

CBOM API Endpoints

  • GET /api/cbom - full Cryptographic Bill of Materials from latest scan
  • GET /api/cbom/summary - summary and top 5 highest risk assets
  • GET /api/cbom/migration-roadmap - three phase migration plan

New Compliance Frameworks

  • NCSC UK Post-Quantum Cryptography Migration Guidance
  • ENISA Post-Quantum Cryptography Recommendations
  • Both mapped to AZ-PQC-001, AZ-PQC-002, AZ-PQC-003

RAG Skill Update

  • NCSC and ENISA guidance added to PQC knowledge skill
  • HNDL risk assessment section
  • CBOM schema documentation

Testing

  • 25 focused tests passed
  • CBOM route contract checks passed
  • All six compliance JSON files validated
  • ruff check and ruff format passed
  • No hardcoded credentials or secrets
  • No AI or co-author traces

Why this matters

OpenShield is now the only free Azure security tool that:

  • Generates a structured CBOM for Azure cryptographic assets
  • Calculates per-asset quantum risk scores
  • Maps findings to NIST, NCSC UK, and ENISA PQC guidance simultaneously
  • Provides a prioritised migration roadmap via API
  • Surfaces Harvest Now Decrypt Later exposure risk

Closes #[add issue number]

…amework mappings, HNDL exposure window and migration roadmap

Signed-off-by: Vishnu Ajith <27vishnu07@gmail.com>
@github-actions

Copy link
Copy Markdown

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.

@Vishnu2707
Vishnu2707 requested a review from TFT444 July 14, 2026 00:12
@ritiksah141
ritiksah141 removed the request for review from TFT444 July 14, 2026 00:12
@Vishnu2707
Vishnu2707 merged commit 5e26cf4 into dev Jul 14, 2026
19 checks passed
@Vishnu2707
Vishnu2707 deleted the feat/pqc-cbom-expansion branch July 14, 2026 00:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants