PostQuantum CBOM for .NET

systemslibrarian

Cryptographic inventory and PQC readiness for .NET — find RSA, ECC, weak crypto, and quantum-migration risk inside VS Code.

Cryptographic inventory and PQC readiness, inside VS Code. Find RSA, ECC, weak crypto, and quantum-migration risk in your .NET solution — with a live readiness score and prioritized actions.

Find your crypto before quantum does.

What it does

  • PQC Readiness dashboard — a single panel showing your 0–100 readiness score, critical/high/medium counts, quantum-vulnerable vs. classical-weakness split, baseline delta, and the top migration actions.
  • Crypto inventory sidebar — the highest-priority findings at a glance, each linking to its rule documentation.
  • Status-bar score — PQC: 64/100, coloured by posture, one click to the dashboard.
  • One-click HTML report and CBOM: Add GitHub Action to scaffold a CI gate.

It drives the dotnet-cbom CLI and reads its versioned JSON contract — so the editor view always matches what your CI produces.

Want squiggles as you type?

This extension is the dashboard and inventory layer. For inline diagnostics on weak crypto as you type (in every IDE and on dotnet build), add the companion Roslyn analyzer:

dotnet add package PostQuantum.CryptographicBillOfMaterials.Analyzer

Requirements

Install the CLI once (the extension calls it):

dotnet tool install -g PostQuantum.CryptographicBillOfMaterials.Cli

If dotnet-cbom isn't on your PATH, set cbom.cliPath in settings.

Local-first, by design

  • Runs entirely on your machine. No source code is uploaded.
  • No cloud analysis. No telemetry.
  • Uses the dotnet-cbom CLI you installed — nothing else phones home.

Settings

| Setting | Default | Description |
| --- | --- | --- |
| cbom.cliPath | dotnet-cbom | Path to the CLI executable. |
| cbom.target | (workspace) | Solution/project/directory to scan, relative to the workspace. |
| cbom.profile | general | Policy profile (general, federal, cnsa2, audit, developer). Profiles only raise severity. |
| cbom.scanOnSave | false | Re-scan when a C# file is saved. |

Honesty note

A clean scan means “no detectable issues in analyzed source,” not “the system is quantum-safe.” Static analysis cannot see runtime- or config-driven crypto. See the project docs.
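
The "config-driven crypto" this note refers to, as an added C# example (not code from the extension or the dotnet-cbom project): the hash algorithm is chosen by a configuration string at runtime, so the call site guards it with an allow-list. The names `ConfiguredHasher` and `Resolve` and the sample inputs are hypothetical.

```csharp
#nullable enable
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added example; ConfiguredHasher and Resolve are hypothetical names.
public static class ConfiguredHasher
{
    // Enforced at runtime, because the algorithm name is data rather than source.
    private static readonly HashSet<string> Allowed =
        new(StringComparer.OrdinalIgnoreCase) { "SHA256", "SHA384", "SHA512" };

    public static HashAlgorithm Resolve(string? configuredName)
    {
        string name = string.IsNullOrWhiteSpace(configuredName)
            ? "SHA256"
            : configuredName.Trim();

        if (!Allowed.Contains(name))
            throw new CryptographicException(
                $"Hash algorithm '{name}' is not on the allow-list.");

        // The call site is only a string lookup; configuration decides
        // which concrete algorithm comes back.
        return CryptoConfig.CreateFromName(name) as HashAlgorithm
            ?? throw new CryptographicException($"Unknown hash algorithm '{name}'.");
    }

    public static void Main()
    {
        // Constructed inputs standing in for an environment variable or appsettings value.
        foreach (string? configured in new[] { "SHA256", "MD5", null })
        {
            try
            {
                using HashAlgorithm alg = Resolve(configured);
                byte[] digest = alg.ComputeHash(Encoding.UTF8.GetBytes("sample"));
                Console.WriteLine(
                    $"{configured ?? "(unset)"} -> {alg.GetType().Name}, {digest.Length * 8}-bit digest");
            }
            catch (CryptographicException ex)
            {
                Console.WriteLine($"{configured} -> rejected: {ex.Message}");
            }
        }
    }
}
```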

Apache-2.0 · Source & issues
