Assess workflow

Assess combines active discovery with reproducible reporting: scan, poll, export, and independently verify.

Last updated: 2026-06-09

Workflow overview

  1. Start a scan with POST /pqc/scan.
  2. Check progress via GET /pqc/scan-status/{scan_id}.
  3. Export evidence with GET /pqc/report/{scan_id}.
  4. Validate signatures through GET /pqc/verify/{scan_id} or POST /pqc/verify.

1) Start the scan

Use fixture mode for deterministic demos and live mode for external target inventory. For async scans, persist complete output to tenant history with POST /pqc/scan/{scan_id}/persist so downstream workflows can consume a stable result set.

2) Poll until complete

Polling should treat status transitions as stateful events, not just progress percentages. Once status reaches complete, query GET /pqc/report/{scan_id}/availability to pick the final output format (json, csv, cbom, pdf).
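One way to structure the polling loop described above, as an added example that is not part of the Assess documentation or SDK. Only the endpoints, the `complete` status and the four format names come from this page; the `status` and `formats` response fields, the other status names and the format preference order are assumptions.

```python
import time

# Assumed for illustration: the "status"/"formats" response fields and every
# status name except "complete" are hypothetical, not from the Assess API reference.
LIFECYCLE = ["queued", "running", "complete"]   # forward-only order (assumed)
FAILURES = {"failed", "cancelled"}              # terminal failure states (assumed)
PREFERRED = ["cbom", "json", "pdf", "csv"]      # formats named on this page; order assumed

class ScanFailed(Exception):
    pass

def poll_scan(scan_id, get, interval=2.0, max_polls=150, sleep=time.sleep):
    """Poll a scan; `get(path) -> dict` is an injected, authenticated HTTP GET.

    Returns (observed status transitions, report format to request)."""
    transitions, last = [], ""
    for _ in range(max_polls):
        status = get(f"/pqc/scan-status/{scan_id}").get("status")
        if status != last:                       # record each transition once
            if status in FAILURES:
                raise ScanFailed(f"scan ended in {status!r} after {transitions}")
            if status not in LIFECYCLE:          # fail closed on unknown states
                raise ScanFailed(f"unrecognised status {status!r}")
            if last and LIFECYCLE.index(status) < LIFECYCLE.index(last):
                raise ScanFailed(f"status regressed {last!r} -> {status!r}")
            transitions.append(status)
            last = status
        if status == "complete":
            # Only now ask which export formats exist for this scan.
            offered = get(f"/pqc/report/{scan_id}/availability").get("formats", [])
            for fmt in PREFERRED:
                if fmt in offered:
                    return transitions, fmt
            raise ScanFailed("scan complete but no report format is available")
        sleep(interval)
    raise TimeoutError(f"scan {scan_id} not complete after {max_polls} polls")

def fake_transport(statuses, formats):
    """Constructed stand-in for the HTTP client; replays canned responses."""
    replay = iter(statuses)
    def get(path):
        if path.endswith("/availability"):
            return {"formats": formats}
        return {"status": next(replay)}
    return get

if __name__ == "__main__":
    get = fake_transport(["queued", "running", "running", "complete"], ["json", "pdf"])
    print(poll_scan("demo-scan", get, sleep=lambda _s: None))
```

Recording the transition list alongside the chosen format gives the caller an audit trail of how the scan reached `complete`, and a regressed or unknown status stops the workflow instead of exporting a report from an inconsistent scan.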

3) Produce report artifacts

  • JSON for machine workflows: GET /pqc/report/{scan_id}
  • CBOM evidence: GET /pqc/report/{scan_id}?format=cbom
  • Human-readable audit packet: GET /pqc/report/{scan_id}?format=pdf

4) Verify and share confidence

Verification checks the report's content hash, the signer identity, and optional transparency inclusion. Continue with the Verify tool and the Verify specification for offline controls in CI and customer assurance workflows.