CBOM aggregator guide

What the aggregator does#

The CBOM aggregator merges cryptographic component records from cloud inventories, key managers, and CLM into one canonical tenant view suitable for readiness scoring and audit exports.

Data collection and aggregation#

• Source inventory status: GET /pqc/cbom/sources
• Trigger provider pull: POST /pqc/cbom/pull/{provider}
• Read merged output: GET /pqc/cbom/aggregate

Conflict resolution#

Mismatched records (algorithm, key size, ownership) surface as adjudication tasks.

• List unresolved conflicts: GET /pqc/cbom/conflicts
• Apply resolution strategy: PUT /pqc/cbom/conflicts/{conflict_id}

Drift and reporting#

Compare snapshots using GET /pqc/cbom/diff and pair with GET /pqc/report/{scan_id}?format=cbom to publish time-bound evidence for governance reviews.