What SBOM formats does CRA Evidence support?

CRA Evidence supports CycloneDX (JSON and XML) and SPDX (JSON, tag-value, and RDF) formats. SBOMs can be uploaded via the web interface, REST API, or CI/CD CLI tool.

How does vulnerability scanning work?

CRA Evidence operates its own Vulnerability Knowledge Base, synced every 15 minutes from NVD/cvelistV5, OSV.dev (covering GitHub, Go, Rust, PyPI advisories), CISA KEV, and EPSS scoring. CRA Evidence vulnerability scanner runs as an independent verification layer. Each finding is enriched with EPSS exploit probability scores from FIRST.org and cross-referenced with the CISA KEV catalog for known-exploited vulnerabilities. Production versions are rescanned automatically when vulnerability databases update. Findings that you dismiss or suppress automatically generate draft VEX statements for batch review and CycloneDX export.

What is ENISA Article 14 reporting?

Article 14 of the Cyber Resilience Act requires manufacturers to report actively exploited vulnerabilities to ENISA and national CSIRTs within strict timelines: 24-hour early warning, 72-hour detailed report, and 14-day final report. CRA Evidence provides structured workflows and report generation for these obligations.

Does CRA Evidence support all CRA economic operator roles?

Yes. CRA Evidence provides dedicated workflows for all three CRA roles: Manufacturers (full compliance tooling), Importers (verification and due diligence), and Distributors (due care checks and documentation). Each role gets a tailored workspace with role-specific features.

Can CRA Evidence integrate with CI/CD pipelines?

Yes. CRA Evidence provides a CLI tool and REST API for CI/CD integration. You can upload SBOMs, check CRA compliance status, and gate releases based on vulnerability thresholds directly in your GitHub Actions, GitLab CI, or Jenkins pipelines.

CRA Compliance Platform | SBOM, VEX & ENISA Reporting

Artifact Management

Your SBOMs, validated and versioned

Drop in a CycloneDX or SPDX file. We validate it against BSI TR-03183 quality criteria, score its completeness, and keep audit-ready records for every product version.

CycloneDX and SPDX Format is auto-detected on upload. CycloneDX 1.6 schema validation, SPDX 2.2+ parsing.

TR-03183 quality scoring Weighted metrics for PURL, hashes, supplier, license, and version completeness.

HBOM and VEX support Hardware Bill of Materials and Vulnerability Exploitability eXchange extraction from CycloneDX.

Dependency graph visualization Interactive Mermaid.js component tree with transitive dependency expansion and click-to-navigate.

Version comparison and drift detection Diff SBOMs between versions. Detect new, removed, and modified components.

VEX authoring Create and publish Vulnerability Exploitability eXchange statements directly in-app. Export as CycloneDX VEX.

CycloneDX SPDX HBOM VEX SARIF

Quality Score

Automatic scoring against BSI TR-03183 standard with improvement recommendations.

Dependency Tree

Visualize direct and transitive dependencies with circular dependency detection.

Version Diff

Compare SBOMs across versions. Track what changed and why.

License Check

Identify problematic license combinations across your components.

Vulnerability Scanning

Detect new CVEs in minutes, not days

We sync vulnerability intelligence from NVD, OSV.dev, CISA KEV, and EPSS every 15 minutes, then re-verify findings with an independent scanner. Faster detection, fewer blind spots.

Synced every 15 minutes NVD/cvelistV5, OSV.dev, CISA KEV, and EPSS are refreshed on a 15-minute cadence.

Independent verification layer The scanner rechecks findings separately so missed detections in one source can still be caught.

EPSS-based prioritization Each finding is enriched with EPSS data so teams can focus on likely real-world exploitation, not just raw severity.

Automatic rescans and KEV cross-checks Production and staging versions are rescanned automatically, and findings are cross-referenced against the CISA KEV catalog.

Remediation tracking Five-stage lifecycle per vulnerability: start, fix, verify, release. Status tracking per affected version.

Suppression management Suppress false positives with justification, expiry dates, and approval workflows.

Reachability analysis Mark components as reachable or unreachable to prioritize what actually matters.

CSAF advisories Full advisory lifecycle: import, validate, publish. Draft to final with semantic diff. CRA Article 11 compliant.

Own Vulnerability Knowledge Base Five authoritative sources aggregated into a single local knowledge base: NVD/cvelistV5, OSV.dev, GitHub Security Advisories, CISA KEV, and EPSS. Synced every 15 minutes. Our vulnerability scanner runs as an independent verification layer for zero blind spots.

Automated VEX workflow and coverage tracking Triage decisions auto-generate draft VEX statements — suppressions, dismissals, and remediation status changes all feed the VEX bridge. Batch review and publish with one click. Export CycloneDX 1.6-compliant VEX per version. Track coverage percentage across all assessed vulnerabilities for a single audit-ready number.

Correlated vulnerability intelligence

15-minute sync

Source NVD / cvelistV5 Baseline CVE updates

Source OSV.dev Ecosystem-specific advisories

Source CISA KEV Known exploited vulnerabilities

Source EPSS Real-world exploit likelihood

Step 1 Aggregate and verify

Multiple intelligence feeds are correlated, then checked again through an independent scanner.

Step 2 Prioritize what matters

KEV and EPSS data surface the findings most likely to become real operational problems.

KEV matched EPSS prioritized

Output Verified findings move to action faster

Automatic rescans keep production and staging versions current while the workflow stays focused on active risk.

Technical Documentation

Annex VII packages, ready on demand

Article 13 requires 10 years of technical documentation. We generate the Annex VII packages, certificates, and compliance reports so market surveillance requests don't land cold.

Technical File Export

One ZIP with everything: machine-readable manifest (JSON), SBOMs (CycloneDX/SPDX), attestations, compliance checklist, and attribution reports. Human-readable and machine-readable, structured per Annex VII.

EU Declaration of Conformity

Generate EU DoC documents with proper formatting, versioning, and CE marking tracking.

Compliance Reports

PDF or HTML. Vulnerability summary, component inventory, quality scores, and remediation status in one report you can hand to auditors.

Security Data Sheet

Annex II security datasheet wizard. Draft it, validate it, publish it. Export as PDF, Markdown, or HTML.

Certificates

Certificate lifecycle: draft, issue, revoke. Immutable issued certificates with downloadable PDF generation.

Multi-language Documents

Generate documents in 8 languages: English, Spanish, German, French, Italian, Polish, Dutch, and Swedish.

Annex I Readiness

Score your product against all 20 essential cybersecurity requirements from CRA Annex I Part I. Track what you've met and what's missing.

Artifact Signing

Sigstore-based signing for SBOMs and artifacts. Keyless and key-based modes with signature verification for supply chain integrity.

Support Period Tracking

Define and track the mandatory minimum 5-year support period per CRA Article 13(5). Alerts when products approach end-of-support.

ENISA Notifications

Never miss an ENISA deadline

Article 14 has two reporting tracks with separate deadlines: vulnerabilities and severe incidents. We handle both with structured templates and countdown tracking.

24h

Early Warning

Initial vulnerability notification within 24 hours of discovery. CVE ID, affected products, and attack complexity assessment.

72h

Detailed Notification

Technical analysis with remediation timeline, workarounds, and expanded impact assessment within 72 hours.

14d

Final Report

Resolution confirmation with permanent fix details, deployment timeline, and lessons learned. 14 days for vulnerabilities, 30 days for incidents.

Deadline reminders Automatic alerts before each obligation expires

ENISA SRP ready Structured payloads for ENISA Single Reporting Platform. Day-one integration when API launches.

Submission history Full audit trail of all generated notifications and status tracking

Incident management Separate workflow for severe incidents (Art. 14(3)). 30-day final report vs. 14 days for vulnerabilities.

PDF reports & overdue alerts Early warning, detailed, and final report PDFs. Dashboard countdown when deadlines approach.

CSIRT coordination Simultaneous notification to ENISA and your national CSIRT per Article 14.

Hardware & Firmware

Built for Products With Hardware Components

Machines, embedded systems, and IoT devices need more than software SBOMs. CRA Evidence supports the full hardware product lifecycle.

HBOM tracking Hardware Bill of Materials with 15 component types including sensors, actuators, and microcontrollers.

Firmware SBOM analysis Upload an SBOM from your firmware or hardware components and automatically check all embedded software for known CVEs.

CE marking workflow Track conformity assessment with full audit trail. Generate EU Declarations of Conformity.

Physical labeling Digital Product Passports with QR codes for hardware products.

Learn more about CRA compliance for machinery manufacturers

Built for Every CRA Role

Manufacturer, Importer & Distributor Dashboards

The CRA puts different obligations on manufacturers (Art. 13), importers (Art. 19), and distributors (Art. 20). Each role gets its own workspace with the workflows that actually matter to them.

Product & Version Management

Products organized by CRA category: Default, Important Class I/Class II, Critical. Each version tracks its release state, environment, and retention tier.

Full Artifact Pipeline

Upload SBOM, HBOM, and VEX per version. Quality scoring and vulnerability scanning kick in automatically.

Vulnerability & Incident Management

CVE tracking, remediation workflows, ENISA notifications. The security dashboard ranks everything by EPSS score and flags CISA KEV entries.

Technical File Generation

Annex VII export packages everything into a ZIP: machine-readable SBOMs, compliance checklists, attribution reports, and conformity declarations. Ready for automated market surveillance audits.

Customer Notifications

Vulnerability notification system for downstream customers. Multi-language templates with distribution list management.

Trust Badges

Embeddable compliance trust badges for your product pages. Link to public verification of your CRA compliance status.

Conformity Assessment Tracking

Track your assessment route based on product category: self-assessment (Default), internal control (Important Class I), or third-party (Important Class II, Critical).

Digital Product Passports

Generate dynamic, publicly accessible Digital Product Passports for each version. QR codes, JSON-LD, and PDF export — multi-language and machine-readable.

Multi-Language Documents

Generate technical documentation, compliance reports, and Digital Product Passports in 8 EU languages: English, Spanish, German, French, Italian, Polish, Dutch, and Swedish.

Article 19 Verification Workflow

Step-by-step checklist covering what Article 19 requires: CE marking check, Annex II review, importer ID on product, EU DoC collected, final sign-off.

Manufacturer Registry

Keep track of your manufacturers: contacts, EU representatives, CVD/CSAF metadata. Set how often each one needs reverification.

Stop-Ship Decisions

Found a problem? Block the product. Record your justification, notify stakeholders, and report to the authority. Everything is tracked.

Reverification Triggers

New vulnerability found? Major update released? Review date coming up? You'll get an alert to reverify.

Clone Verifications

Reviewing a new version of the same product? Clone the previous verification. Checklist state and manufacturer data carry over.

Verification Dashboard

See where everything stands at a glance: how many products are verified, pending, blocked, or due for reverification.

Article 20 Due Care Checklist

Everything Article 20 asks for, in a checklist: product ID and traceability, CE marking, EU declaration, manufacturer contacts, anomaly detection.

CE Evidence Upload

Upload your CE marking evidence: photos, scans, certificates. File type and size checks are built in, and everything is audit-logged.

Verification Certificates

Generate PDF certificates proving due care compliance. Includes distributor details, scope, date, and unique verification number.

Stop-Ship Actions

Something's wrong? Stop distribution. The justification is recorded, and authorities and manufacturers are notified.

Portfolio View

See all your verifications in one place. Filter by status, product, or completion date to find what needs attention.

Compliance Progress

Visual progress bars per product. You can see at a glance how far along each verification is and what's left.

CI/CD & Automation

Fits into your build pipeline

There's a CLI and a REST API. Upload SBOMs, trigger scans, and gate releases from CI. Works with GitHub Actions, GitLab CI, or anything that can run a shell command.

CLI tool Upload SBOM/HBOM/VEX, scan, check status, manage releases, and compare versions from the terminal.

Severity fail thresholds Fail CI builds when critical or high vulnerabilities are detected. Configurable per pipeline.

Scoped API keys Fine-grained permissions: sbom:read, sbom:write, vuln:read, vuln:write, and more. Rate-limited and audited.

Webhooks Receive events for vulnerability discoveries, ENISA deadline warnings, and other compliance events.

Policy engine Policy-as-code rules for licenses, vulnerability thresholds, quality scores, and blocked components. Scope from global to per-version.

Release approval gates Configurable approval workflows before version releases. Manual gates and automated condition checks.

# Scan a Docker image and upload SBOM
$ docker run --rm \
-e CRA_EVIDENCE_API_KEY="cra_xxx" \
-v /var/run/docker.sock:/var/run/docker.sock \
craevidence/cli:latest \
upload-sbom \
--product my-app \
--version 2.1.0 \
--image my-app:2.1.0 \
--scan --fail-on high

Upload successful!

Product       my-app (created new)
Version       2.1.0 (created new)
Components    142
Quality Score 87%

Vulnerabilities
  Critical    0
  High        0
  Medium      3
  Low         1

GitHub Actions GitLab CI Jenkins Any CI

View full CI/CD integration guide

Integrations

Works with what you already use

Jira

Create issues for vulnerabilities directly

Slack

Real-time vulnerability and deadline alerts

GitHub

Security advisory sync and repo integration

Dependency-Track

Import SBOMs from existing instances

Microsoft Teams

Notifications in your Teams channels

ENISA Deadlines

Automated 24h, 72h, 14d/30d reminders

Supplier Portal

Customer-facing SBOM sharing with access control

Generic Webhook

Send events to any HTTP endpoint

Security & Trust

Built to be trusted with your compliance data

Access Control

Role-Based Access

Owner, Admin, Member, Viewer roles. Scoped API keys with fine-grained permissions.

SSO & MFA

SAML 2.0, Google & Microsoft OAuth, SCIM provisioning. TOTP multi-factor.

Data Protection

Encryption

AES-256 at rest, TLS 1.3 in transit. Argon2id password hashing.

Multi-Tenancy

Complete tenant isolation. Every query enforces organisation boundaries.

Observability

Audit Logging

Full traceability of all actions. Queryable audit trail with CSV export.

Rate Limiting

Sliding window rate limiting on login, API, and upload endpoints.

Compliance

Content Security

Strict CSP headers, CSRF protection, HTML sanitization, and HSTS.

10-Year Retention

Production data retained for 10 years per CRA Article 13. Tier-based retention.

Free Tools

Not sure if the CRA applies to you?

Figure out your obligations before signing up for anything. These tools are free and don't require an account.

CRA Applicability Checker 11-question wizard to determine if the Cyber Resilience Act applies to your product. Covers sector exemptions, connectivity requirements, and product classification.

CRA Role Quiz Find out whether you're a manufacturer, importer, or distributor under the CRA. Different roles have different obligations.

Shareable results Share your assessment results with colleagues or legal teams via unique URL. Available in all 8 European languages.

Try the CRA Applicability Checker Try Free CRA Quiz

No signup required. Takes about 2 minutes.

CRA Evidence Platform