Open-source CRA Readiness Scanner CLI for assessing EU Cyber Resilience Act readiness from SBOMs and project signals.
cra-scanner
Open source CLI tool for assessing EU Cyber Resilience Act (CRA) compliance readiness from SBOMs and project signals.
Installation
pip install cra-scanner
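Neither 0.2.0 file listed further down this page was uploaded with Trusted Publishing, so the published SHA256 digests are the thing to pin before installing (the MD5 column is there for legacy tooling only and is not a trust anchor). The following is an added example, not cra-scanner's own code: it downloads the exact wheel, checks it against the digests copied from the File hashes tables on this page, and installs only on a match. The function names, the dist directory and the use of pip download with --no-deps are assumptions for illustration.

```python
"""Added example, not part of cra-scanner: pin the 0.2.0 artefacts to the SHA256
digests published on the PyPI page and refuse to install anything that differs.
The digests are copied from the page's "File hashes" tables; the function names
and the dist directory are assumptions for illustration."""
import hashlib
import hmac
import subprocess
import sys
from pathlib import Path

VERSION = "0.2.0"

# SHA256 digests copied from the page's File details sections for 0.2.0.
PUBLISHED_SHA256 = {
    "cra_scanner-0.2.0.tar.gz":
        "beabe14375e1759fd2fdb3c548886a390bbad54023a912e1af59fdb0bedd72c0",
    "cra_scanner-0.2.0-py3-none-any.whl":
        "11dfc3ab9f5c4038fa76fe1f37f18e16b6dc3404619313f138870d7cc467ecd9",
}


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so a large artefact need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_artifact(path: Path, published: dict = PUBLISHED_SHA256) -> bool:
    """True only when the file's digest equals the one published for its file name.
    A name with no published digest fails too: a renamed or extra file is untrusted."""
    expected = published.get(path.name)
    if expected is None:
        return False
    # constant-time comparison is the standard habit for digest checks
    return hmac.compare_digest(sha256_of(path), expected)


def verify_dist_dir(dist: Path, published: dict = PUBLISHED_SHA256) -> dict:
    """Map every regular file in the directory to its verification result."""
    return {p.name: verify_artifact(p, published)
            for p in sorted(dist.iterdir()) if p.is_file()}


def install_verified(dist: Path = Path("dist")) -> None:
    """Download only the exact wheel (no dependency resolution), verify it, then install."""
    dist.mkdir(exist_ok=True)
    subprocess.run(
        [sys.executable, "-m", "pip", "download", "--no-deps", "--only-binary=:all:",
         "--dest", str(dist), f"cra-scanner=={VERSION}"],
        check=True,
    )
    results = verify_dist_dir(dist)
    bad = [name for name, ok in results.items() if not ok]
    if bad:
        sys.exit(f"refusing to install; digest mismatch or unknown file: {bad}")
    wheel = dist / f"cra_scanner-{VERSION}-py3-none-any.whl"
    subprocess.run([sys.executable, "-m", "pip", "install", str(wheel)], check=True)


if __name__ == "__main__":
    install_verified()
```

The final pip install still resolves cra-scanner's own dependencies from the index without this check; to extend the pinning to the whole tree, generate a requirements file with pip-compile --generate-hashes and install it with pip install --require-hashes.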
Quick Start
Scan a project directory:
cra-scanner scan .
Scan with an explicit SBOM:
cra-scanner scan . --sbom path/to/bom.json
Output as JSON:
cra-scanner scan . --format json --output report.json
Fail if the score is below a threshold (useful in CI/CD):
cra-scanner scan . --min-score 50
CRA Readiness Score
The scanner returns a score from 0 to 100 made up of three dimensions:
| Dimension | Points | What it checks |
|---|---|---|
| SBOM | 40 | Presence, coverage, version completeness |
| Vulnerabilities | 30 | Known vulnerability exposure (placeholder in v0.1) |
| Practices | 30 | SECURITY.md, Dependabot, documentation |
The score is a directional indicator, not legal advice.
SBOM Format Support
- CycloneDX JSON and XML
- SPDX JSON and tag-value
SBOMs are auto-discovered in your project directory, or you can specify one with --sbom.
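To make the SBOM dimension of the readiness score and the four supported formats concrete, here is an added example that is not cra-scanner's own code: it recognises CycloneDX JSON/XML and SPDX JSON/tag-value from their content, extracts (name, version) pairs, and turns presence plus version completeness into a number capped at the 40 points the table assigns to SBOMs. The scoring rule (10 points for presence, the remaining 30 scaled by the share of versioned components) is an assumption for illustration; the project's real weighting and its "coverage" check are not documented on this page. The sample SBOMs are constructed.

```python
"""Added example (not cra-scanner's code): detect the SBOM formats the page lists,
pull out (name, version) pairs, and compute an illustrative version-completeness
score capped at the 40 points the SBOM dimension carries. The scoring rule is an
assumption; the project's real weighting is not documented on the page."""
import json
import xml.etree.ElementTree as ET
from typing import Optional

SBOM_MAX_POINTS = 40  # the SBOM dimension's weight from the page's table

# Constructed sample inputs, not real project SBOMs.
CYCLONEDX_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0"},
        {"type": "library", "name": "urllib3", "version": "2.2.1"},
        {"type": "library", "name": "left-pad"},  # version missing on purpose
    ],
})
CYCLONEDX_XML = ('<bom xmlns="http://cyclonedx.org/schema/bom/1.5" version="1">'
                 '<components><component type="library"><name>lodash</name>'
                 '<version>4.17.21</version></component></components></bom>')
SPDX_JSON = json.dumps({"spdxVersion": "SPDX-2.3",
                        "packages": [{"name": "numpy", "versionInfo": "1.26.4"}]})
SPDX_TAGVALUE = """SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0
PackageName: flask
PackageVersion: 3.0.0
PackageName: jinja2
"""


def detect_format(text: str) -> str:
    """Return cyclonedx-json, cyclonedx-xml, spdx-json, spdx-tagvalue, or unknown."""
    stripped = text.lstrip()
    if stripped.startswith("{"):
        try:
            doc = json.loads(text)
        except json.JSONDecodeError:
            return "unknown"
        if not isinstance(doc, dict):
            return "unknown"
        if doc.get("bomFormat") == "CycloneDX":
            return "cyclonedx-json"
        if "spdxVersion" in doc:
            return "spdx-json"
        return "unknown"
    if stripped.startswith("<"):
        try:
            root = ET.fromstring(text)
        except ET.ParseError:
            return "unknown"
        # CycloneDX XML has a <bom> root in a cyclonedx.org namespace
        if root.tag.split("}")[-1] == "bom" and "cyclonedx" in root.tag:
            return "cyclonedx-xml"
        return "unknown"
    if any(line.startswith("SPDXVersion:") for line in stripped.splitlines()):
        return "spdx-tagvalue"
    return "unknown"


def components(text: str) -> list:
    """(name, version) for each component/package; version is None when absent."""
    fmt = detect_format(text)
    if fmt == "cyclonedx-json":
        doc = json.loads(text)
        return [(c.get("name", ""), c.get("version")) for c in doc.get("components", [])]
    if fmt == "cyclonedx-xml":
        root = ET.fromstring(text)
        ns = root.tag.split("}")[0] + "}"  # e.g. "{http://cyclonedx.org/schema/bom/1.5}"
        return [(c.findtext(ns + "name", default=""), c.findtext(ns + "version"))
                for c in root.iter(ns + "component")]
    if fmt == "spdx-json":
        doc = json.loads(text)
        return [(p.get("name", ""), p.get("versionInfo")) for p in doc.get("packages", [])]
    if fmt == "spdx-tagvalue":
        out, name, version = [], None, None
        for line in text.splitlines():
            if line.startswith("PackageName:"):
                if name is not None:          # flush the previous package
                    out.append((name, version))
                name, version = line.split(":", 1)[1].strip(), None
            elif line.startswith("PackageVersion:"):
                version = line.split(":", 1)[1].strip() or None
        if name is not None:
            out.append((name, version))
        return out
    raise ValueError("unrecognised SBOM format")


def sbom_points(text: str) -> int:
    """Illustrative rule (assumption): 10 points for an SBOM with at least one
    component, plus up to 30 scaled by the share of components that carry a version."""
    comps = components(text)
    if not comps:
        return 0
    versioned = sum(1 for _, v in comps if v)
    return min(SBOM_MAX_POINTS, 10 + round(30 * versioned / len(comps)))
```

Detection is by content rather than file extension, which is what an auto-discovery step needs when a bom.json could be either CycloneDX or SPDX; a document that parses but matches none of the four markers is reported as unknown rather than guessed.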
GitHub Action
Use cra-scanner in your CI/CD pipeline:
```yaml
name: CRA Compliance Check
on: [push, pull_request]
jobs:
  cra-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run CRA Scanner
        uses: complaro/cra-scanner/action@main
        with:
          min-score: 40
```
See action/README.md for full documentation. Note that the workflow above references the action at the mutable main ref; to make the pipeline reproducible and keep a later change to the action from silently altering what runs against your code, pin uses: to a release tag or a full commit SHA instead.
Roadmap
- Vulnerability matching against NVD, OSV.dev, and CISA KEV
- Version range comparison (semver, PEP 440, CPE)
- SARIF output for GitHub/GitLab code scanning
- CycloneDX VEX output
- Auto-SBOM generation from package managers
License
MIT - see LICENSE
Download files
File details
Details for the file cra_scanner-0.2.0.tar.gz.
File metadata
- Download URL: cra_scanner-0.2.0.tar.gz
- Upload date:
- Size: 8.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.3
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | beabe14375e1759fd2fdb3c548886a390bbad54023a912e1af59fdb0bedd72c0 |
| MD5 | 996e06ab1c70edaeccf363255d7926db |
| BLAKE2b-256 | ee6b6eb6064a9c6329e5a9c6dfcd3e5bcbac71f8748c456cdbd0c8a4cc4addac |
File details
Details for the file cra_scanner-0.2.0-py3-none-any.whl.
File metadata
- Download URL: cra_scanner-0.2.0-py3-none-any.whl
- Upload date:
- Size: 9.6 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.3
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 11dfc3ab9f5c4038fa76fe1f37f18e16b6dc3404619313f138870d7cc467ecd9 |
| MD5 | f96d40e026549543cd996509e00ff6bf |
| BLAKE2b-256 | 8003d7638c17a658083855ccea1ca3ff8f3169d51d82c6880641cc55f9528121 |