Open-source CRA Readiness Scanner CLI for assessing EU Cyber Resilience Act readiness from SBOMs and project signals.

cra-scanner

Open source CLI tool for assessing EU Cyber Resilience Act (CRA) compliance readiness from SBOMs and project signals.

cra-scanner is developed by Complaro, an open source CRA compliance platform. The CLI is fully functional as a standalone tool under the MIT license. Complaro offers a hosted platform for teams that need continuous monitoring, ENISA reporting, and collaboration features.

Installation

pip install cra-scanner

Quick Start

Scan a project directory:

cra-scanner scan .

Scan with an explicit SBOM:

cra-scanner scan . --sbom path/to/bom.json

Output as JSON:

cra-scanner scan . --format json --output report.json

Fail if score is below a threshold (useful in CI/CD):

cra-scanner scan . --min-score 50

Disable live vulnerability scanning (offline/fast mode):

cra-scanner scan . --no-vuln-scan

Provide a GitHub token for higher advisory API rate limits:

cra-scanner scan . --github-token $GITHUB_TOKEN

CRA Readiness Score

The scanner returns a score from 0 to 100, made up of three weighted dimensions:

Dimension        Points   What it checks
SBOM             40       Presence, coverage, version completeness
Vulnerabilities  30       Known vulnerability exposure via OSV.dev, GitHub Advisories, CISA KEV
Practices        30       SECURITY.md, Dependabot, documentation

The score is a directional indicator, not legal advice.

Vulnerability Scanning

cra-scanner queries real vulnerability databases for each component in your SBOM:

  • OSV.dev (primary) — precise purl and ecosystem matching for npm, PyPI, Maven, Go, Cargo, and more
  • GitHub Advisory Database (fallback) — ecosystem-specific advisory lookups
  • CISA KEV (cross-reference) — flags actively exploited vulnerabilities that may trigger CRA 24-hour reporting obligations

Version range matching uses ecosystem-aware comparison:

  • Semver for npm, Cargo, Go
  • PEP 440 for Python/PyPI
  • Explicit version lists when provided by the advisory

Each finding includes a confidence tier (high/medium/low) based on match precision.
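As an added illustration, not code from cra-scanner itself, of the ecosystem-aware matching and confidence tiers described above: components from a constructed CycloneDX JSON SBOM are matched against constructed OSV-style advisories (placeholder IDs), using a simplified numeric comparison for semver and PEP 440 release versions and an assumed tier rule (high for an explicit version-list hit, medium for a range hit, low when the component carries no version to compare).

```python
import json
import re

# Constructed CycloneDX JSON SBOM (sample data, not a real project's SBOM).
SBOM = json.loads("""{"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
  {"name": "lodash", "version": "4.17.20", "purl": "pkg:npm/lodash@4.17.20"},
  {"name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"},
  {"name": "left-pad", "purl": "pkg:npm/left-pad"}]}""")
# Constructed OSV-style advisories; the IDs are placeholders, not real advisories.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "affected": [{"package": {"ecosystem": "npm", "name": "lodash"},
        "ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}, {"fixed": "4.17.21"}]}]}]},
    {"id": "EXAMPLE-0002", "affected": [{"package": {"ecosystem": "PyPI", "name": "requests"},
        "versions": ["2.30.0", "2.31.0"]}]},
    {"id": "EXAMPLE-0003", "affected": [{"package": {"ecosystem": "npm", "name": "left-pad"},
        "ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}, {"fixed": "1.3.0"}]}]}]},
]

def version_key(v):
    """Simplified semver/PEP 440 key: numeric release tuple; a pre-release suffix sorts lower."""
    m = re.match(r"(\d+(?:\.\d+)*)(.*)", v)
    return tuple(int(p) for p in m.group(1).split(".")), 0 if m.group(2) else 1

def in_range(version, events):
    """Walk OSV introduced/fixed events in order; affected while inside an open span."""
    key, affected = version_key(version), False
    for ev in events:
        if "introduced" in ev and version_key(ev["introduced"]) <= key:
            affected = True
        if "fixed" in ev and version_key(ev["fixed"]) <= key:
            affected = False
    return affected

def match(component, advisory):
    """(advisory id, tier) or None; assumed tiers: high=explicit version hit, medium=range hit, low=no version."""
    m = re.match(r"pkg:([^/]+)/([^@]+)", component["purl"])  # purl -> ecosystem, name
    eco, name = {"npm": "npm", "pypi": "PyPI"}.get(m.group(1), m.group(1)), m.group(2)
    for aff in advisory["affected"]:
        if (aff["package"]["ecosystem"], aff["package"]["name"]) != (eco, name):
            continue
        ver = component.get("version")
        if ver is None:
            return advisory["id"], "low"
        if ver in aff.get("versions", []):
            return advisory["id"], "high"
        if any(in_range(ver, r["events"]) for r in aff.get("ranges", []) if r["type"] != "GIT"):
            return advisory["id"], "medium"
    return None
def scan(sbom, advisories):  # every (component name, advisory id, tier) hit for the SBOM
    return [(c["name"], *h) for c in sbom["components"] for a in advisories if (h := match(c, a))]
```

A version-less component is the weak spot of SBOM-based scanning: the name matches an advisory but nothing can be compared, which is why the hit is reported at low confidence rather than dropped.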

SBOM Format Support

  • CycloneDX JSON and XML
  • SPDX JSON and tag-value

SBOMs are auto-discovered in your project directory, or you can specify one with --sbom.

GitHub Action

Use cra-scanner in your CI/CD pipeline:

name: CRA Compliance Check
on: [push, pull_request]

jobs:
  cra-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run CRA Scanner
        uses: complaro/cra-scanner/action@main
        with:
          min-score: 40

See action/README.md for full documentation.

Roadmap

  • SBOM parsing (CycloneDX, SPDX)
  • CRA readiness scoring
  • Vulnerability matching against OSV.dev, GitHub Advisories, CISA KEV
  • Version range comparison (semver, PEP 440)
  • GitHub Action for CI/CD
  • SARIF output for GitHub/GitLab code scanning
  • CycloneDX VEX output
  • Auto-SBOM generation from package managers
  • CPE matching for NVD lookups

Complaro Platform

cra-scanner is a free, open source tool that runs locally. For teams managing multiple products, Complaro provides:

  • Continuous vulnerability monitoring across all products
  • ENISA report generation (24h, 72h, 14-day)
  • Slack and Jira integrations
  • CRA classification wizard
  • Team collaboration and audit trail

Free for 1 product at complaro.com.

License

MIT - see LICENSE

Download files

Source Distribution

cra_scanner-0.3.0.tar.gz (24.3 kB)

Built Distribution

cra_scanner-0.3.0-py3-none-any.whl (24.4 kB)

File details

Details for the file cra_scanner-0.3.0.tar.gz.

File metadata

  • Download URL: cra_scanner-0.3.0.tar.gz
  • Size: 24.3 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.14.3

File hashes

Hashes for cra_scanner-0.3.0.tar.gz
Algorithm Hash digest
SHA256 145dfde823d7e7fca257772d6b856e45d17e395aa79dcf6ee0bf73466b2e96cb
MD5 2458db81134a944725ff008518b90bcd
BLAKE2b-256 9d1cdd3fc04d689ba9e363d36bdbf48163e704ee0c2cec11644daf74472443fb

File details

Details for the file cra_scanner-0.3.0-py3-none-any.whl.

File metadata

  • Download URL: cra_scanner-0.3.0-py3-none-any.whl
  • Size: 24.4 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.14.3

File hashes

Hashes for cra_scanner-0.3.0-py3-none-any.whl
Algorithm Hash digest
SHA256 2a4d567a5119267c38400fa981f782a26ea803e211c345b6716a54fe551e6391
MD5 068e41caba3ba52412c2a2625b7738c8
BLAKE2b-256 31a80dadaa42edeb0cbfd1a62b38c98880d80a9428eaa81351ab9a771bbc9e4e
