Skip to main content

CLI tool for CI/CD integration with CRA Evidence

Project description

CRA Evidence CLI

CI License: MIT Python 3.12+ Docker pulls

Command-line tools for CRA Evidence workflows and local software supply-chain checks.

craevidence check scans an SBOM and gates CI on known-exploited vulnerabilities

The CLI has two modes:

  • Local commands that run without a CRA Evidence account or API key.
  • Account commands that upload evidence or read release state from CRA Evidence.

This page covers the public command basics. The full reference lives in docs/. Registered CRA Evidence users can also sign in to view the command documentation at https://docs.craevidence.com/cli.

The local checks are review aids and CI gates. They are not an audit, and exit 0 does not prove compliance.

Install

pip install craevidence
pipx install craevidence

pipx is a good fit for command-line tools because it installs the package in an isolated environment.

The installed command is:

craevidence --help

Python 3.12 or newer is required. Docker images and other install options are covered in the installation guide.

Documentation

Page Contents
Local commands check, eol-check, egress-check, secrets-check, config-check, draft, assessment, db, and the offline template scaffold.
Account commands Uploads, scan, status, release lifecycle, distributor, profiles, validation, and verification.
CI/CD integration GitHub Action, GitLab Component, Docker, Jenkins, OpenSSF Scorecard, and complyctl.
Installation PyPI, Docker, container registries, and from source.
Troubleshooting Common errors and fixes.

Local Check

craevidence check scans a directory, container image, or existing SBOM and reports known vulnerability signals that can block CI when a threshold is met. It does not require an account and does not upload your project to CRA Evidence.

craevidence check .
craevidence check --image ghcr.io/acme/app:1.4.2
craevidence check --sbom sbom.cdx.json
craevidence check . --fail-on known-exploited

By default, check uses network data sources. It uses Grype when installed and working, falls back to OSV.dev when Grype is absent or fails, and consults CISA KEV plus FIRST EPSS for enrichment. For a network-restricted run, provide an SBOM with --sbom and run where Grype has a local database; CISA KEV and FIRST EPSS enrichment are reported as unavailable if they cannot be reached.

Verbose output includes a section named What this local snapshot cannot tell you. The JSON output keeps the same review context in machine-readable form.

Free Commands

These commands do not need CRA_EVIDENCE_API_KEY:

Command Purpose
check Scan a directory, image, or SBOM and gate CI with --fail-on.
eol-check Flag end-of-life and support status from local SBOM components.
egress-check Inventory external interfaces and data-egress indicators.
secrets-check Scan the working tree for candidate hard-coded secrets.
config-check Audit Dockerfile, Terraform, and Kubernetes files for insecure defaults.
draft Scaffold VEX, security.txt, advisory, risk-assessment, and threat-model drafts for review.
compliance-as-code template --offline Create starter YAML from local input without an API key.
assessment Scaffold an Annex I applicability matrix and gate CI on structured gaps.
db update / db status Manage and inspect the local Grype vulnerability database cache.

CI Examples

GitHub Actions:

jobs:
  cra-check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: pipx install craevidence
      - run: craevidence check . --fail-on known-exploited

GitLab CI:

cra-check:
  image: python:3.12-slim
  script:
    - pip install craevidence
    - craevidence check . --fail-on known-exploited

Account Commands

Commands that upload evidence or read CRA Evidence release state need an API key:

export CRA_EVIDENCE_API_KEY=...
craevidence upload-sbom --product my-product --version 1.0.0 --file sbom.cdx.json
craevidence status --product my-product --version 1.0.0

The default API URL is:

https://api.craevidence.com

You can override it with:

export CRA_EVIDENCE_URL=https://api.craevidence.com

Environment Variables

Variable Purpose
CRA_EVIDENCE_API_KEY API key for account commands.
CRA_EVIDENCE_URL CRA Evidence API URL. Defaults to https://api.craevidence.com.
CRA_EVIDENCE_ORG Default organization slug.
CRA_EVIDENCE_PRODUCT Default product slug for upload commands.
CRA_EVIDENCE_VERSION Default product version for upload commands.
CRA_EVIDENCE_COMPONENT Default component slug for component-aware uploads.
CRA_EVIDENCE_COMPONENT_VERSION Default component release version.
CRA_EVIDENCE_TIMEOUT HTTP request timeout in seconds for account commands. Defaults to 60.
CRA_NO_WARN Set to any value to suppress API URL configuration warnings.

Credentials can also be stored in ~/.cra-evidence/config.yaml. Keep that file private, for example with chmod 600 ~/.cra-evidence/config.yaml.

Exit Codes

Code Meaning
0 Success. For local gates, no configured blocking finding was present in this local snapshot.
1 General error.
2 Authentication error.
3 API error.
4 Validation error.
5 File not found.
6 Configuration error.
7 security.txt validation failed.
10 Critical vulnerabilities found.
11 High vulnerabilities found.
12 Medium vulnerabilities found.
13 Low vulnerabilities found.
14 SBOM quality score below the configured threshold.
15 Local scan engine unavailable.
16 License policy threshold exceeded.
17 Known-exploited vulnerabilities found.
18 Candidate secrets found.
19 Insecure-default config findings found.
20 CRA status is not ready when a status gate is enabled.
21 Structured evidence mapping was required but was not populated.
22 SBOM signature trust was required but verification was not trusted.
23 SBOM signing failed or no Sigstore OIDC identity was available.
24 CRA legal floor is met but the configured release policy is not.
25 Mandatory Annex I requirement is not addressed.
26 Annex I Part I(2) requirement is marked not-applicable without a justification.

Exit 0 != compliance. Local output is a snapshot for review and CI policy, not a legal conclusion.

Data Sources

Source Use
FIRST EPSS Exploit-probability enrichment.
CISA KEV Known-exploited vulnerability enrichment.
OSV.dev Open source vulnerability data when the OSV path is used.
Anchore Grype Local vulnerability matching when installed.
Anchore Syft SBOM generation from directories and images when installed or included in the Docker image.
endoflife.date End-of-life and support-cycle data for eol-check.

Support

License

MIT License. See the package license file for details.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

craevidence-3.6.0.tar.gz (284.5 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

craevidence-3.6.0-py3-none-any.whl (228.8 kB view details)

Uploaded Python 3

File details

Details for the file craevidence-3.6.0.tar.gz.

File metadata

  • Download URL: craevidence-3.6.0.tar.gz
  • Upload date:
  • Size: 284.5 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for craevidence-3.6.0.tar.gz
Algorithm Hash digest
SHA256 6f0b583a249f549d914b5d255bd5330e7ffd08faccba8be3ab90afd0f37bbd27
MD5 af90e47e721f414dd4942a8f297b60d4
BLAKE2b-256 f16949d6d17c92da5a78ed739c850f839c70455cef0976cbf52cf3555bf6be63

See more details on using hashes here.

Provenance

The following attestation bundles were made for craevidence-3.6.0.tar.gz:

Publisher: ci.yml on craevidence/cli

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file craevidence-3.6.0-py3-none-any.whl.

File metadata

  • Download URL: craevidence-3.6.0-py3-none-any.whl
  • Upload date:
  • Size: 228.8 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for craevidence-3.6.0-py3-none-any.whl
Algorithm Hash digest
SHA256 b1713c361e0d0c20ca6488bda3ba7eee2e634209472abcaa588dda54242cbc07
MD5 94c04f64255c7ed4d6078a52c01a954b
BLAKE2b-256 8e65d263c39e9b22159a027a2862993c4b90182e4907a348e6c3858930b8d0a3

See more details on using hashes here.

Provenance

The following attestation bundles were made for craevidence-3.6.0-py3-none-any.whl:

Publisher: ci.yml on craevidence/cli

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page