Open-source CRA scanner, check if the EU Cyber Resilience Act hits your software

github.com · complaro · 13 days ago
# cra-scanner

Open source CLI tool for assessing EU Cyber Resilience Act (CRA) compliance readiness from SBOMs and project signals.

[![PyPI version](https://badge.fury.io/py/cra-scanner.svg)](https://pypi.org/project/cra-scanner/) [![License: MIT](https://img.shields.io/badge/License-MIT-green.svg)](https://opensource.org/licenses/MIT)

## Installation

```bash
pip install cra-scanner
```

## Quick Start

Scan a project directory:

```bash
cra-scanner scan .
```

Scan with an explicit SBOM:

```bash
cra-scanner scan . --sbom path/to/bom.json
```

Output as JSON:

```bash
cra-scanner scan . --format json --output report.json
```

Fail if the score is below a threshold (useful in CI/CD):

```bash
cra-scanner scan . --min-score 50
```

## CRA Readiness Score

The scanner returns a score from 0-100 based on:

| Dimension | Points | What it checks |
|-----------|--------|----------------|
| **SBOM** | 40 | Presence, coverage, version completeness |
| **Vulnerabilities** | 30 | Known vulnerability exposure (placeholder in v0.1) |
| **Practices** | 30 | SECURITY.md, Dependabot, documentation |

The score is a directional indicator, not legal advice. Note that in v0.1 the Vulnerabilities dimension is a placeholder, so up to 30 of the 100 points do not yet reflect actual known-vulnerability exposure; until vulnerability matching lands (see Roadmap), read the score as a measure of SBOM quality and project hygiene.

## SBOM Format Support

- CycloneDX JSON and XML
- SPDX JSON and tag-value

SBOMs are auto-discovered in your project directory, or you can specify one with `--sbom`.

## GitHub Action

Use cra-scanner in your CI/CD pipeline:

```yaml
name: CRA Compliance Check
on: [push, pull_request]
jobs:
  cra-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run CRA Scanner
        uses: complaro/cra-scanner/action@main
        with:
          min-score: 40
```

`@main` tracks the action's default branch; for a reproducible pipeline, pin `uses:` to a release tag or a full commit SHA instead.

See [action/README.md](action/README.md) for full documentation.
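To make the SBOM and Practices dimensions concrete, here is an added example scorer in Python. It is not cra-scanner's own code and does not reproduce its scoring rules: the README only gives the 40/30/30 split, so the per-signal point values (`SBOM_PRESENCE_POINTS`, `SBOM_COVERAGE_POINTS`, `SBOM_VERSION_POINTS`, `PRACTICE_SIGNALS`), the choice to treat "coverage" as the fraction of components carrying a package URL, and the assumption that the v0.1 vulnerability placeholder contributes 0 points are all this example's own. The two SBOMs are constructed inline and describe no real project. The example normalises CycloneDX JSON and SPDX JSON to one record shape (including SPDX's `NOASSERTION` version marker), scores the SBOM and hygiene signals, and mirrors a `--min-score` CI gate as an exit code.

```python
"""Toy CRA-readiness scorer over CycloneDX / SPDX JSON SBOMs (added example, not cra-scanner's code)."""
from __future__ import annotations

import json

# Constructed sample SBOMs for the demo; they describe no real project.
CYCLONEDX_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
        {"type": "library", "name": "urllib3", "version": "2.2.1",
         "purl": "pkg:pypi/urllib3@2.2.1"},
        # A vendored blob with no version and no purl: cannot be matched to a CVE feed later.
        {"type": "library", "name": "vendored-blob"},
    ],
})

SPDX_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "packages": [
        {"name": "flask", "versionInfo": "3.0.2",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:pypi/flask@3.0.2"}]},
        # SPDX producers emit NOASSERTION when they could not determine the version.
        {"name": "jinja2", "versionInfo": "NOASSERTION"},
    ],
})

# Hypothetical rubric assumed for this example: the README only fixes the 40/30/30 split.
SBOM_PRESENCE_POINTS = 10
SBOM_COVERAGE_POINTS = 15   # fraction of components carrying a package URL (purl)
SBOM_VERSION_POINTS = 15    # fraction of components with a concrete version
PRACTICE_SIGNALS = {"SECURITY.md": 10, ".github/dependabot.yml": 10, "README.md": 10}


def parse_sbom(text: str) -> list[dict]:
    """Detect CycloneDX vs SPDX JSON and normalise each entry to {name, version, purl}."""
    doc = json.loads(text)
    items: list[dict] = []
    if doc.get("bomFormat") == "CycloneDX":
        for comp in doc.get("components", []):
            items.append({"name": comp.get("name"), "version": comp.get("version") or None,
                          "purl": comp.get("purl")})
    elif "spdxVersion" in doc:
        for pkg in doc.get("packages", []):
            purl = next((ref.get("referenceLocator") for ref in pkg.get("externalRefs", [])
                         if ref.get("referenceType") == "purl"), None)
            version = pkg.get("versionInfo")
            if version in (None, "", "NOASSERTION"):
                version = None
            items.append({"name": pkg.get("name"), "version": version, "purl": purl})
    else:
        raise ValueError("unrecognised SBOM format (expected CycloneDX or SPDX JSON)")
    return items


def score_sbom(items: list[dict]) -> int:
    """0-40: presence, then integer-floored fractions for purl coverage and version completeness."""
    if not items:
        return 0
    with_purl = sum(1 for i in items if i["purl"])
    with_version = sum(1 for i in items if i["version"])
    return (SBOM_PRESENCE_POINTS
            + SBOM_COVERAGE_POINTS * with_purl // len(items)
            + SBOM_VERSION_POINTS * with_version // len(items))


def score_practices(project_files: set[str]) -> int:
    """0-30: one fixed bonus per hygiene file present (paths relative to the project root)."""
    return sum(pts for path, pts in PRACTICE_SIGNALS.items() if path in project_files)


def readiness_score(sbom_text: str | None, project_files: set[str]) -> dict:
    """Combine the dimensions. The vulnerability dimension is a placeholder in v0.1 per the
    README; this example assumes it contributes 0, so the ceiling here is 70."""
    items = parse_sbom(sbom_text) if sbom_text else []
    sbom_pts, practice_pts, vuln_pts = score_sbom(items), score_practices(project_files), 0
    return {"sbom": sbom_pts, "vulnerabilities": vuln_pts, "practices": practice_pts,
            "total": sbom_pts + vuln_pts + practice_pts}


def ci_exit_code(report: dict, min_score: int) -> int:
    """Mirror a --min-score gate: non-zero when the total is below the threshold."""
    return 0 if report["total"] >= min_score else 1


if __name__ == "__main__":
    files = {"README.md", "SECURITY.md", ".github/dependabot.yml", "src/app.py"}
    report = readiness_score(CYCLONEDX_SBOM, files)
    print(json.dumps(report, indent=2))
    raise SystemExit(ci_exit_code(report, min_score=50))
```

With the constructed CycloneDX SBOM and all three hygiene files present, the SBOM dimension scores 30 (one of three components has neither version nor purl) and the practices dimension 30, so the total of 60 passes a `min_score` of 50 but would fail 70. The vendored, versionless component is the case worth noticing: it is exactly the entry that future vulnerability matching cannot resolve, so a version-completeness check catches the gap before any CVE feed is consulted.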
## Roadmap

- [ ] Vulnerability matching against NVD, OSV.dev, and CISA KEV
- [ ] Version range comparison (semver, PEP 440, CPE)
- [ ] SARIF output for GitHub/GitLab code scanning
- [ ] CycloneDX VEX output
- [ ] Auto-SBOM generation from package managers

## License

MIT - see [LICENSE](LICENSE)

## Links

- [PyPI](https://pypi.org/project/cra-scanner/)
- [Complaro](https://www.complaro.com/)
- [EU Cyber Resilience Act](https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act)