Free & Open Source (MIT License)

CRA Readiness Assessment in 60 Seconds

cra-scanner is a free CLI tool that scans your project for CRA compliance readiness. It parses SBOMs, matches vulnerabilities against real databases, and scores your readiness across three dimensions.

$ pip install cra-scanner

What cra-scanner Checks

SBOM Quality (40 points)

Auto-discovers CycloneDX and SPDX SBOMs in your repository. Scores based on presence, component count, version completeness, and package URL (purl) coverage.
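As an added example (this is not cra-scanner's own code, and the weights, thresholds and file-name patterns are assumptions for illustration), here is how the four SBOM quality signals named above can be computed from a CycloneDX or SPDX JSON document. It goes slightly beyond the text by handling both formats: CycloneDX keeps `version` and `purl` on each component, while SPDX stores the version in `versionInfo` and the purl in an `externalRefs` entry of type `purl`. The two sample documents are constructed inline so the block runs offline.

```python
"""Added example, not cra-scanner's code: compute SBOM quality signals
(presence, component count, version completeness, purl coverage) from a
CycloneDX or SPDX JSON document and turn them into an assumed 40-point score."""
import json
from pathlib import Path

MAX_POINTS = 40       # the page's weight for the SBOM Quality dimension
MIN_COMPONENTS = 5    # assumed threshold for a "non-trivial" component count
# Assumed file-name patterns for auto-discovery (not the tool's real list).
SBOM_GLOBS = ("bom.json", "*.cdx.json", "sbom.json", "*.spdx.json")

# Constructed CycloneDX 1.5 SBOM: one component lacks a version, one lacks a purl.
SAMPLE_CYCLONEDX = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21"},
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core"},   # no version
        {"type": "library", "name": "left-pad", "version": "1.3.0"},  # no purl
    ],
})

# Constructed SPDX 2.3 SBOM: one well-described package, one bare vendored package.
SAMPLE_SPDX = json.dumps({
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "example",
    "packages": [
        {"name": "express", "SPDXID": "SPDXRef-Package-express", "versionInfo": "4.19.2",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:npm/express@4.19.2"}]},
        {"name": "vendored-lib", "SPDXID": "SPDXRef-Package-vendored"},
    ],
})


def discover_sboms(root="."):
    """Return candidate SBOM files below root (assumed patterns), sorted."""
    found = {p for pattern in SBOM_GLOBS for p in Path(root).rglob(pattern)}
    return sorted(found)


def _components(bom):
    """Yield (version, purl) pairs for either SBOM format."""
    if bom.get("bomFormat") == "CycloneDX":
        for c in bom.get("components", []):
            yield c.get("version"), c.get("purl")
    elif bom.get("spdxVersion"):
        for p in bom.get("packages", []):
            purl = next((r.get("referenceLocator") for r in p.get("externalRefs", [])
                         if r.get("referenceType") == "purl"), None)
            yield p.get("versionInfo"), purl
    else:
        raise ValueError("unrecognised SBOM format (expected CycloneDX or SPDX JSON)")


def sbom_metrics(document):
    """Parse an SBOM JSON string and return the raw quality signals."""
    comps = list(_components(json.loads(document)))
    n = len(comps)
    return {
        "present": True,
        "component_count": n,
        "version_completeness": sum(1 for v, _ in comps if v) / n if n else 0.0,
        "purl_coverage": sum(1 for _, p in comps if p) / n if n else 0.0,
    }


def sbom_score(metrics):
    """Assumed weighting: 10 for presence, up to 10 for component count,
    10 x version completeness, 10 x purl coverage, capped at MAX_POINTS."""
    if not metrics["present"]:
        return 0
    n = metrics["component_count"]
    score = 10 + (10 if n >= MIN_COMPONENTS else (5 if n else 0))
    score += round(10 * metrics["version_completeness"])
    score += round(10 * metrics["purl_coverage"])
    return min(score, MAX_POINTS)


if __name__ == "__main__":
    for label, doc in (("CycloneDX", SAMPLE_CYCLONEDX), ("SPDX", SAMPLE_SPDX)):
        m = sbom_metrics(doc)
        print(f"{label}: {m} -> {sbom_score(m)}/{MAX_POINTS}")
```

Missing versions are the signal to fix first: a component without a version cannot be matched against any advisory range, so it silently drops out of the vulnerability dimension as well.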

Vulnerability Exposure (30 points)

Matches every SBOM component against OSV.dev, GitHub Security Advisories, and CISA KEV. Affected version ranges are evaluated with ecosystem-aware comparison (semver, PEP 440) rather than plain string comparison, which avoids the spurious and missed matches that naive comparison produces ("4.17.9" sorts after "4.17.12" as a string). A match means the component's version falls inside an advisory's affected range; it does not by itself prove the vulnerable code is reachable in your product.

Security Practices (30 points)

Checks for SECURITY.md, Dependabot/Renovate configuration, a vulnerability disclosure policy, and documentation. These map to the vulnerability-handling requirements of CRA Annex I, Part II, which include a coordinated vulnerability disclosure policy and timely security updates for dependencies.

Real Vulnerability Data

cra-scanner queries real vulnerability databases for each component in your SBOM. No cached data, no synthetic scores.

OSV.dev (primary source)

Precise purl and ecosystem matching for npm, PyPI, Maven, Go, Cargo, and more. OSV publishes affected version ranges already resolved per ecosystem, so matches do not depend on fuzzy name lookups, which reduces false positives.

GitHub Security Advisories (fallback)

Ecosystem-specific advisory lookups. Supplements OSV.dev coverage for packages not yet indexed there.

CISA KEV (cross-reference)

Flags vulnerabilities that CISA has observed being exploited in the wild. CRA Article 14 obliges manufacturers to notify ENISA of actively exploited vulnerabilities in their products (early warning within 24 hours of becoming aware of them), so a KEV hit on a shipped component is the finding to triage first. The obligation attaches to exploitation that affects your product, not to every KEV entry that matches a dependency, so confirm the component is actually used before treating a hit as reportable.
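To make the matching pipeline described above concrete (OSV purl lookup, ecosystem-aware range evaluation, KEV cross-reference), here is an added example. It is not cra-scanner's code: the advisory records are constructed in the shape of the OSV schema with simplified, illustrative version ranges rather than the real advisory data, the component list and KEV subset are constructed too, and `version_key` is a deliberately small stand-in for a real PEP 440/semver library. The naive string comparison is kept alongside it to show exactly which findings a non-ecosystem-aware scanner would miss.

```python
"""Added example, not cra-scanner's code: match SBOM components against
OSV-style advisories by purl, evaluate affected ranges with an ecosystem-aware
version ordering, and cross-reference hits with a CISA KEV list."""
import re

# Constructed components as an SBOM would list them: (purl, version).
COMPONENTS = [
    ("pkg:npm/lodash@4.17.9", "4.17.9"),
    ("pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1", "2.14.1"),
    ("pkg:pypi/requests@2.31.0rc1", "2.31.0rc1"),   # pre-release of the fix
    ("pkg:pypi/requests@2.31.0", "2.31.0"),         # the fix itself
]

# Constructed records in the OSV schema shape; ranges are simplified, not the
# real advisory data. 'introduced'/'fixed' events follow OSV's semantics.
ADVISORIES = [
    {"id": "CVE-2019-10744", "summary": "lodash prototype pollution",
     "affected": [{"package": {"ecosystem": "npm", "purl": "pkg:npm/lodash"},
                   "ranges": [{"type": "SEMVER", "events": [
                       {"introduced": "0"}, {"fixed": "4.17.12"}]}]}]},
    {"id": "CVE-2021-44228", "summary": "log4j JNDI remote code execution",
     "affected": [{"package": {"ecosystem": "Maven",
                               "purl": "pkg:maven/org.apache.logging.log4j/log4j-core"},
                   "ranges": [{"type": "ECOSYSTEM", "events": [
                       {"introduced": "2.0"}, {"fixed": "2.15.0"}]}]}]},
    {"id": "CVE-2023-32681", "summary": "requests leaks Proxy-Authorization",
     "affected": [{"package": {"ecosystem": "PyPI", "purl": "pkg:pypi/requests"},
                   "ranges": [{"type": "ECOSYSTEM", "events": [
                       {"introduced": "2.3.0"}, {"fixed": "2.31.0"}]}]}]},
]

# Constructed subset of the CISA KEV feed ("vulnerabilities"[*]["cveID"]).
KEV_CVE_IDS = {"CVE-2021-44228"}

_VERSION_RE = re.compile(r"^v?(\d+(?:\.\d+)*)(?:[-.]?([A-Za-z]+)\.?(\d+)?)?")


def version_key(v):
    """Simplified ordering covering what semver and PEP 440 share in the common
    case: numeric segments compare as integers, trailing zeros are ignored
    (1.0 == 1.0.0) and a pre-release (1.0.0-rc1, 1.0rc1) sorts before its final
    release. A real scanner should use packaging.version or a semver library."""
    m = _VERSION_RE.match(v)
    if not m:
        raise ValueError(f"unparseable version: {v}")
    release = [int(x) for x in m.group(1).split(".")]
    while release and release[-1] == 0:
        release.pop()
    pre = (0, m.group(2).lower(), int(m.group(3) or 0)) if m.group(2) else (1,)
    return tuple(release), pre


def naive_key(v):
    """Plain string comparison: what a scanner without ecosystem awareness does."""
    return v


def in_osv_range(version, events, key=version_key):
    """Walk OSV events in order: 'introduced' opens an affected interval,
    'fixed' closes it (exclusive), 'last_affected' closes it (inclusive)."""
    kv, affected = key(version), False
    for ev in events:
        if "introduced" in ev and key(ev["introduced"]) <= kv:
            affected = True
        elif "fixed" in ev and key(ev["fixed"]) <= kv:
            affected = False
        elif "last_affected" in ev and key(ev["last_affected"]) < kv:
            affected = False
    return affected


def purl_without_version(purl):
    return purl.split("@", 1)[0]


def osv_querybatch_payload(components):
    """Request body for POST https://api.osv.dev/v1/querybatch (not sent here)."""
    return {"queries": [{"package": {"purl": purl_without_version(p)}, "version": v}
                        for p, v in components]}


def match(components, advisories, kev_ids, key=version_key):
    """Return (purl, version, advisory id, in_kev) for each affected component."""
    findings = []
    for purl, version in components:
        for adv in advisories:
            for aff in adv["affected"]:
                if aff["package"].get("purl") != purl_without_version(purl):
                    continue
                if any(in_osv_range(version, r["events"], key) for r in aff.get("ranges", [])):
                    ids = {adv["id"], *adv.get("aliases", [])}
                    findings.append((purl, version, adv["id"], bool(ids & kev_ids)))
    return findings


if __name__ == "__main__":
    precise = match(COMPONENTS, ADVISORIES, KEV_CVE_IDS)
    for purl, _, vid, kev in precise:
        print(f"{purl}: {vid}{'  <-- actively exploited (CISA KEV)' if kev else ''}")
    missed = set(precise) - set(match(COMPONENTS, ADVISORIES, KEV_CVE_IDS, naive_key))
    print("findings a string-comparison scanner would miss:", len(missed))
```

Two of the three findings disappear under string comparison: "4.17.12" sorts before "4.17.9", and "2.31.0rc1" sorts after "2.31.0", so both look "fixed". The KEV flag on the log4j hit is what should drive the Article 14 triage discussed above, once you have confirmed the component actually ships in your product.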

GitHub Action for CI/CD

Run CRA readiness checks on every push and pull request. Fail the build if the score drops below your threshold.

# .github/workflows/cra-check.yml
name: CRA Compliance Check
on: [push, pull_request]
jobs:
  cra-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run CRA Scanner
        # For reproducible builds, pin to a release tag or commit SHA instead of
        # @main, so a change to the action cannot silently alter your check.
        uses: complaro/cra-scanner/action@main
        with:
          min-score: 40   # fail the job when the readiness score is below this

CLI Usage

cra-scanner scan .
    Scan a project directory (auto-discovers SBOMs)
cra-scanner scan . --sbom bom.json
    Scan with an explicit SBOM file
cra-scanner scan . --format json --output report.json
    Output as JSON for programmatic use
cra-scanner scan . --min-score 50
    Fail if the score is below the threshold (CI/CD)
cra-scanner scan . --no-vuln-scan
    Offline mode: skip live vulnerability queries
cra-scanner scan . --github-token $GITHUB_TOKEN
    Increase API rate limits with a GitHub token

From Assessment to Remediation

cra-scanner tells you where you stand. Complaro helps you get where you need to be.

cra-scanner (free CLI)

  • One-time readiness assessment
  • SBOM parsing & analysis
  • Vulnerability scanning
  • CRA readiness score
  • CI/CD integration

  Not included (Complaro Platform only):
  • Continuous monitoring
  • ENISA report generation
  • Multi-product dashboard

Complaro Platform

  • Everything in cra-scanner
  • Continuous vulnerability monitoring
  • ENISA Article 14 report generation
  • Multi-product dashboard
  • Product classification (Annex III/IV)
  • Team collaboration
  • PDF export for auditors
  • Real-time alerting

Try It Online

Don't want to install anything? Scan any public GitHub repository right from our homepage.


Get Your CRA Readiness Score

Install cra-scanner and know where you stand in 60 seconds.

$ pip install cra-scanner && cra-scanner scan .