This document is under active development and has not been finalised.

9.1 Tooling Map

Tool → CRA Compliance Matrix

This mapping shows which tool covers which CRA requirements.

GitHub Ecosystem

Dependabot

| CRA Requirement | Coverage |
|---|---|
| Art. 10(6) – Identify vulnerabilities | Automatic CVE alerts for dependencies |
| Art. 10(7) – Security updates | Automatic PRs when updates are available |
| Annex I, Part II, No. 2 – Remediation without undue delay | Auto-merge for patch updates |
| Annex I, Part II, No. 5 – Monitor third-party components | Continuous dependency monitoring |

GitHub Security Advisories

| CRA Requirement | Coverage |
|---|---|
| Art. 10(9) – Coordinated disclosure | Private advisory, CVE assignment |
| Art. 14(8) – User notification | Public advisory with recommended actions |
| Annex I, Part II, No. 4 – Disclosure of remediated CVEs | Publish security advisory |

GitHub Actions (Automation Templates)

| Workflow | CRA Requirement | Function |
|---|---|---|
| automatic-release.yml | Art. 10(7) | Automated release pipeline |
| modules-security-scan.yml | Art. 10(6) | Multi-engine security scanning |
| modules-license-compliance.yml | Art. 10(4), Art. 13(23) | License check + SBOM |
| docker-build.yml | Art. 10(12) | Image build + signing |
| docker-maintenance-dependabot.yml | Annex I, Part II, No. 2 | Auto-merge dependency updates |
| modules-docker-base-image-monitor.yml | Annex I, Part II, No. 5 | Base image update |
| security-management.yml | Art. 13(8) | SECURITY.md auto-generation |
| teams-notifications.yml | Art. 14 (supporting) | Incident communication |

Security Scanning

Trivy (Aqua Security)

| CRA Requirement | Coverage |
|---|---|
| Art. 10(6) | Container image vulnerability scanning |
| Art. 10(8) | Detection of known exploitable vulnerabilities |
| Art. 13(23) | SBOM generation (CycloneDX, SPDX) |
| Annex I, Part II, No. 1 | Component detection for SBOM |
| Annex I, Part II, No. 3 | Regular security testing (CI/CD) |

Grype (Anchore)

| CRA Requirement | Coverage |
|---|---|
| Art. 10(6) | Vulnerability scanning (complementary to Trivy) |
| Annex I, Part II, No. 1 | CVE matching against SBOM |

OSV-Scanner (Google)

| CRA Requirement | Coverage |
|---|---|
| Art. 10(6) | OSV database-based vulnerability scanning |
| Art. 10(8) | Detection of known vulnerabilities (aggregates NVD, GitHub, PyPI, npm, Go, etc.) |
| Annex I, Part II, No. 2 | CVE matching against lockfiles and SBOMs |

Snyk

| CRA Requirement | Coverage |
|---|---|
| Art. 10(6) | Application security scanning |
| Annex I, Part II, No. 3 | Code-level vulnerability detection |

Gitleaks + GitGuardian

| CRA Requirement | Coverage |
|---|---|
| Art. 10(1) | Prevention of secret exposure |
| Annex I, Part I, No. 5 | Protection against unauthorised access (secrets) |

SBOM & Compliance

Syft (Anchore)

| CRA Requirement | Coverage |
|---|---|
| Art. 13(23) | SBOM generation (CycloneDX JSON) |
| Annex I, Part II, No. 1 | Component detection and documentation |
| Annex VII, No. 1 | Product description (dependencies) |

FOSSA / License Compliance

| CRA Requirement | Coverage |
|---|---|
| Art. 10(4) | Due diligence for third-party components (licences) |
| Annex I, Part II, No. 1 | Licence inventory as part of the SBOM |

Signing & Integrity

Cosign (Sigstore)

| CRA Requirement | Coverage |
|---|---|
| Art. 10(12) | Integrity protection of updates |
| Annex I, Part I, No. 3.2 | Integrity protection (data/artefacts) |
| Annex I, Part II, No. 6 | Secure provision of updates |

CRA Compliance Workflows (this repository)

In addition to the automation templates, this repository provides dedicated CRA workflows that can be reused in any source code repository.

Composite Actions

| Action | CRA Requirement | Function |
|---|---|---|
| cra-sbom-generate | Art. 13(23) | Generate CycloneDX SBOM (Trivy, auto-detect) |
| cra-sbom-sign | Art. 10(12) | Sign SBOM (Cosign, keyless OIDC) |
| cra-vulnerability-scan | Art. 10(6), (8) | Multi-engine vulnerability scan (Trivy + Grype + OSV-Scanner) |
| cra-hub-report | Art. 10, Art. 13 | Send compliance data to Software Security Hub API |

Reusable Workflows

| Workflow | Type | CRA Requirement | Function |
|---|---|---|---|
| cra-release.yml | Repo-local | Art. 10(12), Art. 13(23) | SBOM + signature + scan as release assets |
| cra-scan.yml | Repo-local | Art. 10(6), (8) | Scheduled CVE scan with issue creation |
| cra-report.yml | API reporting | Art. 10, Art. 13, Annex VII | All CRA data to CRA Compliance Hub |

Planned Extensions

| Tool / Workflow | CRA Requirement | Status |
|---|---|---|
| CodeQL (SAST) | Annex I, Part II, No. 3 | 🔧 Optional |
| CRA Compliance Hub (web app) | Central evaluation | 🔧 Planned |

Summary: CRA Coverage through Tooling

                         CRA Requirement
                    ┌───────────────────────────┐
                    │  Art. 10 (Manufacturer)   │
                    │  ├── (1) Security         │──→ Trivy, Gitleaks, Code Review
                    │  ├── (2) Risk             │──→ Manual + Template
                    │  ├── (4) 3rd Party        │──→ FOSSA, License Compliance
                    │  ├── (6) Vulnerabilities  │──→ CVE-Monitor, Dependabot
                    │  ├── (7) Updates          │──→ Dependabot, CI/CD
                    │  ├── (8) No CVEs          │──→ CVE-Monitor, Trivy
                    │  ├── (9) CVD              │──→ GitHub Advisories
                    │  ├── (12) Integrity       │──→ Cosign
                    │  └── (16) Support         │──→ SECURITY.md
                    ├───────────────────────────┤
                    │  Art. 13 (Information)    │
                    │  ├── (6) CVD Policy       │──→ SECURITY.md
                    │  └── (23) SBOM            │──→ Trivy/Syft
                    ├───────────────────────────┤
                    │  Art. 14 (Reporting)      │
                    │  ├── 24h Early Warning    │──→ ENISA SRP + Teams
                    │  ├── 72h Notification     │──→ ENISA SRP
                    │  └── User Info            │──→ GitHub Advisory
                    └───────────────────────────┘

Documentation licensed under CC BY-NC 4.0 · Code licensed under MIT