This document is under active development and has not been finalised.
Skip to content

8.1 Tooling Map

8.1.1 Tool → CRA Compliance Matrix

This mapping shows which tool covers which CRA requirements.

8.1.2 GitHub Ecosystem

Dependabot

CRA RequirementCoverage
Annex I Part II (1) – Identify vulnerabilitiesAutomatic CVE alerts for dependencies
Annex I Part II (2) – Security updatesAutomatic PRs when updates are available
Annex I, Part II, No. 2 – Remediation without undue delayAuto-Merge for patch updates
Annex I, Part II, No. 5 – Monitor third-party componentsContinuous dependency monitoring

GitHub Security Advisories

CRA RequirementCoverage
Annex I Part II (5) – Coordinated disclosurePrivate advisory, CVE assignment
Art. 14(8) – User notificationPublic advisory with recommended actions
Annex I, Part II, No. 4 – Disclosure of remediated CVEsPublish security advisory

GitHub Actions (Automation Templates)

WorkflowCRA RequirementFunction
automatic-release.ymlAnnex I Part II (2)Automated release pipeline
modules-security-scan.ymlAnnex I Part II (1)Multi-Engine Security Scanning
modules-license-compliance.ymlArt. 13(5), Annex I Part II (1)License check + SBOM
docker-build.ymlAnnex I Part II (7)Image build + signing
docker-maintenance-dependabot.ymlAnnex I, Part II, No. 2Auto-Merge dependency updates
modules-docker-base-image-monitor.ymlAnnex I, Part II, No. 5Base image update
security-management.ymlArt. 13(8)SECURITY.md auto-generation
teams-notifications.ymlArt. 14 (supporting)Incident communication

8.1.3 Security Scanning

Trivy (Aqua Security)

CRA RequirementCoverage
Annex I Part II (1)Container image vulnerability scanning
Annex I Part I (2)(a)Detection of known exploitable vulnerabilities
Annex I Part II (1)SBOM generation (CycloneDX, SPDX)
Annex I, Part II, No. 1Component detection for SBOM
Annex I, Part II, No. 3Regular security testing (CI/CD)

Grype (Anchore)

CRA RequirementCoverage
Annex I Part II (1)Vulnerability scanning (complementary to Trivy)
Annex I, Part II, No. 1CVE matching against SBOM

OSV-Scanner (Google)

CRA RequirementCoverage
Annex I Part II (1)OSV database-based vulnerability scanning
Annex I Part I (2)(a)Detection of known vulnerabilities (aggregates NVD, GitHub, PyPI, npm, Go etc.)
Annex I, Part II, No. 2CVE matching against lockfiles and SBOMs

Snyk

CRA RequirementCoverage
Annex I Part II (1)Application security scanning
Annex I, Part II, No. 3Code-level vulnerability detection

Gitleaks + GitGuardian

CRA RequirementCoverage
Art. 13(1)Prevention of secret exposure
Annex I, Part I, No. 5Protection against unauthorised access (secrets)

8.1.4 SBOM & Compliance

Syft (Anchore)

CRA RequirementCoverage
Annex I Part II (1)SBOM generation (CycloneDX JSON)
Annex I, Part II, No. 1Component detection and documentation
Annex VII No. 1Product description (dependencies)

FOSSA / License Compliance

CRA RequirementCoverage
Art. 13(5)Due diligence for third-party components (licences)
Annex I, Part II, No. 1Licence inventory as part of the SBOM

8.1.5 Signing, Attestation & Integrity

Cosign (Sigstore)

CRA RequirementCoverage
Annex I Part II (7)Integrity protection of updates
Annex I, Part I, No. 3.2Integrity protection (data/artefacts)
Annex I, Part II, No. 6Secure provision of updates

GitHub Attestation (Sigstore via GitHub)

CRA RequirementCoverage
Annex I Part II (7)Cryptographic provenance of SBOM
Annex I, Part I, No. 3.2Verifiable build-time integrity

Belt + Suspenders

Both Cosign (portable) and GitHub Attestation (native) are used simultaneously. Cosign works outside GitHub; Attestation is verifiable via gh attestation verify.

8.1.6 CRA Compliance Workflows (this repository)

In addition to the automation templates, this repository provides dedicated CRA workflows that can be reused in every source code repository. See 8.2 Automation Workflows for detailed usage.

Composite Actions (CRA-specific)

ActionCRA RequirementFunction
cra-sbom-generateAnnex I Part II (1)Generate CycloneDX SBOM (Trivy, auto-detect)
cra-sbom-signAnnex I Part II (7)Sign SBOM (Cosign, keyless OIDC)
cra-vulnerability-scanAnnex I Part II (1), Annex I Part I (2)(a)Multi-engine vulnerability scan (Trivy + Grype + OSV-Scanner)
cra-hub-reportArt. 13Send compliance data to Software Security Hub API
cra-compliance-reportAnnex VIIGenerate JSON + Markdown compliance report with scoring
cra-eu-docArt. 28, Annex VGenerate machine-readable EU Declaration of Conformity (JSON)
cra-renderAnnex V, Annex VIIRender JSON artifacts to PDF (EU DoC, Compliance Report)

Composite Actions (Generic, in automation-templates)

ActionCRA RequirementFunction
vex-generateAnnex I, Part II, No. 2Generate OpenVEX document from scan results + manual triage
sbom-attestAnnex I Part II (7)Create GitHub-native SBOM attestation

Reusable Workflows

WorkflowTypeCRA RequirementFunction
cra-release.ymlRepo-localAnnex I Part II (7), Annex I Part II (1), Annex VIISBOM + signature + attestation + VEX + compliance report
cra-scan.ymlRepo-localAnnex I Part II (1), Annex I Part I (2)(a)Scheduled CVE scan with issue creation
cra-report.ymlAPI reportingArt. 13, Annex VIIAll CRA data to CRA Compliance Hub
cra-onboard.ymlRepo-localArt. 13, Art. 13(6)One-click CRA enrollment for any repository
cra-audit.ymlRepo-localAnnex I, Annex VIIWeekly compliance audit with issue creation
cra-incident.ymlRepo-localArt. 14Incident response trigger with ENISA deadline calculation

CLI Tool

ToolCRA RequirementFunction
cra-checkAnnex VIILocal/remote compliance verification with scoring

8.1.7 Planned Extensions

Tool / WorkflowCRA RequirementStatus
CodeQL (SAST)Annex I, Part II, No. 3🔧 Optional

8.1.8 Summary: CRA Coverage through Tooling

                         CRA Requirement
                    ┌─────────────────────────┐
                    │  Art. 13 (Manufacturer)   │
                    │  ├── (1) Security         │──→ Trivy, Gitleaks, Code Review
                    │  ├── (2) Risk             │──→ Manual + Template
                    │  ├── (4) 3rd Party        │──→ FOSSA, License Compliance
                    │  ├── (6) Vulnerabilities  │──→ CVE-Monitor, Dependabot
                    │  ├── (7) Updates          │──→ Dependabot, CI/CD
                    │  ├── (8) No CVEs          │──→ CVE-Monitor, Trivy
                    │  ├── (9) CVD              │──→ GitHub Advisories
                    │  ├── (12) Integrity       │──→ Cosign + Attestation
                    │  └── (16) Support         │──→ SECURITY.md
                    ├─────────────────────────┤
                    │  Art. 13 (Information)     │
                    │  ├── (6) CVD Policy        │──→ SECURITY.md
                    │  └── (23) SBOM            │──→ Trivy/Syft
                    ├─────────────────────────┤
                    │  Art. 14 (Reporting)       │
                    │  ├── 24h Early Warning     │──→ ENISA SRP + Teams
                    │  ├── 72h Notification      │──→ ENISA SRP
                    │  └── User Info            │──→ GitHub Advisory
                    └─────────────────────────┘

Documentation licensed under CC BY-NC 4.0 · Code licensed under MIT