    CRA Readiness Auditor

    Automated EU Cyber Resilience Act (CRA) auditing, SBOM generation, and compliance documentation for software repos.

    Updated Jun 2026
    Security scanned

    $99 or 495 credits

    30-day refund guarantee

    Included in download

    • Generate CycloneDX 1.5 SBOMs from project manifests automatically
    • Map repository security gaps to specific EU CRA Articles and Annexes
    • Terminal automation included
    • Instant install

    Sample input

    Perform a CRA readiness audit on my current repository and generate the required SBOM and incident runbooks.

    Sample output

    ### CRA Audit Summary

    **Location:** `/cra-readiness/`

    - **SBOM:** `sbom.cdx.json` (CycloneDX 1.5)
    - **Status:** 12 Met, 5 Open, 2 Partial
    - **Top Gaps:** Missing 24h ENISA notification procedure, Technical Doc skeleton incomplete.

    *This is a readiness aid and does not constitute legal advice.*

    About This Skill

    Audit Your Software for EU CRA Compliance

    The Cyber Resilience Act (CRA) introduces strict cybersecurity requirements for software products in the EU market, starting September 2026. This skill automates the complex task of auditing your repository against these specific legal obligations, saving developers and legal teams weeks of manual mapping.

    What it does

    This skill performs a comprehensive scan of your repository to extract dependency data, security policies, and update mechanisms. It then generates the exact artifacts required for CRA compliance:

    • CycloneDX SBOM: An industry-standard software bill of materials (v1.5).
    • Readiness Report: A detailed audit mapping your repo to specific CRA articles and essential requirements.
    • Compliance Templates: Ready-to-use vulnerability disclosure policies (SECURITY.md) and incident response runbooks mapped to ENISA's 24-hour reporting duty.
    • Technical Documentation: A structured skeleton for the required CRA technical dossiers.

    Why use this skill?

    Unlike generic vulnerability scanners, this tool is specifically tuned to the legal text of the Cyber Resilience Act. It doesn't just find bugs; it identifies gaps in your compliance framework—such as missing incident notification paths or insufficient update documentation—that carry significant regulatory risk.

    Supported Environments

    The auditor supports all major package managers including npm, pip/poetry, go-mod, and cargo. It operates entirely locally for privacy, with an optional path for online vulnerability enrichment.

    Use Cases

    • Generate CycloneDX 1.5 SBOMs from project manifests automatically
    • Map repository security gaps to specific EU CRA Articles and Annexes
    • Create ENISA-compliant 24-hour incident reporting runbooks
    • Generate technical documentation skeletons required for EU market entry
    • Prepare software products for the September 2026 CRA enforcement date

    Security Scanned

    Passed automated security review

    Permissions

    Terminal / Shell

    File Scopes

    cra-readiness-auditor/**
