$ crawin generate --src ./apps/thermostat --format cyclonedx
› reading manifests: package.json, requirements.txt, Cargo.lock
› resolving 247 components across 3 ecosystems (npm · pypi · cargo)
› enriching with CVE feeds: NVD · OSV · ENISA EUVD
✓ sbom.cdx.json written · 247 components · 0 unresolved · 14 CVE matches
› uploading to crawin.eu/org/forge-labs/forge-thermostat
⌬ signed with cosign · attestation OCID c0ffee…3a91
$
Generate, manage, and ship SBOMs in one CI run.
crawin produces CycloneDX and SPDX bills of materials directly from your pipeline, watches every component for new CVEs, and files ENISA-ready vulnerability reports when something breaks. Built for the EU CRA deadline that compliance and engineering both stop pretending isn't real.
- EU CRA Cyber Resilience Act Reg. 2024/2847
- NIS2 Network & Info Security Directive Dir. (EU) 2022/2555
- EO 14028 US Federal Procurement Sec. 4
- NTIA Minimum SBOM Elements July 2021
- FDA Premarket Cybersecurity Sec. 524B
CycloneDX 1.6 · SPDX 3.0
GitHub Actions · GitLab CI · Bitbucket Pipelines · Jenkins · any container build
Run one command. Get the artifact your auditor and your CI both speak.
Below is the actual output of crawin generate on a Forge Labs IoT firmware build, and the CycloneDX 1.6 JSON it produces. The file is signed, uploaded to your Trust Center, and indexed against ENISA EUVD before the next pipeline stage runs.
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:6cfa1d20-…",
  "version": 1,
  "metadata": {
    "timestamp": "2026-06-02T08:14:33Z",
    "component": {
      "type": "firmware",
      "name": "forge-thermostat",
      "version": "2.4.1",
      "supplier": { "name": "Forge Labs GmbH" },
      "licenses": [{ "license": { "id": "Apache-2.0" } }]
    },
    "tools": [{ "name": "crawin", "version": "1.4.0" }]
  },
  "components": [
    {
      "type": "library",
      "name": "openssl",
      "version": "3.2.1",
      "purl": "pkg:generic/openssl@3.2.1",
      "supplier": { "name": "The OpenSSL Project" }
    },
    {
      "type": "library",
      "name": "lodash",
      "version": "4.17.21",
      "purl": "pkg:npm/lodash@4.17.21",
      "licenses": [{ "license": { "id": "MIT" } }]
    },
    {
      "type": "library",
      "name": "requests",
      "version": "2.31.0",
      "purl": "pkg:pypi/requests@2.31.0"
    }
  ],
  "vulnerabilities": [
    {
      "id": "CVE-2024-6387",
      "source": { "name": "NVD" },
      "ratings": [{ "severity": "high", "score": 8.1 }],
      "affects": [{ "ref": "pkg:generic/openssh@9.2" }]
    }
  ]
}
Compliance signs the contract. Engineering ships the SBOM. Both leave happy.
Most SBOM tools force a side. Crawin doesn't. The same workspace serves the auditor's PDF and the developer's pipeline — without one team having to translate for the other.
Evidence packs your auditor can read without your help.
Every product gets a Trust Center page: SBOMs, vulnerability history, ENISA notifications, conformity attestations, the dates everything happened. Filter by regulation, export a sealed PDF, hand it to the auditor.
- CRA Article 14 24-hour vulnerability notice — pre-filled, time-stamped.
- SBOM version history per release, diffed.
- Per-product CRA conformity status (red / amber / green) with the reason.
- Per-auditor access links, time-limited, watermarked.
- SBOM generated sha256:6cfa1d…
- Signed (cosign) attestation
- CVE-2024-6387 matched NVD · high
- ENISA notification drafted CRA Art. 14
One CI step. No new platform team.
Drop the GitHub Action (or GitLab include, or shell one-liner) into the pipeline you already have. Crawin reads your manifests, your container layers, your build outputs. Stays out of the way until something needs attention.
- CycloneDX 1.6 + SPDX 3.0 out of the box. Pick one or both.
- Container, language, and OS-level resolvers. Polyglot repos welcome.
- Webhook events, REST + GraphQL API, OpenAPI 3.1 spec.
- Self-host on your own cluster — same binary, same features.
name: SBOM
on:
  push:
    tags: ['v*']
jobs:
  generate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: crawin/action@v1
        with:
          source: .
          format: cyclonedx
          upload: true
          fail-on: cvss>=7
From git push to ENISA-ready in one pipeline run.
These are numbered because the order matters: each step depends on the previous one's output. If a section of a SaaS homepage tells you "1, 2, 3" but the steps could run in any order, it's decoration. This one isn't.
1. Connect a repository or upload a build
   Install the GitHub / GitLab / Bitbucket app, or run the binary against a local build output. Crawin reads your manifests, container layers, and lock files in any of 14 languages.
   Source repos · Container registries · Binary uploads · Build artifacts
2. Generate the SBOM as part of the CI run that ships the build
   The SBOM is part of the release, not a separate artifact someone has to remember to file. CycloneDX 1.6 and SPDX 3.0 produced from the same scan, signed with cosign, attested with SLSA L3.
   CycloneDX 1.6 · SPDX 3.0 · cosign signed · SLSA L3
3. Share via Trust Center or hand-deliver to ENISA
   Customers and auditors see a public or scoped Trust Center page. New CVEs in your components trigger ENISA-ready Article 14 notifications, drafted with the 24-hour and 72-hour content the regulation requires.
   Trust Center URL · ENISA Art. 14 notice · Auditor evidence pack · Vulnerability webhook
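The JSON excerpt above, the workflow's `fail-on: cvss>=7` gate, and step 3's CVE-triggered notification all rest on three small checks that a practitioner can run independently of the vendor. The Python below is an added example, not crawin's code and not the action's implementation: it loads a CycloneDX 1.6 document, flags vulnerability entries whose `affects.ref` names no `purl` or `bom-ref` in the component inventory, evaluates a gate expression in the workflow's `cvss>=7` style (the expression syntax is an assumption modelled on that single value), and computes the 24-hour and 72-hour Article 14 clocks from a detection timestamp like the one in the notice section. The embedded SBOM is a constructed sample shaped like the excerpt; its second vulnerability entry is a labelled placeholder, not a real advisory. On this sample the openssh ref resolves to nothing, just as it would on the three-component excerpt, which is the kind of inconsistency worth failing on before a notification is drafted from it.

```python
"""Added example, not crawin's code: consistency checks and a CI gate over a
CycloneDX 1.6 SBOM, plus the CRA Article 14 reporting clocks for a match."""
import json
import operator
import re
from datetime import datetime, timedelta

# Constructed sample shaped like the page's excerpt. The second vulnerability
# entry is a labelled placeholder, not a real advisory.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "components": [
        {"type": "library", "name": "openssl", "version": "3.2.1",
         "purl": "pkg:generic/openssl@3.2.1"},
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21"},
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
    ],
    "vulnerabilities": [
        {"id": "CVE-2024-6387", "source": {"name": "NVD"},
         "ratings": [{"severity": "high", "score": 8.1}],
         "affects": [{"ref": "pkg:generic/openssh@9.2"}]},
        {"id": "VULN-PLACEHOLDER-1", "source": {"name": "constructed"},
         "ratings": [{"severity": "medium", "score": 5.3}],
         "affects": [{"ref": "pkg:npm/lodash@4.17.21"}]},
    ],
})

GATE_OPS = {">=": operator.ge, "<=": operator.le, "==": operator.eq,
            ">": operator.gt, "<": operator.lt}


def load_sbom(text):
    sbom = json.loads(text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return sbom


def component_refs(sbom):
    """Identifiers a vulnerability may legitimately point at: bom-ref or purl."""
    refs = set()
    for comp in sbom.get("components", []):
        for key in ("bom-ref", "purl"):
            if comp.get(key):
                refs.add(comp[key])
    return refs


def unresolved_affects(sbom):
    """Vulnerability entries whose affected ref names nothing in the inventory.
    Such an entry cannot be traced to a shipped component and should be treated
    as an SBOM defect rather than silently accepted."""
    known = component_refs(sbom)
    return [(v["id"], a["ref"])
            for v in sbom.get("vulnerabilities", [])
            for a in v.get("affects", [])
            if a.get("ref") not in known]


def max_score(vuln):
    scores = [r["score"] for r in vuln.get("ratings", []) if "score" in r]
    return max(scores) if scores else None


def parse_gate(expr):
    """Parse an expression like 'cvss>=7' (assumed syntax, modelled on the
    workflow's fail-on value) into a comparison function and a threshold."""
    m = re.fullmatch(r"\s*cvss\s*(>=|<=|==|>|<)\s*(\d+(?:\.\d+)?)\s*", expr)
    if not m:
        raise ValueError(f"unsupported gate expression: {expr!r}")
    return GATE_OPS[m.group(1)], float(m.group(2))


def gate_violations(sbom, expr):
    """Vulnerabilities that would fail the pipeline under the given gate."""
    op, threshold = parse_gate(expr)
    hits = []
    for v in sbom.get("vulnerabilities", []):
        score = max_score(v)
        if score is not None and op(score, threshold):
            hits.append((v["id"], score))
    return hits


def article14_clocks(detected_at_iso):
    """CRA Article 14 early-warning (24h) and notification (72h) deadlines,
    counted from the detection timestamp, returned as ISO-8601 strings."""
    detected = datetime.fromisoformat(detected_at_iso)
    if detected.tzinfo is None:
        raise ValueError("detection time must carry a timezone")
    return {
        "early_warning_24h": (detected + timedelta(hours=24)).isoformat(),
        "notification_72h": (detected + timedelta(hours=72)).isoformat(),
    }


if __name__ == "__main__":
    bom = load_sbom(SAMPLE_SBOM)
    print("unresolved affects:", unresolved_affects(bom))
    print("fail-on cvss>=7:", gate_violations(bom, "cvss>=7"))
    print(article14_clocks("2026-06-02T08:15:42+00:00"))
```

Run directly, it prints the three results; in a pipeline, a non-empty `gate_violations` or `unresolved_affects` list is the condition to turn into a non-zero exit code, and the clocks are what you would stamp on a draft notice rather than compute by hand under the 24-hour window.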
One dashboard. Every product. CRA status in plain English.
This is the actual workspace view your compliance lead and your release manager both open in the morning. Each row is a product you ship; the status pill is the one your auditor will ask about.
When a CVE matches your SBOM, the ENISA notice is already drafted.
The hardest part of the CRA isn't the 24-hour window. It's knowing which fields to fill, in which format, with which evidence. Crawin pre-populates the entire ENISA notification from your SBOM and the CVE feed, then asks you to confirm two questions a human still has to answer.
- Manufacturer: Forge Labs GmbH (manual confirm)
- Product: forge-thermostat · firmware · v2.4.1 (auto-filled by crawin)
- Conformity assessment route: Self-assessment (Annex IV) (manual confirm)
- Vulnerability ID: CVE-2024-6387 (regreSSHion) (auto-filled by crawin)
- CVSS: 8.1 · High (auto-filled by crawin)
- Affected component: pkg:generic/openssh@9.2 (transitive) (auto-filled by crawin)
- Discovery method: Automated CVE match (NVD feed, 2026-06-02 08:15 UTC) (auto-filled by crawin)
- Active exploitation: Yes — public PoC observed (manual confirm)
- Detected at: 2026-06-02 08:15:42 UTC (auto-filled by crawin)
- Submission deadline (24h): 2026-06-03 08:15 UTC (auto-filled by crawin)
14 ecosystems. 30+ tools. One CI step.
Crawin sits next to the build you already have. No new platform team. No new SSO. No "migrate everything by Q3."
CI / CD: GitHub Actions · GitLab CI · Bitbucket Pipelines · Jenkins · CircleCI · Buildkite
Source: GitHub · GitLab · Bitbucket · Gitea · Azure DevOps
Registry: Docker Hub · GHCR · ECR · Artifactory · Harbor
Languages: npm · pypi · cargo · go modules · maven · gradle · composer · rubygems · cocoapods · swift · nuget · hex · pub · apt
Vuln feeds: NVD · OSV · ENISA EUVD · GitHub Advisory · CISA KEV · EPSS
Downstream: Dependency-Track · DefectDojo · Jira · Slack · PagerDuty · Webhook
Priced for SME budgets. Built to satisfy SME auditors.
Every tier ships with the SBOM, the ENISA workflow, and the Trust Center. The difference between tiers is product count, team size, and reseller scope. Annual billing is 20% off everywhere.
Starter
For your first product on the CRA clock
1 product
- 1 product / repository
- CycloneDX + SPDX export
- Continuous CVE monitoring (NVD + OSV)
- Public Trust Center page
- GitHub / GitLab integration
- Email support
Growth
The September 11-ready tier
up to 5 products
- Up to 5 products
- Everything in Starter
- ENISA Art. 14 / 14.2 templates (24h, 72h, final)
- CRA conformity assessment dashboard
- SBOM version history & diff
- Slack / webhook alerts
- Priority email support
Scale
Multi-product manufacturers
up to 20 products
- Up to 20 products
- Everything in Growth
- Team roles (compliance / dev / auditor)
- REST + GraphQL API access
- Auditor evidence package export (PDF + JSON)
- CI gates on CVSS, license, age
- SLA-backed support
Consultant
For agencies serving SMEs
unlimited customer workspaces
- Unlimited client workspaces
- Everything in Scale
- White-label Trust Center
- Reseller billing & co-branding
- Per-client compliance reports
- Onboarding partner status
- Named CSM
September 11 doesn't move. Start before your competitor does.
Every Forge Labs, every Magna IoT, every two-person hardware startup you compete with is reading the same regulation right now. The ones with an SBOM workflow in place by then will route around the audit. The ones without will spend Q4 explaining themselves.