ProofwrightScenario

Scenario: a CRA conformity audit

The auditor arrives. Walk them from SBOM to VEX to dossier — every claim traceable to evidence.

A CRA conformity audit lands — walk the auditor through the SBOM, vulnerability evidence, readiness score, and dossier, every claim traceable to a record. Related demos: Scenario: answering a security questionnaire and Scenario: choosing your conformity route.

The auditor is in the room. The difference between a smooth day and a painful one isn't how good your intentions were — it's whether every assertion traces to evidence you can produce on the spot.

What the auditor asks to see

They ask forYou produce
Component inventoryCycloneDX SBOM, per release
Vulnerability handlingOSV log + VEX decisions
Readiness against essentialsScore with gaps closed
Technical documentationThe CRA dossier

The evidence, in order

  1. SBOM. Current, generated on build, matching the shipped artifact by digest.
  2. Vulnerability handling. Every finding with its VEX decision and the update that closed it.
  3. Readiness score. Each essential requirement scored, with the evidence behind it linked.
  4. Dossier. The technical file assembled from that live evidence, not written from memory the night before.

The readiness snapshot

Value
Readiness score94 / 100
Open gaps1 (tracked)
Evidence entriesTamper-evident
Dossierv14 · export-ready
An audit isn't a test of your product so much as a test of your paper trail. When every claim is one click from its evidence, audit day is a walkthrough, not an interrogation.

Proofwright keeps the trail audit-ready so the day is uneventful.

this is Proofwright

It's live.

See the real thing at Proofwright.