Scenario: a CRA conformity audit
The auditor arrives. Walk them from SBOM to VEX to dossier — every claim traceable to evidence.
A CRA conformity audit lands — walk the auditor through the SBOM, vulnerability evidence, readiness score, and dossier, every claim traceable to a record.
The auditor is in the room. The difference between a smooth day and a painful one isn't how good your intentions were — it's whether every assertion traces to evidence you can produce on the spot.
What the auditor asks to see
They ask forYou produce
Component inventoryCycloneDX SBOM, per release
Vulnerability handlingOSV log + VEX decisions
Readiness against essentialsScore with gaps closed
Technical documentationThe CRA dossier
The evidence, in order
- SBOM. Current, generated on build, matching the shipped artifact by digest.
- Vulnerability handling. Every finding with its VEX decision and the update that closed it.
- Readiness score. Each essential requirement scored, with the evidence behind it linked.
- Dossier. The technical file assembled from that live evidence, not written from memory the night before.
The readiness snapshot
Value
Readiness score94 / 100
Open gaps1 (tracked)
Evidence entriesTamper-evident
Dossierv14 · export-ready
An audit isn't a test of your product so much as a test of your paper trail. When every claim is one click from its evidence, audit day is a walkthrough, not an interrogation.
Proofwright keeps the trail audit-ready so the day is uneventful.
this is Proofwright
It's live.
See the real thing at Proofwright.