Generating a CRA dossier
How SBOMs, scans, and decisions compile into audit-ready technical documentation.
How the evidence you already collect compiles into audit-ready technical documentation.
1
Pull the SBOM
The current release's component inventory — the foundation the rest of the dossier references.
2
Attach vulnerability status
Every finding with its VEX decision — what's affected, what's not, and why.
3
Include the readiness assessment
Score against the CRA essential requirements, with gaps and how they were closed.
4
Compile the dossier
One document assembled from live evidence — regenerating as the product changes.
this is Proofwright
It's live.
See the real thing at Proofwright.