EU CRA Compliance, automated.
Prismor automatically generates SBOM and VEX documents for every release, giving enterprises a clear path to EU Cyber Resilience Act compliance without manual overhead. Integrates with your existing CI/CD, GitHub, and security toolchain in minutes.
What the EU CRA Requires
The Cyber Resilience Act applies to all products with digital elements sold in the EU. It mandates machine-readable vulnerability documentation and ongoing monitoring throughout the product lifecycle.
Software Bill of Materials (SBOM)
A machine-readable inventory of every dependency in your software, required for CRA conformity assessment. Prismor generates SPDX 2.3 and CycloneDX SBOMs automatically on every scan.
Vulnerability Exploitability eXchange (VEX)
VEX documents clarify which known CVEs are actually exploitable in your product. Prismor auto-generates VEX statements so you can demonstrate due diligence without manual triage for every advisory.
Continuous Vulnerability Reporting
CRA requires ongoing monitoring and timely disclosure of actively exploited vulnerabilities. Prismor continuously re-scans and alerts your team to new CVEs, keeping your compliance posture current.
How Prismor Automates CRA Compliance
From first scan to audit-ready documentation: no manual steps, no specialist overhead.
Connect your repository
Point Prismor at any GitHub repository. Our GitHub App or CLI scans your entire dependency tree, including transitive dependencies, in seconds.
Automatic SBOM & VEX generation
Prismor produces a CRA-compliant SBOM in SPDX 2.3 or CycloneDX format and generates VEX statements for every detected CVE. Export as JSON, XML, or PDF, ready for your conformity assessment body.
Integrate with your existing tools
Prismor slots into your current pipeline: GitHub Actions, Jenkins, GitLab CI, Jira, Slack. No rip-and-replace. Enterprise customers can connect to their existing SIEM and vulnerability management platforms.
Continuous monitoring & AI-powered fixes
New CVEs are tracked automatically as they are published. Prismor's AI can open pull requests to upgrade vulnerable dependencies, keeping your SBOM and VEX accurate without manual intervention.
Built for Enterprise Scale
Whether you manage 10 repositories or 10,000, Prismor handles the compliance workload so your engineers can focus on shipping.
CI/CD-native scanning: Trigger scans on every PR or release tag. SBOMs generated fresh with every build.
SSO & role-based access: Enterprise SSO, audit logs, and granular permissions for large security teams.
Custom integrations: Bespoke connectors to your SIEM, GRC, or vulnerability management platform.
Go deeper
EU CRA Complete Guide
Timelines, SBOM requirements, VEX/CSAF, penalties, and sample SPDX JSON for 2026.
Read the guide
SBOM Visualizer
Upload any SBOM and instantly explore your dependency tree, no login required.
Try the visualizer
Integration Docs
GitHub App, CLI, GitHub Actions, and CI/CD guides, up and running in under 10 minutes.
View docs