Compliance Reports

scd-server generates a CRA Compliance Report — ready-made documentation for EU Cyber Resilience Act (CRA) and NIS2 conformity assessments.

Navigate here via Reports in the navbar.


CRA Compliance Report

The report is mapped to the EU Cyber Resilience Act essential requirements (Annex I, Part II — vulnerability handling) and contains:

  1. Executive Summary — scan activity, repositories, developer machines, and an overall status (Satisfactory / Review Needed / Action Required).
  2. Vulnerability Management Activity — current open Critical/High/Medium findings (deduplicated) and a monthly trend.
  3. OWASP Top 10 Coverage — findings by OWASP category, showing the breadth of testing.
  4. Documented Risk Decisions — accepted risks with rationale, accountable reviewer, and date.
  5. Remediated Vulnerabilities — findings fixed and verified by scan evidence, with time-to-fix (shown when there are remediations in the period).
  6. Developer Coverage & Knowledge Gaps — per-machine scanning coverage, inactivity flags, and recurring categories as training candidates.
  7. Open Vulnerabilities — current unresolved Critical/High findings per repository.

A closing Scope & Methodology section states plainly what the evidence covers and its limitations. The cover identifies the organisation (from your licence) and your Coordinated Vulnerability Disclosure (CVD) contact.

Set your CVD contact

To populate the CVD field, set your contact under Admin → Settings → Compliance. A coordinated vulnerability disclosure contact is a CRA requirement (Annex I, Part II).

Software Bill of Materials (SBOM)

An SBOM export is on the roadmap and is not yet part of this report.


Generating the report

The report builds automatically from current data when you open it, reflecting all non-excluded repositories and developer machines. Use the filters at the top to narrow it to a reporting period or a single repository.

Click Download PDF to export it (via your browser's print dialog) for submission to auditors or inclusion in technical documentation packages.


Who needs this

Teams subject to the EU Cyber Resilience Act (products with digital elements sold in the EU) or NIS2 (essential and important entities) need to document their vulnerability management processes. The CRA Compliance Report provides that documentation automatically — no manual assembly required.

See securecodebydesign.com for more on CRA/NIS2 compliance coverage.