CRAcheck API — EU Cyber Resilience Act Compliance

Does your product need to report under the EU CRA?

Scan your SBOM or package list and get an AI-powered CRA triage decision in seconds. Bulk vulnerability scanning, zero data retention, CI/CD-ready.

10,000+ PURLs scanned per request
3 live intel sources: OSV, EPSS, CISA KEV
0 bytes of SBOM ever written to disk
3 SBOM formats: CycloneDX & SPDX

The problem

The official ENISA portal won't cut it for real work.

The EU Vulnerability Database exists — but it's built for human browsing, not developer pipelines. If your security workflow involves more than one CVE at a time, you're on your own.

ENISA EUVD (euvd.enisa.europa.eu)
- No bulk scanning. One CVE lookup at a time through a browser UI.
- No SBOM support. Can't ingest CycloneDX or SPDX documents.
- No CRA triage. No logic to determine reporting obligations.
- No CI/CD integration. Zero pipeline or automation support.

CRAcheck API (api.cracheck.io/v1)
- Up to 10,000 PURLs per request. Bulk-ready from the first call.
- Full SBOM scanning. CycloneDX, SPDX 2.x & 3.0 JSON-LD.
- AI CRA triage. Structured reporting obligation decision per product.
- CI/CD-safe. Idempotency keys, so every call is safe to retry in any pipeline.

How it works

Three requests. Full compliance picture.

Send your bill of materials, get live vulnerability intelligence, and receive an AI triage decision — in one workflow.

Submit SBOM or PURLs

POST a CycloneDX or SPDX document, or send a raw JSON array of package URLs. Up to 10,000 components, up to 15 MB — no pre-processing needed.

POST /v1/scan-sbom · /scan-purls

Live vulnerability intelligence

Every request queries OSV (multi-ecosystem), FIRST EPSS exploit-probability scores, and the CISA KEV catalog in real time. A freshness check runs before each scan.

OSV · FIRST EPSS · CISA KEV

AI CRA triage decision

Pass the scan findings to the triage endpoint. Receive a structured CRA reporting obligation: report, monitor, or no action required — with reasoning.

POST /v1/triage-stateless

Capabilities

Everything a compliance engineer actually needs.

Full SBOM scanning

CycloneDX 1.4–1.7 and SPDX 2.2, 2.3, 3.0.1 (JSON-LD). Auto-extracts and deduplicates all PURLs. Up to 15 MB per request.

Batch PURL scanning

No SBOM? Submit a raw JSON array of package URLs. Fast, lightweight lookup for teams that already know what they're shipping.

AI CRA triage

The /triage-stateless endpoint maps findings to CRA reporting obligations. No more manual regulation interpretation per release.

Zero data retention

SBOMs, PURLs, and results are never persisted. Only usage counters are stored for billing. Your IP stays yours.

CI/CD-safe idempotency

Every POST supports idempotency keys. Retry safely in automated pipelines without double-billing.

EPSS + KEV enrichment

Each finding is enriched with its FIRST EPSS exploit probability and a CISA KEV flag, so you know whether a vulnerability is being actively exploited.

Least-privilege keys

Scope service keys to stateless:analyze or sbom:ingest. Rotate without expanding privileges.

Freshness-checked intel

Readiness check before every scan. If a source is unreachable, the API returns 503 rather than stale data.

Transparent billing

Immutable usage events per request. Per-key rate limiting. Idempotent replays don't create duplicate billing events.

API reference

Developer-first from day one.

One API key. Drop it into your pipeline and know on every build whether you have a reportable vulnerability under the EU CRA.

HTTP Request
POST /v1/scan-purls
Authorization: Bearer sk_live_…
Content-Type: application/json
Idempotency-Key: 018f6e66-c5bd-7d7e-a8f3

{
  "purls": [
    "pkg:npm/lodash@4.17.20",
    "pkg:pypi/requests@2.28.1",
    "pkg:maven/log4j/log4j@1.2.17"
  ],
  "dry_run": false
}

Core endpoints. One workflow.

Authenticate with a scoped service key. Submit your SBOM or PURLs, get enriched findings, then run AI triage — idempotency keys make every call retry-safe out of the box.
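The following is an added example of a CI-side client for the /v1/scan-purls request shown above; it is not code from the CRAcheck project. It derives the Idempotency-Key from the request content so a re-run pipeline job replays the same key, and retries only on 503 (the status the page documents for an unreachable intel source). Assumptions: the API accepts an arbitrary opaque string as the key, and the response body is JSON (its schema is not documented on this page).

```python
import hashlib
import json
import time
import urllib.error
import urllib.request

API_BASE = "https://api.cracheck.io/v1"   # base URL from the page
RETRYABLE = {503}                         # page: 503 = intel source unreachable, never stale data


def idempotency_key(purls, dry_run=False):
    """Derive the Idempotency-Key from the canonical request content.
    Assumption: any opaque string is accepted. A retried CI job with the same
    PURL set reuses the key, so the replay cannot create a second billing event."""
    canonical = json.dumps({"purls": sorted(set(purls)), "dry_run": dry_run},
                           sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()[:32]


def build_scan_request(api_key, purls, dry_run=False):
    """Return (url, headers, body) for POST /v1/scan-purls as shown on the page."""
    body = {"purls": sorted(set(purls)), "dry_run": dry_run}
    headers = {
        "Authorization": f"Bearer {api_key}",
        "Content-Type": "application/json",
        "Idempotency-Key": idempotency_key(purls, dry_run),
    }
    return f"{API_BASE}/scan-purls", headers, json.dumps(body).encode()


def should_retry(status, attempt, max_attempts=4):
    """Only 503 is retried: it means OSV/EPSS/KEV could not be reached and the
    same request can be replayed safely. 4xx (bad key, bad PURL) is surfaced."""
    return status in RETRYABLE and attempt < max_attempts


def scan_purls(api_key, purls, dry_run=False, max_attempts=4):
    """POST the PURL list, reusing one Idempotency-Key across every retry."""
    url, headers, body = build_scan_request(api_key, purls, dry_run)
    for attempt in range(1, max_attempts + 1):
        req = urllib.request.Request(url, data=body, headers=headers, method="POST")
        try:
            with urllib.request.urlopen(req, timeout=60) as resp:
                return json.load(resp)
        except urllib.error.HTTPError as exc:
            if not should_retry(exc.code, attempt, max_attempts):
                raise
            time.sleep(2 ** attempt)   # back off while the upstream feed recovers
```

Call scan_purls with a scoped key and the PURL list from your build; a 401 or 4xx is raised immediately, while transient 503s are retried without a new key.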

Pricing

Tailored to your compliance volume.

From individual assessments to enterprise-scale SBOM pipelines — we'll build a plan that fits your scanning volume, SLA requirements, and integration needs.

Early access

Know before the deadline.
Not after the fine.

The EU CRA reporting obligations are live. Join 60+ security teams already on the waitlist and get your API key the same day.

No spam. API key within 24h. Privacy policy.

Need full CRA compliance management?

The CRAcheck API is part of the expert-cra.eu compliance platform — CE marking, automated ENISA reporting, SBOM lifecycle management, and expert gap analysis.
