Product overview
CRA Ledger connects SBOM intake, vulnerability review, remediation tracking, audit history, and readiness reporting across product versions.
CRA Ledger Operations Console
Real product view
Live product dashboard example — portfolio evidence, SLA pressure, and review progress.
Product capabilities
A structured operating layer for product-version evidence, SBOM intake, vulnerability review, remediation work, and retained activity history.
Connect SBOMs, findings, and evidence to product/version context for retained release history.
Attach supporting files or external references to vulnerability review decisions.
Record review status, justification, details, and reviewer context for vulnerability decisions.
Retain owner, reviewer, and timestamp context across review and evidence activity.
Upload SBOM files through the product workflow or authenticated intake endpoints.
Detect and parse supported CycloneDX and SPDX formats for review.
Turn component data into structured, searchable component records.
Retain uploaded source artifacts with source metadata and SHA-256 hash records.
Keep filenames, upload metadata, and content hashes tied to retained evidence.
Review CVE findings against normalized component inventories.
Track severity, review status, and ownership across vulnerability findings.
Surface overdue and time-sensitive vulnerability review pressure based on severity timelines.
Capture remediation status, notes, resolved dates, and supporting evidence references.
Preserve review records, evidence attachments, report history, and ingestion activity.
Track tenant-scoped operational and review activity for later inspection.
Prepare product-security summaries and reports for readiness conversations.
Download available reports and evidence summaries without claiming legal certification.
Notification delivery is available where configured; alert coverage is still expanding.
Programmatic SBOM intake exists for authenticated workflows, not a broad public API program.
Webhook subscriptions support intake events; broader integration coverage is still maturing.
Dispatch finding status alerts directly to engineering channels.
Sync findings from external scanners and registries.
Keep workspace data, reports, and audit history scoped to the tenant context.
Assign Auditor, Engineer, or Admin roles to enforce least privilege access.
Provide system administrators with audit records of configuration changes.
Provide a public contact path for responsible security reports.
Workflow outcomes
Keep product security work connected from intake to release-ready evidence.
SBOMs, findings, decisions, and remediation history stay tied to a product release.
CVEs, ownership, SLA pressure, and review decisions stay visible in one workflow.
Original uploads, decisions, timestamps, and evidence history are preserved for CRA readiness.
Process flow
A systematic pipeline designed to turn raw engineering artifacts into retained product-security evidence records.
Register a software product and define its release version.
Upload CycloneDX or SPDX files to index the component inventory.
Automatically parse and map component coordinates for structured review.
Triage CVEs with severity details, review state, and decisions.
Monitor SLA pressure, remediation status, and review updates.
Retain the upload artifacts, decisions, and reviewer timestamps.
Prepare evidence summaries and reports for release-readiness reviews.
Deliverables
CRA Ledger helps teams keep SBOMs, vulnerability decisions, remediation context, timestamps, reviewer context, and audit activity connected to the product version they belong to.
Retain raw CycloneDX and SPDX files with source metadata and SHA-256 hash records.
Vulnerability decisions can document rationale, reviewer context, status, and timestamps.
SLA state, finding status, and remediation notes stay connected to affected components.
Historical logs track re-analysis runs, imports, and user modifications.
Summaries and reports help teams discuss readiness without claiming legal certification.
Product status
CRA Ledger separates current evidence-workflow capabilities from roadmap ideas so teams can evaluate the product without roadmap ambiguity.
Current workflow areas presented as active CRA Ledger product capabilities.
Capabilities that exist in limited form today or depend on configuration and workflow coverage.
Future product directions, shown separately so buyers can distinguish what exists from what is coming next.
Trust and scope
CRA Ledger helps organize product security evidence and CRA readiness workflows. It does not provide legal certification, notified body approval, or a guarantee of compliance.
Next step
Join early access or book a focused walkthrough of the SBOM-to-evidence workflow.