CRA compliance shouldn't be complicated.
Verimu scans your dependencies, generates CRA-compliant SBOMs, and alerts you instantly when a vulnerability is discovered. One install. Zero training.
Mandatory vulnerability reporting begins on September 11, 2026. Penalties up to €15M or 2.5% of global turnover.
Made by medtech engineers who've been through CRA compliance.
We built Verimu because we needed it ourselves. Our team has hands-on experience implementing CRA and IEC 62443 requirements in regulated European industries. We know the pain of generating SBOMs, tracking vulnerabilities, and producing audit-ready documentation — so we automated it.
```
✓ Scanned 847 dependencies
✓ SBOM generated (CycloneDX 1.7)
✓ Cross-referenced NVD, EUVD, CISA KEV
⚠ 2 vulnerabilities found:
  CVE-2026-1234  lodash@4.17.20   HIGH
  CVE-2026-5678  express@4.18.1   MEDIUM
→ Alert sent to: cto@acme.eu, security@acme.eu
→ CRA report: verimu.com/reports/acme-2026-02
→ Next review deadline: 72h (Feb 10, 2026)
```
Enterprise tools charge thousands per month.
They still don't solve CRA compliance.
Most SCA tools were built for American security teams, not European compliance officers. Verimu was built specifically for the EU Cyber Resilience Act.
| Feature | Verimu (from €49/mo) | Enterprise SCA (€2,000–5,000+/mo) |
|---|---|---|
| CRA-specific compliance reports | | |
| SBOM generation (CycloneDX) | | |
| CVE alerting | | |
| 24h→72h→14d CRA notification workflow | | |
| EUVD (EU Vulnerability Database) | | |
| CRA conformity score per project | | |
| Setup in under 5 minutes | | |
| No security training required | | |
| EU-hosted infrastructure | | |
| Price includes all features | | |
Need an SBOM right now?
Paste your package.json and generate a CRA-compliant CycloneDX 1.7 SBOM instantly in your browser. No install needed.
Three steps. Zero confusion.
No training required. Your engineering team adds one line — Verimu handles the rest.
Step 1 — Add the GitLab CI Job
Add the Verimu stage to your .gitlab-ci.yml. Connects to your project with read-only access.
Step 2 — Set Alert Contacts
Define who gets notified when a CVE affects your dependencies. Assign by project, severity, or team.
Step 3 — You're CRA Compliant
SBOMs are generated automatically on every commit. CVE alerts fire in real time. Download compliance reports anytime.
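```yaml
verimu-compliance:
  image: node:20
  stage: test
  variables:
    # Keep the key in a masked CI/CD variable in the project settings,
    # never committed to the repository.
    VERIMU_API_KEY: $VERIMU_API_KEY
  script:
    - npx verimu scan --fail-on HIGH
  artifacts:
    paths:
      # SBOM file kept as a job artifact
      - sbom.cdx.json
# That's it. SBOM generated. CVEs checked. Alerts sent.
```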
Want to see the SBOM output before you install anything?
Try It Now — Generate an SBOM in Your Browser
No install, no signup. Runs entirely in your browser.
Verimu supports NuGet (C#/.NET), Maven (Java), Cargo (Rust), go.mod (Go), npm (Node.js), pip (Python), Composer (PHP), and Bundler (Ruby) — across GitHub, GitLab, and Bitbucket. Need another package manager? Let us know.
Compliance shouldn't break the bank.
Start free. Upgrade when you're ready. No lock-in, no surprises.
Free
Try Verimu on a single repo. No credit card required.
- 1 repository
- Basic CVE scanning
- SBOM export (CycloneDX)
- Weekly email digest
- Community support
Starter
For small teams getting CRA-ready.
- Up to 5 repositories
- Real-time CVE alerts
- SBOM per commit (CycloneDX & SPDX)
- Up to 5 alert contacts
- CRA compliance dashboard
- Slack & Teams integration
- Email support (48h)
Professional
Full CRA compliance for growing companies.
- Up to 25 repositories
- Real-time CVE alerts + CISA KEV
- SBOM per commit (all formats)
- Unlimited alert contacts
- CRA conformity reports (PDF)
- 24h → 72h → 14d notification workflow
- EUVD integration
- Priority support (24h)
- Audit log
Start your CRA compliance today.
Get early access to Verimu. We'll have you compliant in under 5 minutes.