How Verimu works under the hood.
The technical details your engineering team needs. Dependency scanning, SBOM generation, CVE monitoring, and CRA reporting — explained.
Architecture
Verimu integrates with your CI/CD platform and triggers on push events. When your team pushes code, Verimu reads your project's dependency manifest, performs two operations in parallel, and reports back.
SBOM Generation
We use CycloneDX to generate a machine-readable Software Bill of Materials. The SBOM lists every dependency (direct and transitive) with its version, license, and provenance. The CRA's vulnerability handling requirements (Annex I, Part II) call for an SBOM in a commonly used, machine-readable format covering at least the product's top-level dependencies, so a full transitive inventory more than meets that minimum.
Current output format: CycloneDX 1.7 (JSON).
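As an added example (not Verimu's own generator), the following Node script builds the kind of CycloneDX document described above from an npm package-lock.json: one component per installed package with its purl and license, plus a dependencies graph from which the top-level dependency set is recoverable. The lockfile is constructed for the example, and the field layout follows the CycloneDX JSON schema (bomFormat, specVersion, metadata.component, components, dependencies); the specVersion string is the one this page states for Verimu's output.

```javascript
// Added example, not Verimu's code. Builds a minimal CycloneDX JSON SBOM from an
// npm package-lock.json (lockfileVersion 3). The lockfile below is constructed.
const LOCKFILE = {
  name: 'acme-app',
  version: '1.0.0',
  lockfileVersion: 3,
  packages: {
    '': { name: 'acme-app', version: '1.0.0', dependencies: { 'acme-parser': '^1.4.0' } },
    'node_modules/acme-parser': { version: '1.4.2', license: 'MIT', dependencies: { 'acme-logger': '^2.0.0' } },
    'node_modules/acme-logger': { version: '2.0.0', license: 'Apache-2.0', dependencies: { 'acme-util': '^0.1.0' } },
    // nested copy, as npm installs it when hoisting would conflict
    'node_modules/acme-logger/node_modules/acme-util': { version: '0.1.0', license: 'ISC' },
  },
};

// Package name is everything after the last "node_modules/" (keeps scopes like @acme/x).
function nameFromPath(path) {
  return path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
}

// Package URL for an npm package; a scope's "@" is percent-encoded per the purl spec.
function npmPurl(name, version) {
  return `pkg:npm/${name.replace(/^@/, '%40')}@${version}`;
}

// Resolve a dependency the way Node does: nearest node_modules first, then walk up.
function resolveDep(packages, fromPath, depName) {
  let base = fromPath;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${depName}` : `node_modules/${depName}`;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf('/node_modules/');
    base = idx === -1 ? '' : base.slice(0, idx);
  }
}

function buildSbom(lock) {
  const pkgs = lock.packages;
  const refOf = (path) =>
    npmPurl(path === '' ? pkgs[path].name : nameFromPath(path), pkgs[path].version);
  const components = [];
  const dependencies = [];
  for (const [path, entry] of Object.entries(pkgs)) {
    const ref = refOf(path);
    if (path !== '') {
      components.push({
        type: 'library',
        'bom-ref': ref,
        name: nameFromPath(path),
        version: entry.version,
        purl: ref,
        // lockfile license strings are normally SPDX ids; an expression such as
        // "MIT OR Apache-2.0" would instead go in { expression: ... }
        licenses: entry.license ? [{ license: { id: entry.license } }] : [],
      });
    }
    // one edge per declared dependency, resolved to the copy Node would actually load
    const dependsOn = Object.keys(entry.dependencies ?? {}).map((dep) => {
      const target = resolveDep(pkgs, path, dep);
      if (!target) throw new Error(`unresolved dependency ${dep} from ${path || 'root'}`);
      return refOf(target);
    });
    dependencies.push({ ref, dependsOn });
  }
  return {
    bomFormat: 'CycloneDX',
    specVersion: '1.7',
    version: 1,
    metadata: { component: { type: 'application', 'bom-ref': refOf(''), name: lock.name, version: lock.version } },
    components,
    dependencies,
  };
}

// Top-level dependencies (the CRA minimum) are the root component's direct edges.
function topLevelDependencies(sbom) {
  const root = sbom.metadata.component['bom-ref'];
  const edge = sbom.dependencies.find((d) => d.ref === root);
  return edge ? edge.dependsOn : [];
}

const generated = buildSbom(LOCKFILE);
console.log(JSON.stringify(generated, null, 2));
console.log('top-level:', topLevelDependencies(generated));
```

The root application lives in metadata.component rather than in components, which is how CycloneDX distinguishes the product from what it ships; because bom-ref is derived from the purl, two installed copies of the same name and version share one ref, which is correct since they are the same artifact.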
CVE Scanning
Every dependency is cross-referenced against multiple vulnerability databases. We query by package name and version and match against each advisory's affected version ranges, so the result reflects the exact versions resolved in your dependency tree rather than a name match alone.
Data sources: GitHub Advisory Database, NIST NVD, and CISA KEV (Known Exploited Vulnerabilities).
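As an added example (not Verimu's scanner), the following Node script does the cross-reference described above: it reads each component's purl out of a CycloneDX document, matches ecosystem and package name against advisory records, tests the installed version against each advisory's affected ranges in the introduced/fixed form used by OSV-style feeds such as the GitHub Advisory Database, and flags matches that also appear on the KEV list. The SBOM, advisories and KEV entries are constructed for the example with placeholder identifiers rather than real CVE or GHSA ids, and the semver comparison is deliberately small (major.minor.patch plus a prerelease tag; no ecosystem-specific version schemes).

```javascript
// Added example, not Verimu's code. Matches SBOM components against advisories
// by ecosystem + package + affected version range and flags KEV-listed hits.
// All data below is constructed; ids are placeholders, not real CVE/GHSA ids.

const SBOM = {
  bomFormat: 'CycloneDX', specVersion: '1.7', version: 1,
  components: [
    { 'bom-ref': 'pkg:npm/acme-parser@1.4.2', type: 'library', name: 'acme-parser', version: '1.4.2', purl: 'pkg:npm/acme-parser@1.4.2' },
    { 'bom-ref': 'pkg:npm/acme-logger@2.0.0', type: 'library', name: 'acme-logger', version: '2.0.0', purl: 'pkg:npm/acme-logger@2.0.0' },
    { 'bom-ref': 'pkg:npm/%40acme/crypto-utils@0.9.1', type: 'library', name: '@acme/crypto-utils', version: '0.9.1', purl: 'pkg:npm/%40acme/crypto-utils@0.9.1' },
  ],
};

// Advisory records in the shape OSV-style feeds use: ranges as introduced/fixed
// (half-open, fixed version is safe) or introduced/lastAffected (closed).
const ADVISORIES = [
  { id: 'ADV-EXAMPLE-1', ecosystem: 'npm', package: 'acme-parser', severity: 'HIGH', ranges: [{ introduced: '1.0.0', fixed: '1.4.3' }] },
  { id: 'ADV-EXAMPLE-2', ecosystem: 'npm', package: 'acme-logger', severity: 'MEDIUM', ranges: [{ introduced: '0', fixed: '2.0.0' }] },
  { id: 'ADV-EXAMPLE-3', ecosystem: 'npm', package: '@acme/crypto-utils', severity: 'CRITICAL', ranges: [{ introduced: '0', lastAffected: '0.9.5' }] },
  // same name on a different registry: must not match the npm package
  { id: 'ADV-EXAMPLE-4', ecosystem: 'pypi', package: 'acme-parser', severity: 'CRITICAL', ranges: [{ introduced: '0' }] },
];
const KEV_IDS = new Set(['ADV-EXAMPLE-1']); // constructed stand-in for the CISA KEV catalogue

// Minimal purl parser: type, optional namespace, name, version. Namespaces are
// percent-encoded in purls (pkg:npm/%40scope/name@1.0.0), so decode them.
function parsePurl(purl) {
  const m = /^pkg:([^/]+)\/(?:([^/@]+)\/)?([^/@]+)@([^?#]+)$/.exec(purl);
  if (!m) throw new Error(`unsupported purl: ${purl}`);
  const [, type, ns, name, version] = m;
  return { type, name: ns ? `${decodeURIComponent(ns)}/${name}` : name, version: decodeURIComponent(version) };
}

function parseVersion(v) {
  const s = v.replace(/^v/, '').split('+')[0]; // build metadata never affects ordering
  const dash = s.indexOf('-');
  const core = dash === -1 ? s : s.slice(0, dash);
  const pre = dash === -1 ? null : s.slice(dash + 1);
  const nums = core.split('.').map(Number);
  while (nums.length < 3) nums.push(0);
  return { nums, pre };
}

// Numeric compare on major.minor.patch; a prerelease sorts below its release.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

function inRange(version, range) {
  if (compareVersions(version, range.introduced) < 0) return false;
  if (range.fixed !== undefined) return compareVersions(version, range.fixed) < 0;
  if (range.lastAffected !== undefined) return compareVersions(version, range.lastAffected) <= 0;
  return true; // introduced with no upper bound: every later version is affected
}

const SEVERITY_RANK = { CRITICAL: 4, HIGH: 3, MEDIUM: 2, LOW: 1 };

function scanSbom(sbom, advisories, kevIds) {
  const findings = [];
  for (const component of sbom.components) {
    const pkg = parsePurl(component.purl);
    for (const adv of advisories) {
      // ecosystem comes from the purl type, so "acme-parser" on PyPI never matches npm
      if (adv.ecosystem !== pkg.type || adv.package !== pkg.name) continue;
      const hit = adv.ranges.find((r) => inRange(pkg.version, r));
      if (!hit) continue;
      findings.push({
        ref: component['bom-ref'], package: pkg.name, version: pkg.version,
        id: adv.id, severity: adv.severity, fixedIn: hit.fixed ?? null, kev: kevIds.has(adv.id),
      });
    }
  }
  // KEV hits first (they are the ones that can start a CRA reporting clock), then by severity
  return findings.sort((a, b) => (b.kev - a.kev) || (SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity]));
}

const report = scanSbom(SBOM, ADVISORIES, KEV_IDS);
console.log(JSON.stringify(report, null, 2));
```

Two details carry the security point: the fixed boundary is exclusive, so acme-logger 2.0.0 is correctly clean against an advisory fixed in 2.0.0, and the ecosystem check keeps a same-named package on another registry from producing a false positive. A finding with fixedIn null (the lastAffected case) is one where no fix version is known, which is what a practitioner wants highlighted rather than silently reported as unfixable.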
Data Flow
┌─────────────┐    push event    ┌──────────────┐
│  Your Repo  │ ───────────────→ │  Verimu API  │
│             │                  │              │
└─────────────┘                  └──────┬───────┘
                                        │
                         ┌──────────────┼──────────────┐
                         ▼              ▼              ▼
                   ┌────────────┐  ┌─────────┐ ┌───────────────┐
                   │ CycloneDX  │  │ GitHub  │ │ NVD/EUVD/CISA │
                   │ SBOM Gen   │  │ Advisory│ │     APIs      │
                   └─────┬──────┘  └────┬────┘ └───────┬───────┘
                         │              │              │
                         ▼              ▼              ▼
                   ┌───────────────────────────────────────────┐
                   │             Verimu Dashboard              │
                   │  • SBOM stored & versioned                │
                   │  • Dependencies and CVEs linked           │
                   │  • Email alerts sent to project contacts  │
                   └───────────────────────────────────────────┘

CRA Compliance Details
Vulnerability Handling (Annex I, Part II)
The CRA requires manufacturers to identify and document the vulnerabilities and components in their products, including all third-party components; the essential requirements are set out in Annex I, Part II, and Article 13 obliges manufacturers to meet them. Verimu's SBOM generation and CVE scanning address this directly by maintaining a living dependency inventory cross-referenced against vulnerability data.
24-Hour Reporting Window
Starting September 11, 2026, a manufacturer that becomes aware of an actively exploited vulnerability in its product, including one in a third-party dependency, must submit an early warning within 24 hours. Under Article 14 the notification goes to the CSIRT designated as coordinator and to ENISA through the single reporting platform, and the early warning is followed by a fuller vulnerability notification within 72 hours and a final report no later than 14 days after a corrective or mitigating measure is available. Verimu surfaces KEV-tracked vulnerabilities and can email project contacts when new issues are detected. Note that CISA KEV is a US catalogue and a strong signal, not the CRA's test: the clock starts when you become aware of active exploitation from any source, so treat a KEV alert as a prompt to begin triage rather than as the complete list of reportable issues.
Current Notification Scope
MVP notifications trigger when newly detected vulnerabilities meet each contact's severity threshold. Delivery is email plus optional per-project Slack webhooks. Timeline orchestration and formal CRA report generation are planned separately.
SBOM as Compliance Evidence
The CRA requires a software bill of materials in a commonly used, machine-readable format covering at least the top-level dependencies of the product (Annex I, Part II). Verimu generates a CycloneDX 1.7 JSON SBOM on each scan, so the evidence stays current with the code it describes, and the stored, versioned copies give you the history to show which inventory was in effect at a given point.
API Source Of Truth
Verimu publishes an OpenAPI contract in the backend repository so the website docs, CLI integration examples, and dashboard clients stay aligned with live endpoints.
Integration
The exact configuration depends on your CI/CD platform and package manager; the example below is GitLab CI syntax running the Verimu CLI through npx:
CI Configuration
verimu-compliance:
  image: node:20
  stage: test
  variables:
    VERIMU_API_KEY: $VERIMU_API_KEY
  script:
    - npx verimu scan --fail-on HIGH
  artifacts:
    paths:
      - sbom.cdx.json

The variables block re-exports the project-level CI/CD variable into the job; define VERIMU_API_KEY as a masked variable (and a protected one, if scans only run on protected branches) in the project's CI/CD settings so the key is not printed in job logs. The --fail-on HIGH option makes the job, and therefore the pipeline, fail on a HIGH or worse finding, and the artifacts block keeps the generated sbom.cdx.json with the pipeline run.

Supported CI/CD platforms
Supported package managers
Need another CI/CD framework or package manager? Let us know and we'll prioritize it.
REST API
For teams that want programmatic access to project data and scans, Verimu exposes a REST API today. Common endpoints:
Source of truth: openapi.yaml
POST /api/projects/upsert # create/find project
POST /api/projects/{id}/scan # upload CycloneDX SBOM + run scan
GET /api/projects/{id}/dependencies # resolved dependency inventory
GET /api/projects/{id}/vulnerabilities # project CVEs
GET /api/projects/{id}/contacts # notification contacts