Getting started with Verimu
From zero to CRA-compliant in 5 minutes. Install the CLI, connect your account, add it to your pipeline — done.
Install the CLI
Verimu ships as a single npm package. You can run it instantly with npx — no installation required:
```bash
npx verimu
```
Or install it globally if you prefer:
```bash
npm install -g verimu
```
Requires Node.js 20+. Ships with full TypeScript types. Dual ESM/CJS — works with both import and require.
Run your first scan
Navigate to any project that has a lockfile and run verimu. It auto-detects your ecosystem, parses the lockfile, generates a CycloneDX SBOM, and checks all dependencies for known CVEs:
```bash
cd your-project
npx verimu
```
You'll see output like this:
```text
╦ ╦┌─┐┬─┐┬┌┬┐┬ ┬
╚╗╔╝├┤ ├┬┘│││││ │
 ╚╝ └─┘┴└─┴┴ ┴└─┘
CRA Compliance Scanner vX.Y.Z

Scanning /home/user/my-app...
No VERIMU_API_KEY set — running in offline mode
Get your API key at https://app.verimu.com/dashboard/api-keys

┌─────────────────────────────────────────────┐
│          VERIMU CRA COMPLIANCE SCAN         │
└─────────────────────────────────────────────┘

Project:      /home/user/my-app
Ecosystem:    npm
Dependencies: 247
Scanned at:   2026-02-13T10:30:00.000Z

✓ SBOM generated (cyclonedx-json, 1.7)
  Components: 247

⚠ 3 vulnerabilities found:

  [CRIT] CVE-2024-4068  braces@3.0.2            → fix: 3.0.3
         Uncontrolled resource consumption
  [HIGH] CVE-2024-28849 follow-redirects@1.15.4 → fix: 1.15.6
         Sensitive data exposure via Authorization header
  [MED]  CVE-2024-29041 express@4.18.2          → fix: 4.19.2
         Open redirect via URL parsing

Sources queried: osv (420ms)

─── Summary ───
Total: 3 | Critical: 1 | High: 1 | Medium: 1 | Low: 0

Thanks for using Verimu — keeping your software CRA-compliant 🛡️
```
Verimu writes the SBOM to ./sbom.cdx.json by default. This is your CRA-compliant software bill of materials — a machine-readable inventory of every dependency in your project, ready for regulatory audits.
Create your Verimu account
To unlock continuous monitoring, automated vulnerability alerts, and CRA reporting workflows, create a free account on the Verimu platform:
Create your account on app.verimu.com. When you register, Verimu automatically generates a Default API key for you. You'll see it once — copy it immediately and store it securely (e.g., in your CI/CD secrets).
Your API key is shown only once. If you lose it, you can always generate a new one from the Developers page in your dashboard.
All data is stored on EU infrastructure. Verimu is built and hosted in Europe for companies that need data residency compliance.
Connect your API key
Set the VERIMU_API_KEY environment variable and run the scan again. Verimu will automatically create your project on the platform and upload the results:
```bash
export VERIMU_API_KEY=vmu_your_key_here
npx verimu
```
With an API key, you'll see the upload step in the output:
```text
API key detected — results will sync to Verimu platform

...scan output...

Syncing to Verimu platform...
✓ Project created: my-app
✓ 247 dependencies tracked
⚠ 3 vulnerable dependencies flagged
✓ Dashboard: https://app.verimu.com/dashboard/projects/abc123
```
Projects are created automatically on first scan — you never need to set anything up in the dashboard manually. On subsequent runs, Verimu updates the existing project with the latest SBOM and dependency data.
Add to your CI/CD pipeline
This is where Verimu becomes your automated compliance engine. Add a single step to your CI pipeline so every push is scanned, SBOMs are kept up to date, and your team is alerted the moment a new CVE affects your dependencies.
Select your platform and ecosystem to get a ready-to-use config file:
```yaml
name: Verimu CRA Scan
on:
  push:
    branches: [main]
  pull_request:
jobs:
  verimu:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: "20"
      - name: Run Verimu scan
        env:
          VERIMU_API_KEY: ${{ secrets.VERIMU_API_KEY }}
        run: |
          # Ensure package-lock.json is committed.
          npx verimu scan --fail-on HIGH
```
Don't forget to add your secret. Add VERIMU_API_KEY as a CI/CD secret or environment variable in your provider's settings. Never commit API keys to source control.
CI gating is optional. Use --fail-on HIGH to fail your pipeline when vulnerabilities at HIGH or CRITICAL severity are found. Remove it to scan without blocking.
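The gate behind --fail-on, written out as an added example (this is not Verimu's own shouldFailCi or CLI code) so a custom integration can apply the same threshold to a vulnerability list it fetched itself, for instance from /api/projects/:id/vulnerabilities. The sample findings are constructed from the scan output above, and treating UNKNOWN as never blocking is this example's assumption.

```javascript
// Added example (not Verimu's own shouldFailCi/--fail-on code): the severity gate applied to
// a vulnerability list, e.g. one fetched from /api/projects/:id/vulnerabilities.

// Severity values from the Severity type on this page; lower rank = more severe.
const SEVERITY_RANK = { CRITICAL: 0, HIGH: 1, MEDIUM: 2, LOW: 3, UNKNOWN: 4 };

// Constructed sample mirroring the three findings in the scan output above, plus one entry
// with a placeholder id whose severity the data source did not provide.
const SAMPLE_VULNS = [
  { id: 'CVE-2024-4068', pkg: 'braces', version: '3.0.2', fix: '3.0.3', severity: 'CRITICAL' },
  { id: 'CVE-2024-28849', pkg: 'follow-redirects', version: '1.15.4', fix: '1.15.6', severity: 'HIGH' },
  { id: 'CVE-2024-29041', pkg: 'express', version: '4.18.2', fix: '4.19.2', severity: 'MEDIUM' },
  { id: 'PLACEHOLDER-ID', pkg: 'example-pkg', version: '0.0.0', fix: null, severity: 'UNKNOWN' },
];

// Findings at or above `threshold` (the set `--fail-on <severity>` blocks on), most severe first.
// Thresholds are limited to CRITICAL..LOW, so UNKNOWN never trips the gate (assumption; Verimu's
// own handling may differ), and a severity string outside the table is treated as UNKNOWN.
function vulnerabilitiesAtOrAbove(vulns, threshold) {
  const limit = SEVERITY_RANK[threshold];
  if (limit === undefined || threshold === 'UNKNOWN') {
    throw new Error(`--fail-on expects CRITICAL, HIGH, MEDIUM or LOW, got ${String(threshold)}`);
  }
  const rank = (v) => SEVERITY_RANK[v.severity] ?? SEVERITY_RANK.UNKNOWN;
  return vulns
    .filter((v) => rank(v) <= limit)
    .sort((a, b) => rank(a) - rank(b));
}

// Process exit code for CI: 1 when the gate trips, 0 otherwise.
function ciExitCode(vulns, threshold) {
  return vulnerabilitiesAtOrAbove(vulns, threshold).length > 0 ? 1 : 0;
}

// Per-severity counts in the order of the CLI's "Summary" line.
function summarize(vulns) {
  const counts = { CRITICAL: 0, HIGH: 0, MEDIUM: 0, LOW: 0, UNKNOWN: 0 };
  for (const v of vulns) counts[v.severity in counts ? v.severity : 'UNKNOWN'] += 1;
  return counts;
}

// Stand-alone run: prints what a `--fail-on HIGH` gate would block on.
const blocking = vulnerabilitiesAtOrAbove(SAMPLE_VULNS, 'HIGH');
for (const v of blocking) console.log(`[${v.severity}] ${v.id} ${v.pkg}@${v.version} -> fix: ${v.fix}`);
console.log('summary', summarize(SAMPLE_VULNS), 'exit code', ciExitCode(SAMPLE_VULNS, 'HIGH'));
```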
Monitor from your dashboard
Once your pipeline is running, everything flows into your Verimu dashboard at app.verimu.com. For each project you can see:
Vulnerabilities
Every CVE affecting your dependencies, sorted by severity, with fix versions when available.
Dependencies
Full list of direct and transitive dependencies tracked across scans.
SBOM Archive
Download your latest CycloneDX SBOM for compliance audits and regulatory reporting.
Contact Alerts
Configure team contacts to be notified when new vulnerabilities above a severity threshold are found.
Your compliance pipeline is now fully automated. Every commit is scanned, SBOMs are generated, and your team is alerted the moment a new CVE appears.
CLI Reference
Commands
| Command | Description |
|---|---|
| verimu | Scan current directory (default command) |
| verimu scan | Full scan — SBOM generation + CVE check |
| verimu generate-sbom | Generate SBOM only, skip CVE checking |
| verimu help | Show help and usage examples |
| verimu version | Print version number |
Flags
| Flag | Description |
|---|---|
| --path, -p <dir> | Project directory to scan (default: current directory) |
| --output, -o <file> | SBOM output path (default: ./sbom.cdx.json) |
| --fail-on <severity> | Exit code 1 if vulnerabilities at or above: CRITICAL, HIGH, MEDIUM, LOW |
| --skip-cve | Skip CVE vulnerability checking (generate SBOM only) |
| --skip-upload | Don't sync results to the Verimu platform, even if API key is set |
Environment Variables
| Variable | Description |
|---|---|
| VERIMU_API_KEY | Your API key from app.verimu.com. Enables automatic upload of scan results to the dashboard. |
| VERIMU_API_URL | Custom API endpoint. Only needed if you're running a self-hosted backend (default: https://api.verimu.com). |
Examples
```bash
# Quick scan in current directory
npx verimu

# Scan with API key — results sync to dashboard
VERIMU_API_KEY=vmu_xxx npx verimu

# Scan a specific directory
npx verimu scan --path ./backend

# Fail CI on HIGH or CRITICAL vulnerabilities
npx verimu scan --fail-on HIGH

# Generate SBOM only (no CVE check, no upload)
npx verimu generate-sbom --output ./reports/sbom.cdx.json

# Scan but don't upload to platform
npx verimu scan --skip-upload
```
Supported Ecosystems
Verimu auto-detects your ecosystem by looking for these lockfiles in your project root. No configuration needed.
| Ecosystem | Language | Lockfile |
|---|---|---|
| npm | Node.js / JavaScript | package-lock.json |
| pip | Python | requirements.txt / Pipfile.lock |
| Maven | Java | pom.xml |
| NuGet | C# / .NET | packages.lock.json |
| Cargo | Rust | Cargo.lock |
| Go Modules | Go | go.sum |
| Composer | PHP | composer.lock |
| Bundler | Ruby | Gemfile.lock |
Composer support is available via composer.lock.
API Reference
For custom integrations beyond the CLI, you can use the REST API directly. Authenticate with the X-API-Key header.
Canonical endpoint and schema reference: openapi.yaml.
/api/projects/upsert
Find an existing project by name or create a new one. Returns the project and whether it was created.
```bash
curl -X POST https://api.verimu.com/api/projects/upsert \
  -H "X-API-Key: vmu_your_key" \
  -H "Content-Type: application/json" \
  -d '{"name": "my-app", "ecosystem": "npm"}'
```
/api/projects/:id/scan
Upload a CycloneDX SBOM to a project. Verimu parses the components, stores them as dependencies, and runs CVE checks against all configured vulnerability databases.
```bash
curl -X POST https://api.verimu.com/api/projects/PROJECT_ID/scan \
  -H "X-API-Key: vmu_your_key" \
  -H "Content-Type: application/json" \
  -d @sbom.cdx.json
```
/api/projects/:id/vulnerabilities
Retrieve known vulnerabilities for a project, including CVE ID, severity, and description.
```bash
curl https://api.verimu.com/api/projects/PROJECT_ID/vulnerabilities \
  -H "X-API-Key: vmu_your_key"
```
/api/projects/:id/dependencies
List all tracked dependencies for a project, including name, version, PURL, and ecosystem.
```bash
curl https://api.verimu.com/api/projects/PROJECT_ID/dependencies \
  -H "X-API-Key: vmu_your_key"
```
Programmatic Usage
Import Verimu as a library for full control over scanning, SBOM generation, and CI gating.
scan()
Full pipeline
```javascript
import { scan, printReport, shouldFailCi } from 'verimu';

const report = await scan({
  projectPath: '.',
  sbomOutput: './sbom.cdx.json',
  apiKey: process.env.VERIMU_API_KEY, // optional: enables upload
});

printReport(report);

// Gate CI on severity
if (shouldFailCi(report, 'HIGH')) {
  process.exit(1);
}
```
generateSbom()
Pure function, no side effects
```javascript
import { generateSbom } from 'verimu';

const result = generateSbom({
  projectName: 'my-app',
  projectVersion: '1.0.0',
  dependencies: [
    { name: 'express', version: '4.18.2', ecosystem: 'npm' },
    { name: 'helmet', version: '7.1.0', ecosystem: 'npm' },
  ],
});

// result.content → CycloneDX JSON string
// result.sbom → parsed JavaScript object
// result.componentCount → 2
```
Works in Node.js, Deno, Bun, and browsers. No filesystem or network access required.
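As an added example (not the library's code), here is how a consumer can read the CycloneDX document that generateSbom() produces, or that the /api/projects/:id/scan endpoint accepts, back into the dependency fields the dashboard lists (name, version, PURL, ecosystem). The sample SBOM is constructed, and the purl-type-to-ecosystem mapping is an assumption of this example.

```javascript
// Added example, not Verimu's own code: turns a CycloneDX JSON document (what generateSbom()
// returns in result.content and what /api/projects/:id/scan accepts) into the dependency shape.

// purl type -> Verimu Ecosystem value (purl-spec type names; the mapping is an assumption).
const PURL_TYPE_TO_ECOSYSTEM = {
  npm: 'npm', pypi: 'pip', maven: 'maven', nuget: 'nuget',
  cargo: 'cargo', golang: 'go', gem: 'ruby', composer: 'composer',
};

// Constructed sample (cyclonedx-json 1.7, as in the CLI output): one component without a
// purl, one scoped name, one non-npm purl and one exact duplicate, to exercise each path.
const SAMPLE_SBOM = JSON.stringify({
  bomFormat: 'CycloneDX',
  specVersion: '1.7',
  components: [
    { type: 'library', name: 'express', version: '4.18.2', purl: 'pkg:npm/express@4.18.2' },
    { type: 'library', name: 'helmet', version: '7.1.0' },
    { type: 'library', group: '@types', name: 'node', version: '20.11.0', purl: 'pkg:npm/%40types/node@20.11.0' },
    { type: 'library', name: 'requests', version: '2.31.0', purl: 'pkg:pypi/requests@2.31.0' },
    { type: 'library', name: 'express', version: '4.18.2', purl: 'pkg:npm/express@4.18.2' },
  ],
});

// Parses "pkg:<type>/[<namespace>/]<name>@<version>"; qualifiers (?...) and subpath (#...) are dropped.
function parsePurl(purl) {
  const m = /^pkg:([a-z0-9.+-]+)\/(.+?)(?:@([^?#]+))?(?:[?#].*)?$/i.exec(purl);
  if (!m) return null;
  const name = m[2].split('/').map(decodeURIComponent).join('/');
  return { type: m[1].toLowerCase(), name, version: m[3] ? decodeURIComponent(m[3]) : undefined };
}

// Returns [{ name, version, purl, ecosystem }] with exact duplicates collapsed. Rejects anything
// that is not CycloneDX and any component without name/version, which could not be tracked.
function sbomToDependencies(json, fallbackEcosystem = 'npm') {
  const bom = JSON.parse(json);
  if (bom.bomFormat !== 'CycloneDX') throw new Error(`not a CycloneDX document: ${bom.bomFormat}`);
  const seen = new Set(), deps = [];
  for (const c of bom.components ?? []) {
    if (!c.name || !c.version) throw new Error(`component without name/version: ${JSON.stringify(c)}`);
    const name = c.group ? `${c.group}/${c.name}` : c.name;
    const parsed = c.purl ? parsePurl(c.purl) : null;
    const ecosystem = parsed ? (PURL_TYPE_TO_ECOSYSTEM[parsed.type] ?? parsed.type) : fallbackEcosystem;
    // Components without a purl get one built from the fallback ecosystem, percent-encoded per segment.
    const purl = c.purl ?? `pkg:${fallbackEcosystem}/${name.split('/').map(encodeURIComponent).join('/')}@${c.version}`;
    const key = `${ecosystem}:${name}@${c.version}`;
    if (seen.has(key)) continue;
    seen.add(key);
    deps.push({ name, version: c.version, purl, ecosystem });
  }
  return deps;
}
```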
TypeScript Types
```typescript
import type {
  VerimuConfig,       // scan() input
  VerimuReport,       // scan() output
  GenerateSbomInput,  // generateSbom() input
  GenerateSbomResult, // generateSbom() output
  Dependency,
  Vulnerability,
  Severity,           // 'CRITICAL' | 'HIGH' | 'MEDIUM' | 'LOW' | 'UNKNOWN'
  Ecosystem,          // 'npm' | 'pip' | 'maven' | 'nuget' | 'cargo' | 'go' | 'ruby' | 'composer'
} from 'verimu';
```
Need help with integration?
We offer free 30-minute onboarding calls to walk your team through setup, CI/CD integration, and CRA reporting workflows.