12 analyses · 1 verdict

What we analyze, engine by engine

A single upload runs twelve independent analyses: inventory, quality, conformance, multi-engine vulnerabilities and exploit prioritization. Here is exactly what each one does.

Built for embedded

Generate the SBOM, then scan it

Zephyr and Yocto already emit SPDX SBOMs at build time. Produce them in your build, then drop them here for all twelve analyses.

Zephyr RTOS

west generates SPDX 2.3 from your build. Enable CONFIG_BUILD_OUTPUT_META:

west spdx --init -d build
# set CONFIG_BUILD_OUTPUT_META=y
west build -d build
west spdx -d build
# → build/spdx/app.spdx, zephyr.spdx,
#   build.spdx, modules-deps.spdx

Yocto / OpenEmbedded

The create-spdx class is inherited by default (INHERIT_DISTRO). Building an image emits an SPDX JSON:

bitbake core-image-minimal
# → tmp/deploy/images/MACHINE/
#   IMAGE-MACHINE.spdx.json
# meta-timesys / sbom-cve-check add
# CVE feeds to the Yocto flow

CRA readiness

Facts, not promises

The Cyber Resilience Act references the SBOM in Annex I, Part II, point (1), and Article 14 requires reporting of actively exploited vulnerabilities: early warning within 24h, notification within 72h, final report within 14 days of a fix (applies from 11 September 2026). This tool documents your gaps and prioritizes CVEs - it makes no certification claims.

Read the full CRA and SBOM evidence guide

Verified sources: docs.zephyrproject.org · docs.yoctoproject.org · digital-strategy.ec.europa.eu/en/policies/cra-reporting

Keep your scans and results

Create a free account to save your scan history and results across devices, re-open and rescan any SBOM, and use our API to scan from CI and pull results programmatically.