Metadata-Version: 2.4
Name: cra-scanner
Version: 0.1.0
Summary: Open-source CRA Readiness Scanner CLI for assessing EU Cyber Resilience Act readiness from SBOMs and project signals.
Author-email: CyberCert <info@cybercert.example>
License: MIT
Requires-Python: >=3.9
Description-Content-Type: text/markdown
Requires-Dist: click>=8.1
Requires-Dist: rich>=13.0
Requires-Dist: cyclonedx-python-lib>=7.6
Requires-Dist: spdx-tools>=0.8

# CRA Readiness Scanner (MVP)

The CRA Readiness Scanner is an open-source CLI tool that helps engineering teams quickly assess their readiness for the EU Cyber Resilience Act (CRA) from a single SBOM or project directory.

It focuses on three things:

- SBOM presence and basic quality
- Basic vulnerability exposure (stubbed for MVP)
- Signals of good vulnerability-handling practices

## Installation

Once published to PyPI:

```bash
pip install cra-scanner
```

For local development from this repository:

```bash
cd cli
pip install -e .
cra-scanner --help
```

## Quick start

Scan a project directory (auto-discover SBOMs and signals):

```bash
cra-scanner scan .
```

Scan using an explicit SBOM and emit JSON to a file:

```bash
cra-scanner scan . --sbom path/to/bom.json --format json --output report.json
```

## What the CRA Readiness Score means

The scanner returns a score from 0–100 based on:

- **SBOM (40 pts)** – existence, coverage, presence of versions.
- **Vulnerabilities (30 pts)** – placeholder in MVP.
- **Practices (30 pts)** – presence of `SECURITY.md`, Dependabot, and basic documentation signals.

The score is a directional indicator, not legal advice. It is intended to highlight gaps and next steps, not certify compliance.
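To make the weighting above concrete, here is a small added illustration of how such a score could be assembled from an SBOM and project signals. It is not the cra-scanner implementation: the point splits inside each bucket, the constructed SBOM, the declared-dependency list and the file listing are all assumptions made for this example.

```python
import json
from typing import Dict, Iterable, Optional

# Constructed CycloneDX-style SBOM (not from the project); one component lacks a version.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "click", "version": "8.1.7"},
        {"type": "library", "name": "rich", "version": "13.7.1"},
        {"type": "library", "name": "cyclonedx-python-lib"},  # version missing
    ],
})
# Constructed project signals a directory walk might yield (hypothetical values).
SAMPLE_DECLARED = ["click", "rich", "spdx-tools"]  # e.g. parsed from pyproject/requirements
SAMPLE_FILES = ["README.md", "SECURITY.md", ".github/dependabot.yml", "src/app.py"]

def sbom_score(sbom_json: Optional[str], declared: Iterable[str]) -> int:
    """0-40: 10 for existence, up to 20 for coverage of declared deps, up to 10 for versions."""
    if not sbom_json:
        return 0
    comps = json.loads(sbom_json).get("components", [])
    names = {c.get("name") for c in comps}
    declared = list(declared)
    covered = sum(1 for d in declared if d in names) / len(declared) if declared else 1.0
    versioned = sum(1 for c in comps if c.get("version")) / len(comps) if comps else 0.0
    return 10 + round(20 * covered) + round(10 * versioned)

def vulnerability_score() -> int:
    """0-30: placeholder, as in the MVP; this example consults no vulnerability source (assumption: 0)."""
    return 0

def practices_score(files: Iterable[str]) -> int:
    """0-30: SECURITY.md (15), Dependabot config (10), README (5); weights are assumptions."""
    paths = [f.replace("\\", "/") for f in files]
    score = 0
    if any(p.split("/")[-1].upper() == "SECURITY.MD" for p in paths):
        score += 15
    if any(p.endswith((".github/dependabot.yml", ".github/dependabot.yaml")) for p in paths):
        score += 10
    if any(p.split("/")[-1].upper().startswith("README") for p in paths):
        score += 5
    return score

def readiness_score(sbom_json: Optional[str], declared: Iterable[str], files: Iterable[str]) -> Dict[str, int]:
    """Combine the three buckets into the 0-100 readiness breakdown."""
    parts = {"sbom": sbom_score(sbom_json, declared),
             "vulnerabilities": vulnerability_score(),
             "practices": practices_score(files)}
    parts["total"] = sum(parts.values())
    return parts
```

With the constructed inputs the SBOM bucket scores 30 (one declared dependency missing, one component unversioned), practices scores the full 30, and the stubbed vulnerability bucket contributes 0, for a total of 60.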

