SCANOSS is partnering with Codelab, a specialist in embedded software engineering and cybersecurity, to help organisations in the DACH region build audit-ready, CRA-compliant development pipelines.

With more than 20 years of experience in embedded systems and automotive software, Codelab supports organisations in building secure, compliant development environments. The partnership positions SCANOSS as a data layer within Codelab's CRA Secure Pipeline, a solution designed to operationalise CRA requirements across the software lifecycle.

The EU Cyber Resilience Act (CRA) introduces clear obligations for manufacturers and software providers, including the need to maintain accurate software inventories, demonstrate control over third-party components, and address vulnerabilities throughout the product lifecycle. For organisations working with embedded systems, these requirements are particularly complex due to long product lifecycles, limited visibility into legacy code, and extensive use of third-party components.

Codelab's CRA Secure Pipeline brings together established DevSecOps tools such as GitLab and SonarQube with SCANOSS data, enabling continuous analysis of source code as part of the development workflow. Through this integration, organisations can identify open source components, detect licence obligations, and gain visibility into cryptographic implementations directly at the code level.

This level of visibility supports key CRA requirements, including the creation and maintenance of Software Bills of Materials (SBOMs), as well as the emerging need for more detailed cryptographic inventories. By surfacing the encryption algorithms in use, SCANOSS data enables organisations to move towards Cryptography Bills of Materials (CBOMs), an increasingly relevant capability as regulatory and post-quantum considerations evolve.

"Codelab's CRA Secure Pipeline is exactly the kind of integrated, workflow-level approach that SCANOSS is built to sit inside. Their customers in the DACH region are dealing with real CRA pressure across automotive and industrial product lines, and they need software transparency that's continuous and auditable — not a one-off scan. We're glad to be part of that solution."

Charles Facey, Partner Sales Manager, SCANOSS


"Codelab customers need more than a one-off SBOM scan – they need continuous, auditable visibility into what actually goes into their code. By embedding SCANOSS as the open source and cryptography data layer inside our CRA Secure Pipeline, development teams can automatically identify OSS components, understand license obligations and build both SBOM and emerging CBOM artifacts directly from their GitLab workflows. This makes it much easier for embedded and automotive manufacturers to operationalise CRA requirements without redesigning their entire toolchain."

Sławomir Kukurenda, Solution Manager, Codelab

Codelab's approach combines process, tooling, and regulatory expertise, while SCANOSS provides the underlying data needed to understand open source usage and cryptographic exposure. For DACH-region customers, Codelab delivers local-language enablement, first-line support, and deep implementation expertise across embedded and automotive environments.

SCANOSS provides deep visibility into the software supply chain, powered by the SCANOSS KB, to help organisations detect undeclared open source. SCANOSS is designed to integrate into existing developer and DevSecOps workflows, making software transparency part of everyday engineering practice.

For more information about the CRA Secure Pipeline: https://lp.Codelab.eu/cra-pipeline

For more information about the CRA in general: https://codelab.eu/CRA