ANNOUNCE: shipcheck - CRA compliance auditor for Yocto builds

ANNOUNCE: shipcheck - CRA compliance auditor for Yocto builds

[Javier Tia]

Hi all,

(Cross-posted to yocto@lists.yoctoproject.org and
openembedded-core@lists.openembedded.org.)

I just published shipcheck, an open-source CLI that reads a Yocto build
directory and drafts the paperwork required by the EU Cyber Resilience
Act (Regulation 2024/2847) - the Annex VII technical file, the
Declaration of Conformity, and an evidence report pivoted by CRA Annex
item.

The short version: CRA is a paperwork regulation, not a
scanner-selection problem. Yocto already emits most of the technical
evidence - SPDX SBOMs via create-spdx, CVE scans via cve-check or
Bootlin's sbom-cve-check, license.manifest files, signing-class config.
What's missing is a tool that walks those artefacts, maps them onto the
CRA Annex structure, and renders the drafts a compliance officer can
review.

shipcheck does that piece, with seven registered checks:

  sbom-generation    SPDX 2.x validation against BSI TR-03183-2
  cve-tracking       consumes cve-check, vex.bbclass, and
                     sbom-cve-check JSON (the last is preferred)
  yocto-cve-check    reads tmp/log/cve/cve-summary.json directly
  license-audit      per-arch license.manifest walker
  secure-boot        detects signing class configuration and flags
                     known test keys
  image-signing      detects FIT signatures and dm-verity config
  vuln-reporting     validates the vendor-commitment half of the
                     dossier from a separate product.yaml manifest

It is deliberately narrow: Apache-2.0 Python, no runtime probes, no
shell-outs, no network calls at scan time, and no LLM or AI inference
anywhere in the pipeline - shipcheck is fully deterministic. An
auditor can read the check code and confirm exactly what each check
inspects.

Pilot 0001 (poky Scarthgap, core-image-minimal) is committed at
pilots/0001-poky-scarthgap-min/REPORT.md with the full kas-container
bootstrap. A worked example driven from a product-vendor.yaml (every
field set to the placeholder "VENDOR") is committed at
audits/0002-blog-demo/ if you want to read the generated Annex VII
and DoC drafts without running shipcheck locally.

Install:

  uv tool install shipcheck  # or: pipx install shipcheck
  cd path/to/yocto/build
  shipcheck init
  shipcheck check --build-dir . --format evidence --out dossier/

Blog post walks through the Annex structure, what Yocto gives you for
free, and where the paperwork gap lives:

  https://jetm.github.io/blog/posts/auditing-your-yocto-build-for-cra-compliance/

Repo:

  https://github.com/jetm/shipcheck

Feedback very welcome - especially from maintainers on the cve-check,
create-spdx, and vex side of things who have opinions on how the check
defaults should evolve. File an issue on GitHub, or reply here.

Best,
Javier

Re: ANNOUNCE: shipcheck - CRA compliance auditor for Yocto builds

[Olivier Benjamin]

On 4/24/26 11:20 PM, Javier Tia wrote:

> Hi all,
Hello Javier,
> (Cross-posted to yocto@lists.yoctoproject.org and
> openembedded-core@lists.openembedded.org.)
>
> I just published shipcheck, an open-source CLI that reads a Yocto build
> directory and drafts the paperwork required by the EU Cyber Resilience
> Act (Regulation 2024/2847) - the Annex VII technical file, the
> Declaration of Conformity, and an evidence report pivoted by CRA Annex
> item.
Thanks, it's great to have a tool filling that gap!
> The short version: CRA is a paperwork regulation, not a
> scanner-selection problem. Yocto already emits most of the technical
> evidence - SPDX SBOMs via create-spdx, CVE scans via cve-check or
> Bootlin's sbom-cve-check, license.manifest files, signing-class config.
> What's missing is a tool that walks those artefacts, maps them onto the
> CRA Annex structure, and renders the drafts a compliance officer can
> review.

Not super relevant, but I would dispute the "paperwork regulation" bit,
and one can only gloss over the "scanner-selection" issue if one assumes 
that
problem already solved.

> shipcheck does that piece, with seven registered checks:
>
>    sbom-generation    SPDX 2.x validation against BSI TR-03183-2
>    cve-tracking       consumes cve-check, vex.bbclass, and
>                       sbom-cve-check JSON (the last is preferred)
>    yocto-cve-check    reads tmp/log/cve/cve-summary.json directly
>    license-audit      per-arch license.manifest walker
>    secure-boot        detects signing class configuration and flags
>                       known test keys
>    image-signing      detects FIT signatures and dm-verity config
>    vuln-reporting     validates the vendor-commitment half of the
>                       dossier from a separate product.yaml manifest
>
> It is deliberately narrow: Apache-2.0 Python, no runtime probes, no
> shell-outs, no network calls at scan time, and no LLM or AI inference
> anywhere in the pipeline - shipcheck is fully deterministic. An
> auditor can read the check code and confirm exactly what each check
> inspects.
>
> Pilot 0001 (poky Scarthgap, core-image-minimal) is committed at
> pilots/0001-poky-scarthgap-min/REPORT.md with the full kas-container
> bootstrap. A worked example driven from a product-vendor.yaml (every
> field set to the placeholder "VENDOR") is committed at
> audits/0002-blog-demo/ if you want to read the generated Annex VII
> and DoC drafts without running shipcheck locally.
>
> Install:
>
>    uv tool install shipcheck  # or: pipx install shipcheck
>    cd path/to/yocto/build
>    shipcheck init
>    shipcheck check --build-dir . --format evidence --out dossier/
>
> Blog post walks through the Annex structure, what Yocto gives you for
> free, and where the paperwork gap lives:
>
>    https://jetm.github.io/blog/posts/auditing-your-yocto-build-for-cra-compliance/
Thanks, the blog post is very helpful!
> Repo:
>
>    https://github.com/jetm/shipcheck
>
> Feedback very welcome - especially from maintainers on the cve-check,
> create-spdx, and vex side of things who have opinions on how the check
> defaults should evolve. File an issue on GitHub, or reply here.
I haven't tested the tool yet, so more feedback to potentially come later,
but I would certainly be interested in being able to validate SPDX3.0 
output.
> Best,
> Javier

Cheers,

Olivier

>
>