ANNOUNCE: shipcheck - CRA compliance auditor for Yocto builds

[Javier Tia <floss@jetm.me>]

Hi all,

(Cross-posted to yocto@lists.yoctoproject.org and
openembedded-core@lists.openembedded.org.)

I just published shipcheck, an open-source CLI that reads a Yocto build
directory and drafts the paperwork required by the EU Cyber Resilience
Act (Regulation 2024/2847) - the Annex VII technical file, the
Declaration of Conformity, and an evidence report pivoted by CRA Annex
item.

The short version: CRA is a paperwork regulation, not a
scanner-selection problem. Yocto already emits most of the technical
evidence - SPDX SBOMs via create-spdx, CVE scans via cve-check or
Bootlin's sbom-cve-check, license.manifest files, signing-class config.
What's missing is a tool that walks those artefacts, maps them onto the
CRA Annex structure, and renders the drafts a compliance officer can
review.

shipcheck does that piece, with seven registered checks:

  sbom-generation    SPDX 2.x validation against BSI TR-03183-2
  cve-tracking       consumes cve-check, vex.bbclass, and
                     sbom-cve-check JSON (the last is preferred)
  yocto-cve-check    reads tmp/log/cve/cve-summary.json directly
  license-audit      per-arch license.manifest walker
  secure-boot        detects signing class configuration and flags
                     known test keys
  image-signing      detects FIT signatures and dm-verity config
  vuln-reporting     validates the vendor-commitment half of the
                     dossier from a separate product.yaml manifest

It is deliberately narrow: Apache-2.0 Python, no runtime probes, no
shell-outs, no network calls at scan time, and no LLM or AI inference
anywhere in the pipeline - shipcheck is fully deterministic. An
auditor can read the check code and confirm exactly what each check
inspects.

Pilot 0001 (poky Scarthgap, core-image-minimal) is committed at
pilots/0001-poky-scarthgap-min/REPORT.md with the full kas-container
bootstrap. A worked example driven from a product-vendor.yaml (every
field set to the placeholder "VENDOR") is committed at
audits/0002-blog-demo/ if you want to read the generated Annex VII
and DoC drafts without running shipcheck locally.

Install:

  uv tool install shipcheck  # or: pipx install shipcheck
  cd path/to/yocto/build
  shipcheck init
  shipcheck check --build-dir . --format evidence --out dossier/

Blog post walks through the Annex structure, what Yocto gives you for
free, and where the paperwork gap lives:

  https://jetm.github.io/blog/posts/auditing-your-yocto-build-for-cra-compliance/

Repo:

  https://github.com/jetm/shipcheck

Feedback very welcome - especially from maintainers on the cve-check,
create-spdx, and vex side of things who have opinions on how the check
defaults should evolve. File an issue on GitHub, or reply here.

Best,
Javier