Be CRA-ready before September 2026
The CRA makes manufacturers accountable for the cybersecurity of their products, regardless of how the code was created. SonarQube gives teams an automated verification layer to identify vulnerabilities early, enforce security standards, and ship with confidence.
What is the Cyber Resilience Act?
The EU Cyber Resilience Act (Regulation (EU) 2024/2847) sets mandatory cybersecurity requirements for in-scope products with digital elements made available on the EU market, regardless of whether the manufacturer is based in the EU.
Global reach
Applies to manufacturers of in-scope products with digital elements made available on the EU market, including manufacturers based outside the EU.
Broad scope
Covers many software and hardware products with digital elements, including B2B software products, consumer electronics, connected devices, and components.
Severe penalties
Non-compliance with the essential requirements can result in fines of up to €15 million or 2.5% of worldwide annual turnover for the preceding financial year, whichever is higher.
AI code is your liability
The CRA makes no distinction between human-written and AI-generated code; you’re responsible for all of it.
The compliance clock is running
CRA obligations roll out in stages. Organizations need to begin preparing now — particularly for the vulnerability reporting deadline that arrives in September 2026.
November 20, 2024
CRA published in the Official Journal of the EU; it entered into force on December 10, 2024
September 11, 2026
Reporting obligations for actively exploited vulnerabilities and severe incidents become mandatory
December 11, 2027
The CRA becomes generally applicable to in-scope products with digital elements made available on the EU market
Streamlined operational compliance for key CRA requirements
SonarQube brings together code quality, application security, dependency visibility, and release controls in a single developer-friendly platform across your SDLC.
Dedicated CRA Compliance Report
A purpose-built report that maps your entire codebase against specific CRA Annex I requirements, giving security and compliance teams instant visibility into their compliance posture and shareable evidence for regulators.
Advanced SAST
Deep, interprocedural static analysis across 30+ languages detects security vulnerabilities, including OWASP Top 10 and CWE Top 25 categories, plus custom rule sets aligned to your risk profile.
Software Composition Analysis (SCA)
Continuous scanning of all open-source dependencies against NVD and OSV vulnerability data, enriched with EPSS scores and the CISA KEV catalog. Reachability analysis prioritizes the vulnerabilities whose affected code is actually reachable from your code, so teams triage likely-exploitable findings first.
Automated SBOM Generation
Generate machine-readable Software Bills of Materials with a single click, providing the traceable dependency inventory the CRA explicitly mandates for every product.
Secrets Detection
Industry-leading detection of 450+ secret types with a sub-1% false positive rate. Blocks hard-coded credentials from reaching repositories or AI coding agents before they become a breach risk.
Quality Gates & Profiles
Enforce your exact compliance and quality rules consistently across every developer and every AI coding tool. Automatically block non-compliant code from merging — with full audit trail generation.
Built-in Compliance Reports
Out-of-the-box reports for OWASP Top 10, OWASP ASVS, PCI DSS, CWE Top 25, STIG, MISRA C++:2023, and now the Cyber Resilience Act — all available within your existing workflow.
Dependency Risk Governance
Go beyond detection with review, assignment, status tracking, fix guidance, license-policy enforcement, and malicious-package alerts for third-party dependencies.
8 steps to CRA compliance with SonarQube
A practical checklist based on Annex I requirements — mapped to the SonarQube capabilities that automate each step.
1. Minimize vulnerabilities through SAST
Identify exploitable weaknesses early in development, supporting the Article 13 obligation to design, develop, and produce products in accordance with the Annex I essential requirements before they reach the market.
2. Safeguard system access
Scan the entire codebase to detect and block hard-coded API keys, passwords, and sensitive tokens, fulfilling the Annex I unauthorized access requirement.
3. Assess open-source risk continuously
Continuously monitor all third-party dependencies for known CVEs, supporting CRA obligations for transparency and lifecycle risk management.
4. Verify absence of known exploits
Use NVD, OSV, EPSS, and KEV data to verify that components are free from known vulnerabilities, directly addressing the Annex I requirement that products be made available without known exploitable vulnerabilities. These sources cover only publicly disclosed vulnerabilities, so SCA results complement, rather than replace, your own vulnerability handling process.
5. Master supply chain transparency
Auto-generate SBOMs in a commonly used, machine-readable format that covers at least the top-level dependencies, as Annex I requires, giving you a traceable component inventory for every in-scope product.
6. Generate audit trails and proof
Maintain secure audit logs capturing lifecycle changes, configuration updates, and security events — simplifying CRA risk assessment documentation.
7. Enforce standards at point of creation
Empower developers with IDE feedback and configurable quality gates to ensure no non-compliant code ever proceeds to production.
8. Assess risk with strategic governance
Leverage portfolio dashboards for a high-level view of organizational compliance posture, transforming invisible code debt into visible data for security and risk leaders.
Additional resources
The Cyber Resilience Act: Why AI velocity demands automated verification
The conversation has moved from adoption to accountability. AI is no longer a future goal—it is the new baseline for software development.
Read more >
Cyber Resilience Act: Navigating speed and security with AI-coding
The EU Cyber Resilience Act (CRA) creates strict regulatory obligations for software manufacturers, including requirements for secure-by-design development, vulnerability handling, a 24-hour early-warning notification for actively exploited vulnerabilities and severe incidents, and SBOM generation.
Read more >
Build your CRA compliance case today
SonarQube gives compliance and security teams the automated infrastructure to prove readiness — without slowing down development.