WP HealthKit
EU CRA · September 2026 · Included on all plans

Automatic SBOM generation for every plugin you audit

Every WP HealthKit audit extracts your Composer and npm dependencies and generates a machine-readable Software Bill of Materials in CycloneDX 1.6 format — ready for CRA compliance documentation.

What is an SBOM?

An SBOM is a manifest of every library your software uses — its name, version, and license. The EU Cyber Resilience Act makes an SBOM mandatory for commercial software sold to EU users from September 2026. Without one, you cannot legally sell to EU customers, nor pass enterprise procurement processes that require CRA documentation.

What WP HealthKit generates

CycloneDX 1.6

Required by most EU procurement

Machine-readable JSON. The format required by most EU procurement processes. Includes package URLs (PURL), version, license identifier, and any known CVEs cross-referenced from the same audit.

JSON · PURL · CVE cross-reference · EU CRA preferred

SPDX 2.3

OWASP / NIST preferred

The OWASP and NIST preferred format. Compatible with GitHub dependency graph and US government procurement requirements.

JSON / tag-value · GitHub compatible · NTIA compliant

What it covers

Composer packages
All PHP dependencies from composer.lock, including transitive dependencies.
npm packages
All JavaScript dependencies from package-lock.json or yarn.lock.
Missing lockfile detection
Flags if no lock file is present — SBOM cannot be generated accurately without a lockfile.
CVE cross-reference
Any bundled library with a known vulnerability appears in both the SBOM and the findings list.
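As an added illustration of the pipeline described above (example code written for this page, not WP HealthKit's own implementation): it reads a composer.lock and a package-lock.json, emits a minimal CycloneDX 1.6 document with PURLs and license identifiers, flags a missing lockfile instead of guessing, and attaches known CVEs from a lookup table to the affected component. The lockfile contents, the advisory table and its CVE identifier are constructed placeholders.

```python
import json
from urllib.parse import quote

# Constructed sample lockfiles and advisory table; not real project data.
COMPOSER_LOCK = json.dumps({"packages": [
    {"name": "guzzlehttp/guzzle", "version": "7.8.1", "license": ["MIT"]}]})
PACKAGE_LOCK = json.dumps({"packages": {
    "": {"name": "my-plugin"},
    "node_modules/lodash": {"version": "4.17.20", "license": "MIT"},
    "node_modules/@babel/core": {"version": "7.24.0", "license": "MIT"}}})
KNOWN_VULNS = {"pkg:npm/lodash@4.17.20": ["CVE-PLACEHOLDER"]}  # placeholder id

def component(name, version, purl, licenses):
    # One CycloneDX component; the PURL doubles as the bom-ref for cross-referencing.
    return {"type": "library", "bom-ref": purl, "name": name, "version": version,
            "purl": purl, "licenses": [{"license": {"id": lic}} for lic in licenses]}

def composer_components(lock_json):
    data = json.loads(lock_json)
    out = []
    # packages-dev are included too; transitive deps are already flattened in the lock.
    for pkg in data.get("packages", []) + data.get("packages-dev", []):
        purl = f"pkg:composer/{pkg['name']}@{pkg['version']}"
        out.append(component(pkg["name"], pkg["version"], purl, pkg.get("license", [])))
    return out

def npm_components(lock_json):
    data = json.loads(lock_json)
    out = []
    for path, pkg in data.get("packages", {}).items():
        if not path:  # "" is the root project itself, not a dependency
            continue
        name = path.rsplit("node_modules/", 1)[1]  # works for nested node_modules paths
        purl = f"pkg:npm/{quote(name, safe='/')}@{pkg['version']}"  # @scope -> %40scope
        lic = pkg.get("license")
        out.append(component(name, pkg["version"], purl, [lic] if lic else []))
    return out

def build_sbom(composer_lock=None, package_lock=None, vulns=KNOWN_VULNS):
    """Return (bom_dict, warnings). A missing lockfile is reported, never guessed."""
    warnings, components = [], []
    if composer_lock is None:
        warnings.append("composer.lock missing: PHP dependencies not resolved")
    else:
        components += composer_components(composer_lock)
    if package_lock is None:
        warnings.append("package-lock.json missing: npm dependencies not resolved")
    else:
        components += npm_components(package_lock)
    bom = {"bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
           "components": components,
           "vulnerabilities": [{"id": cve, "affects": [{"ref": c["purl"]}]}
                               for c in components for cve in vulns.get(c["purl"], [])]}
    return bom, warnings
```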

How to get your SBOM

1. Download from results page
Every completed audit has a Download SBOM button in the Export tab. Available in both formats.

2. REST API
Fetch programmatically:
GET /api/v1/reports/{auditId}/sbom?format=cyclonedx

3. MCP tool
Call the generate_sbom tool on the WP HealthKit MCP server from any AI coding tool.

CRA compliance context

The EU Cyber Resilience Act requires commercial software vendors to maintain a VDP, publish an SBOM, and keep a security changelog. Here is what WP HealthKit handles automatically and what remains your responsibility.

SBOM documentation: Handled by WP HealthKit
CRA compliance scan: Handled by WP HealthKit
Vulnerability disclosure policy (VDP): Your responsibility
Security changelog: Your responsibility

For full CRA requirements and a step-by-step compliance checklist, see the CRA compliance guide.

Start your CRA compliance workflow — free, no card required.

Every audit generates a CycloneDX 1.6 SBOM automatically. No extra steps.

SBOM Generation for WordPress Plugins — CRA Compliance | WP HealthKit