Your Code Is Only as Secure as Your Dependencies
The CRA makes manufacturers responsible for the security of their entire supply chain: every open source library, every transitive dependency, and every third-party component.
The Supply Chain Challenge
A typical web application has 500-1500 dependencies. Each one is a potential vulnerability:
```shell
# How many dependencies does your project actually have?
# Each command prints a line count as a rough measure of tree size, not an exact package count.
npm ls --all 2>/dev/null | wc -l                  # Node.js: one line per node in the full dependency tree
pip install pipdeptree && pipdeptree | wc -l      # Python: one line per package in the tree
go mod graph | wc -l                              # Go: one line per edge in the module graph (modules recur)
```
CRA Supply Chain Requirements
- Document all components: SBOM with direct and transitive dependencies
- Assess supplier security: evaluate the security practices of your suppliers
- Monitor continuously: new CVEs affect existing dependencies daily
- Patch promptly: incorporate upstream security fixes in a timely manner
- Contractual requirements: ensure third-party suppliers meet CRA standards
Practical Implementation
```yaml
# Automated supply chain monitoring
dependency-monitor:
  schedule: "0 */6 * * *" # Every 6 hours
  steps:
    - generate-sbom
    - scan-vulnerabilities
    - check-license-compliance
    - verify-supplier-attestations
    - alert-on-findings
```
Vendor Assessment Checklist
For each critical supplier, assess:
- Do they provide SBOMs for their products?
- Do they have a vulnerability disclosure process?
- What is their patch response time?
- Are they CRA-compliant themselves?
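To make the generate-sbom and scan-vulnerabilities steps of the monitoring pipeline concrete, here is an added example (not code from the original post): it matches each component of a CycloneDX-style SBOM against OSV-style advisories by package URL and version range, and reports whether each hit is a direct or a transitive dependency. The SBOM, package names and advisory ids are constructed sample data, and the version comparison is a simplified stand-in for full semver handling.

```python
# Added example (not code from the original post): a minimal "scan-vulnerabilities"
# step that matches a CycloneDX-style SBOM against OSV-style advisories and labels
# each hit as a direct or transitive dependency. All data below is constructed.
SAMPLE_SBOM = {
    "metadata": {"component": {"bom-ref": "pkg:npm/sample-app@1.0.0"}},
    "components": [
        {"purl": "pkg:npm/some-lib@2.0.0"},
        {"purl": "pkg:npm/lodash@4.17.20"},   # transitive: pulled in by some-lib
        {"purl": "pkg:npm/minimist@1.2.5"},   # direct dependency of the app
    ],
    # dependency graph; refs are bom-refs, which here equal each component's purl
    "dependencies": [
        {"ref": "pkg:npm/sample-app@1.0.0",
         "dependsOn": ["pkg:npm/some-lib@2.0.0", "pkg:npm/minimist@1.2.5"]},
        {"ref": "pkg:npm/some-lib@2.0.0", "dependsOn": ["pkg:npm/lodash@4.17.20"]},
    ],
}
# Advisory ids are placeholders, not real CVE or GHSA identifiers.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "purl": "pkg:npm/lodash", "introduced": "0", "fixed": "4.17.21"},
    {"id": "EXAMPLE-ADV-0002", "purl": "pkg:npm/minimist", "introduced": "0", "fixed": "1.2.6"},
    {"id": "EXAMPLE-ADV-0003", "purl": "pkg:npm/some-lib", "introduced": "3.0.0", "fixed": "3.0.2"},
]

def parse_version(v):
    """'4.17.21' -> (4, 17, 21); non-numeric pieces count as 0 (enough for semver-like strings)."""
    return tuple(int("".join(ch for ch in p if ch.isdigit()) or 0) for p in v.split("."))

def split_purl(purl):
    """'pkg:npm/lodash@4.17.20' -> ('pkg:npm/lodash', '4.17.20'); '@' in names is %-encoded in purls."""
    base, sep, version = purl.rpartition("@")
    return (base, version) if sep else (purl, "")

def scan_sbom(sbom, advisories):
    """One finding per (component, advisory) pair whose version lies in [introduced, fixed)."""
    root = sbom["metadata"]["component"]["bom-ref"]
    direct = {d for dep in sbom.get("dependencies", []) if dep["ref"] == root
              for d in dep.get("dependsOn", [])}
    findings = []
    for comp in sbom["components"]:
        base, version = split_purl(comp["purl"])
        v = parse_version(version)
        for adv in advisories:
            if adv["purl"] == base and parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"]):
                findings.append({"component": comp["purl"], "advisory": adv["id"], "fixed_in": adv["fixed"],
                                 "kind": "direct" if comp["purl"] in direct else "transitive"})
    return findings
```

Against a real project, load the SBOM produced by your generate-sbom step with `json.load` and feed advisories from an OSV-compatible source; the transitive/direct label is what tells you whether the fix is a version bump in your own manifest or an upstream patch you have to wait for (or override).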
- Do they sign their releases?
Key Insight
The CRA creates a chain of responsibility. Your suppliers' security posture directly affects your compliance. Choose suppliers who take security seriously, and verify, don't trust.
Need help with CRA supply chain compliance? I help organizations build secure supply chain management. Get in touch.
