Cyber Resilience Act

Hello,
I would like to know what the plans are to get Balena compliant with the European Cyber Resilience Act.

  • Is there documentation or guidelines on how balena can be used in CRA environments?
  • Can I download the SBOM for a specific balena release?
  • If not, is there a time plan on when everything necessary for CRA is available?

Thank you!

Hi Wooyay,

We are actively working on CRA, being very conscious that it affects us and our users. So our approach is dual: a) to become CRA compliant, and b) to enable our users to be compliant.

We are working on different lines right now:

  • We will release a guide that summarises what the CRA is about and how it relates to balena.
  • We currently have SBOM generation in alpha mode. The goal is to make SBOMs available via the API, in some format that will enable you to generate your own reports.
  • Same with VCEs.
  • We are discussing how/if we should enable SBOM/VCE scanning for our users’ Docker images. We will probably do this in a 2-step approach since we don’t know if there is even a demand for this.
  • We are planning to join some working groups that will help us understand the regulation, collaborate on standards, etc.
  • We are making changes to some of the features in balenaCloud and balenaOS to make them serve the CRA.

With these ongoing tasks, plus some others that we will require, we don’t have a specific timeline. But just to mention that the CRA and security as a whole are a priority and we will be releasing features.
We’ll keep you updated!
