What is CRACI
CRACI is CI/CD reinvented through the lens of software supply chain security. Your builds run on CRACI’s GitHub Actions-compatible runners. As they run, CRACI observes every external dependency they pull in. From that it produces verifiable SBOMs that reflect what actually went into your artifacts. The result is a chain of trust from your source code to what you ship.
How it works
You keep your existing GitHub Actions workflows. Point a job at CRACI with runs-on: craci and it runs on a CRACI runner. As the build runs, CRACI observes every external dependency it pulls in and every artifact it produces, generating a verifiable SBOM of what actually went into your release. No SBOM plugins, no changes to your build logic.
Why CRACI
- Supply chain security at build time: CRACI watches the build as it happens. Unexpected dependencies and network access surface at their source instead of slipping silently into your release.
- Industry-leading SBOM completeness: every external dependency is captured as the build runs. The SBOMs CRACI produces are among the most complete you can get.
- Verifiable, not trust-me: you can independently verify that the SBOM and the artifacts it describes were produced by CRACI, from the commit it claims.
- Secure without slowing down: you keep your existing workflows and your shipping velocity. The assurance comes from the runner, not from plugins or process you have to maintain.
- CRA reporting readiness: SBOMs stay current with every build. They are ready for the CRA’s 24-hour reporting requirement without scrambling. CRA is one of the regulations CRACI helps with, not the whole story.
Who it’s for
Teams that care about the security of their software supply chain and want provable evidence of what goes into their products, without trading away developer velocity. Scale-ups and enterprises facing both security and visibility challenges get the most out of CRACI. The same build-time assurance helps anyone who needs a trustworthy SBOM and provenance without rebuilding their delivery process.
If you ship software that falls under CRA regulation (physical products with digital components, or products with remote data processing), CRACI is a natural fit. It is just as useful to teams who care about supply chain integrity for its own sake.