EU-hosted · multi-tenant · sovereign by design

Prove your software
supply chain is secure.

CetraLog ingests your SBOMs, finds the vulnerabilities that actually matter, and produces signed, regulator-ready evidence — continuously, without your code ever leaving your perimeter.

CycloneDX 1.7: Full SBOM schema, incl. CBOM
4 feeds: OSV · GHSA · CISA KEV · CERT
SHA-256: Signed, tamper-evident ledger
EU DE / PL: Sovereign cloud hosting

Why CetraLog

Scanners give you a list. We give you an answer.

Compliance teams drown in raw CVE noise. CetraLog turns SBOMs into a prioritised, defensible security posture — and the paperwork to prove it.

01

Only what matters

Cross-reference every component against live exploit intelligence and your own VEX triage. Cut thousands of findings down to the handful you must act on.

02

Evidence, not effort

Every action is signed into a tamper-evident ledger and exportable as a regulator-ready packet. Audit prep goes from weeks to one click.

03

Your IP stays yours

Code is scanned and anonymised inside your perimeter — only sanitised metadata leaves. Suppliers and primes collaborate without exposing source.

The Platform

Everything from SBOM to sign-off.

One workspace covering the full supply-chain compliance lifecycle.

SBOM ingestion & validation

Parse CycloneDX 1.4–1.7 with full provenance, hashes, and cryptographic assets (CBOM). Validated against BSI TR-03183-2 on the way in.

Live vulnerability scanning

Batch-query OSV.dev, GitHub Advisories, CISA KEV, and sovereign CERT feeds. De-duplicated and matched to your components by PURL.

VEX triage engine

Mark findings not-affected, fixed, or under investigation — justifications kept for audit. Exports as CSAF 2.0 VEX; ingests supplier CSAF advisories.

CRA regulatory clock

Track the 24-hour early-warning and 72-hour technical-impact windows automatically, with countdowns and EOL alerts per component.

Sovereign federation

Primes and sub-vendors stay fully isolated, sharing only signature-verified SBOM handshakes. Supplier IP is masked end to end.

Signed audit ledger

Every compliance action is hash-chained with a SHA-256 receipt. Export a verifiable trail or a pre-filled ENISA/CSIRT notification.
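The hash-chained receipt idea behind the ledger, shown as an added Python illustration (not CetraLog's own code; the VEX actions and the genesis value are constructed): each receipt is SHA-256 over the entry's content plus the previous receipt, so editing any entry, even with a recomputed receipt, breaks the link to its successor. A production ledger would additionally sign the head receipt so a third party can verify it.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import List, Tuple

GENESIS = "0" * 64  # constructed: stands in for the receipt of a non-existent predecessor

@dataclass(frozen=True)
class Entry:
    seq: int
    action: dict  # the compliance action recorded, e.g. a VEX status change
    prev_hash: str  # receipt of the previous entry (GENESIS for the first)
    receipt: str  # SHA-256 over seq, action and prev_hash

def _digest(seq: int, action: dict, prev_hash: str) -> str:
    # Canonical JSON (sorted keys, fixed separators) so a receipt can be recomputed byte-for-byte.
    payload = json.dumps({"seq": seq, "action": action, "prev": prev_hash},
                         sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()

def append(ledger: List[Entry], action: dict) -> Entry:
    prev = ledger[-1].receipt if ledger else GENESIS
    entry = Entry(len(ledger), action, prev, _digest(len(ledger), action, prev))
    ledger.append(entry)
    return entry

def verify(ledger: List[Entry]) -> int:
    """Return -1 if the chain is intact, else the index of the first entry that fails."""
    expected_prev = GENESIS
    for i, e in enumerate(ledger):
        if e.seq != i or e.prev_hash != expected_prev or e.receipt != _digest(i, e.action, e.prev_hash):
            return i
        expected_prev = e.receipt  # the next entry must commit to this receipt
    return -1

def demo() -> Tuple[int, int, int]:
    ledger: List[Entry] = []  # constructed sample actions, not real triage data
    append(ledger, {"type": "vex", "purl": "pkg:pypi/demo-lib@1.2.0", "status": "not_affected"})
    append(ledger, {"type": "vex", "purl": "pkg:npm/demo-ui@4.0.1", "status": "under_investigation"})
    intact = verify(ledger)
    # Tamper 1: flip entry 0's status but keep its old receipt -> receipt mismatch at index 0.
    e0 = ledger[0]
    edited = {**e0.action, "status": "affected"}
    t1 = [Entry(0, edited, e0.prev_hash, e0.receipt), ledger[1]]
    # Tamper 2: also recompute entry 0's receipt -> entry 1's prev_hash no longer matches, caught at index 1.
    t2 = [Entry(0, edited, e0.prev_hash, _digest(0, edited, e0.prev_hash)), ledger[1]]
    return intact, verify(t1), verify(t2)
```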

How It Works

High-level architecture.

Five layers, one principle: proprietary code never leaves your perimeter — only sanitised, signed evidence flows out.

LAYER 1: Client perimeter
Build artifacts · Syft / cdxgen · Local anonymizer → sanitised CycloneDX

LAYER 2: Gateway & ingestion
Multi-tenant JWT routing · BSI TR-03183-2 validator · Recursive tree resolver

LAYER 3: Threat-intel engine
OSV.dev · GHSA · CISA KEV · CERT-Bund / CERT.PL · VEX override engine

LAYER 4: Compliance & ledger
CRA regulatory clock · Multi-tenant graph store · SHA-256 audit signer

LAYER 5: Export & dashboards
Live triage portal · ENISA / CSIRT packets · SPDX 3.0 / CycloneDX

Standards

Built for the Cyber Resilience Act.

CetraLog automates the technical evidence layer behind today's EU product-security mandates and defence procurement standards.

CRA

EU Cyber Resilience Act

SBOM transparency, documented vulnerability handling, VEX-based triage, and coordinated-disclosure timelines — generated automatically.

BSI

BSI TR-03183-2

Inbound SBOMs validated for required hashes, strict SPDX licensing, and field completeness before they ever enter your inventory.

CISA

CISA KEV (BOD 22-01)

Actively exploited vulnerabilities flagged with due dates, ransomware status, and required remediation actions.

NIST

NIST SP 800-161r1

Supply-chain risk management — provenance verification, component integrity, and sovereign-feed advisory coverage.

Get Started

See it scan your supply chain.

Book a 30-minute walkthrough on a real SBOM — from ingestion to a signed, regulator-ready report.