Tutorial: Full CRA Walkthrough

This tutorial walks through the complete CRA Module A assessment lifecycle using SyncPad — a collaborative document editor — as the example product. SyncPad is the reference product from Risk, Evidence and Conformity: The Cyber Resilience Act for Default Products.

About SyncPad

SyncPad v2.0 is a web-based collaborative editor:

Stack: Node.js/Express backend, React frontend, PostgreSQL, Redis
Features: Real-time collaboration, file upload, PDF export, user accounts
Deployment: Cloud-hosted SaaS (RDPS applicable)
Classification: Default product (Module A self-assessment)

Phase 1: Initial Scan

Scan the codebase:

fleet scan --path ./syncpad \
  --output json --output-file syncpad-scan.json \
  --sbom --cbom \
  --report syncpad-module-a.md

Review the summary:

Findings:     238
  Pass:       67
  Fail:       45
  Review:     126
SBOM: 1,247 components
CBOM: 52 crypto primitives (46 approved, 3 deprecated, 3 prohibited)

Register the product on the platform:

curl -X POST /api/v1/assessment/products \
  -d '{
    "name": "SyncPad",
    "version": "2.0.0",
    "ruleset_id": "default-ruleset-uuid",
    "repo_url": "https://github.com/syncpad/syncpad"
  }'

Upload scan results:

curl -X POST /api/v1/assessment/products/{id}/scans \
  -d @syncpad-scan.json

Phase 2: Automated Evidence (Auto + Semi)

Auto findings (67 pass, 45 fail)

These are already assessed. Review the failures:

Category	Failures	Examples
Crypto	3	MD5 in avatar hash, SHA-1 in legacy import
Network	5	HTTP URL for analytics, hardcoded Redis password
Auth	2	Password logged in debug mode
Config	1	Debug mode enabled in default config
Supply chain	2	Missing lockfile integrity, no vuln scanning in CI
Vuln handling	3	No security.txt, no SECURITY.md, no disclosure policy

LLM review for Semi findings

fleet scan --path ./syncpad --llm claude --output json --output-file syncpad-llm.json

Claude reviews the 126 needs_review findings and produces evidence:

After LLM review:
  Pass:       143  (was 67)
  Fail:       52   (was 45)
  Review:     43   (was 126)
  LLM reviewed: 83

Phase 3: Triage Remaining Findings

Use bulk triage for the 43 remaining needs_review findings:

curl -X POST /api/v1/assessment/products/{id}/triage \
  -d '{
    "triaged_by": "security-team",
    "actions": [
      { "requirement_id": "NET-SVC-01-R2", "action": "accept",
        "justification": "Authorization checks verified in code review" },
      { "requirement_id": "INPUT-04-R1", "action": "false_positive",
        "justification": "Node.js is memory-safe, bounds checking N/A" },
      { "requirement_id": "UPD-FW-01-R1", "action": "false_positive",
        "justification": "SaaS product, no firmware updates" }
    ]
  }'

Phase 4: Fix Critical Findings

Create remediations for the confirmed failures:

# Fix MD5 usage
curl -X POST /api/v1/assessment/products/{id}/remediations \
  -d '{
    "requirement_id": "CRYPTO-01-R1",
    "description": "Replace MD5 with SHA-256 for avatar hashing",
    "assigned_to": "backend-team",
    "ticket_url": "https://linear.app/syncpad/ENG-501"
  }'

# Add security.txt
curl -X POST /api/v1/assessment/products/{id}/remediations \
  -d '{
    "requirement_id": "VH-ID-01-R1",
    "description": "Create .well-known/security.txt with contact info",
    "assigned_to": "devops",
    "ticket_url": "https://linear.app/syncpad/ENG-502"
  }'

Phase 5: Document Processes (Doc Evidence)

Start a questionnaire session for the 187 Doc requirements:

# Start session
curl -X POST /api/v1/assessment/products/{id}/questionnaire

# Answer vulnerability handling questions
curl -X POST /api/v1/assessment/questionnaire/{session}/answer \
  -d '{
    "requirement_id": "VH-REG-01-R1",
    "answer": "ENISA notification process: 1) Security team assesses severity within 4 hours. 2) If notifiable, early warning submitted within 24 hours via ENISA portal. 3) Full notification within 72 hours. Process owner: CISO. Last drill: 2026-03-15."
  }'

# Answer update support questions
curl -X POST /api/v1/assessment/questionnaire/{session}/answer \
  -d '{
    "requirement_id": "UPD-LIFE-01-R1",
    "answer": "SyncPad v2.0 support period: 5 years from December 2026. Security updates provided free of charge. Published at https://syncpad.com/support-policy."
  }'

Phase 6: Verify and Report

Re-scan after fixes:

fleet scan --path ./syncpad --llm claude --ci \
  --api-url https://fleet.example.com \
  --api-key $KEY

Check gap analysis:
Terminal window
```
curl /api/v1/assessment/products/{id}/gap-analysis
```
Target: 0 non_compliant, minimal needs_evidence.

Generate final Module A report:

fleet scan --path ./syncpad --report syncpad-module-a-final.md

Verify remediations:

curl -X POST /api/v1/assessment/remediations/{id}/verify \
  -d '{"verified_by": "qa-team", "scan_id": "latest-scan-uuid"}'

Phase 7: Set Up Continuous Monitoring

name: CRA Compliance
on:
  push:
    branches: [main]
  schedule:
    - cron: '0 6 * * 1'  # Weekly full scan

jobs:
  cra-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: fleet scan --path . --ci --llm off --sbom --cbom
        env:
          FLEET_API_URL: ${{ secrets.FLEET_API_URL }}
          FLEET_API_KEY: ${{ secrets.FLEET_API_KEY }}

Every commit now produces timestamped evidence. The dashboard shows compliance trajectory over time.

Deliverables Checklist

At the end of this process, SyncPad has: