
Quick Start Guide

Get up and running with CRA Compliance Suite in 5 minutes. This guide walks you through signing up, uploading your first plugin, running a scan, and understanding the results.

1. Sign Up for Free

Start with our free plan—no credit card required, no limitations during your first analysis.

  1. Go to app.cra-compliance.store
  2. Click "Sign Up"
  3. Enter your email address and create a password
  4. Verify your email (check your inbox for a confirmation link)
  5. Log in to your account

You're now logged into CRA Compliance Suite. Welcome!

2. Upload Your Plugin

Analyze your first WordPress plugin to see what compliance gaps exist.

  1. From the dashboard, click "New Analysis" or "Upload Plugin"
  2. Select the plugin ZIP file from your computer (or the plugin folder)
  3. Choose the WordPress version your plugin is tested with
  4. Click "Upload" and wait for analysis to complete (usually 30-60 seconds)

Finding Your Plugin File

If you manage your plugin through WordPress.org, download the latest version from your plugin page. Otherwise, export the plugin folder as a ZIP file.

3. Review the Analysis Report

Once analysis completes, you'll see a comprehensive report covering SBOMs, vulnerabilities, and compliance status.

What You'll See:

  • Software Bill of Materials: Complete list of all dependencies and components in your plugin
  • Vulnerability Scan Results: Any known vulnerabilities detected in your code or dependencies
  • Compliance Score: Your current compliance level (0-100%)
  • Recommendations: Specific actions to improve compliance
  • SBOM Downloads: Download SBOMs in CycloneDX and SPDX formats

Understanding Your Score

  • 90-100%: Your plugin is highly compliant. Focus on documentation and final preparations.
  • 70-89%: Good starting point. Address the identified vulnerabilities and gaps.
  • 50-69%: Moderate compliance. You have significant work ahead, but it's achievable.
  • Below 50%: Substantial compliance work needed. Start with critical vulnerabilities and dependency updates.

4. Download Your SBOM

The Software Bill of Materials is the foundation of CRA compliance. Download and save it.

  1. On your analysis results page, look for the "Downloads" section
  2. Click "Download CycloneDX SBOM" to get the JSON format (best for security tools)
  3. Click "Download SPDX SBOM" to get the ISO-standard format (best for license compliance)
  4. Save both files somewhere you can access them easily

Using Your SBOM

Your SBOM is now your source of truth for what's in your plugin. You'll update it with each release, use it to track vulnerabilities, and reference it in your CRA compliance documentation.

5. Review Recommendations and Next Steps

The report includes specific recommendations. Here's what to prioritize:

If You Have Critical Vulnerabilities:

  1. Note which dependencies have critical vulnerabilities
  2. Check if updates are available for those dependencies
  3. Plan to update them in your next release
  4. Add security testing to prevent similar issues in the future

If You Have High-Severity Findings:

  1. Review the specific findings (SQL injection, XSS, insecure defaults, etc.)
  2. Plan fixes for your next release
  3. Consider implementing automated security testing

If Your Score is Low:

  1. Prioritize critical and high-severity vulnerabilities first
  2. Update your dependencies to current versions
  3. Start creating documentation (technical docs, security policy)
  4. See our Compliance Checklist for a structured approach

If Your Score is Moderate-to-High:

  1. Address any remaining vulnerabilities
  2. Focus on documentation and compliance evidence
  3. Define and publish your support period
  4. Set up automated dependency monitoring

What Comes Next?

Now that you understand your current compliance status, here are your next moves:

Address Vulnerabilities

Start with critical vulnerabilities identified in the report. Update dependencies and fix code issues. Each vulnerability you address improves your compliance score.

Read: Security Requirements

Create Documentation

Create the documentation required for CRA compliance: security policy, technical docs, user guidelines, and Declaration of Conformity. Use our templates (available with Pro plan) to streamline this.

View Pro Plan Features

Set Up Monitoring

Compliance is ongoing, not a one-time effort. Set up automated dependency monitoring so you're alerted to new vulnerabilities immediately.

See Ongoing Compliance Checklist

Automate SBOM Updates

Regenerate your SBOM with each release using our automated tools. This ensures your SBOM always matches your actual code and dependencies.

Read: SBOM FAQ

Plan Your Timeline

Review your compliance gaps and create a timeline for addressing them. See our detailed roadmap for planning compliance work by the September 2026 deadline.

Read: Getting Started Guide

Upgrade Your Plan

As your compliance work grows, upgrade to the Pro or Enterprise plan for continuous monitoring, multiple products, priority support, and automated compliance features.

See All Plans

Pro Tips for Success

Tip 1: Analyze All Your Products

Don't just analyze one plugin. Scan all your products that are sold to EU customers. This gives you a complete picture of your compliance work.

Tip 2: Automate When Possible

Use automated tools for dependency scanning, SBOM generation, and vulnerability detection. Manual processes are error-prone and can't keep up with emerging vulnerabilities.

Tip 3: Prioritize Critical Issues

Focus first on critical vulnerabilities and high-impact gaps. You don't need to be perfect, but you do need to address serious security issues before the enforcement deadline.

Tip 4: Start Documentation Early

Creating documentation takes time. Start now, even if your code isn't fully remediated yet. Documentation is evidence of your compliance efforts.

Tip 5: Communicate with Your Team

Make sure your development team understands CRA requirements and what's expected from them. Security practices are everyone's responsibility.

Tip 6: Use the Compliance Checklist

Print out our Compliance Checklist and track your progress. Checking things off keeps you motivated and ensures you don't miss anything.

Quick Questions Answered

How long does analysis take?

Most plugins analyze in 30-60 seconds. Larger or more complex plugins may take up to 2-3 minutes.

Can I analyze multiple versions of my plugin?

Yes! Create separate analyses for each major version. This helps you understand how compliance improves over time.

What if my plugin has private dependencies?

Our analyzer works best with standard package managers (Composer, npm). Packages pulled from a private registry are not visible to it, so add them to your SBOM manually.
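As an added example (not the product's own tooling), this Python snippet shows what that manual step looks like for a CycloneDX JSON SBOM: it appends a private Composer package as a component with a `pkg:composer/...` package URL, and then checks the SBOM against a composer.lock so that nothing installed is missing from the SBOM, which is the drift the "Automate SBOM Updates" step warns about. The sample SBOM, lock file and package names below are constructed.

```python
import json

# Constructed minimal CycloneDX 1.5 JSON SBOM, as a scanner might emit it for a
# WordPress plugin: one public Composer dependency is already listed.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "components": [
        {"type": "library", "name": "guzzlehttp/guzzle", "version": "7.8.1",
         "purl": "pkg:composer/guzzlehttp/guzzle@7.8.1"},
    ],
})

# Constructed composer.lock excerpt: the private package is installed but the
# scanner did not see it because it comes from a private registry.
COMPOSER_LOCK_JSON = json.dumps({
    "packages": [
        {"name": "guzzlehttp/guzzle", "version": "7.8.1"},
        {"name": "example-vendor/private-billing", "version": "2.3.0"},
    ]
})


def composer_purl(name, version):
    """Package URL for a Composer package ("vendor/name" form)."""
    return f"pkg:composer/{name}@{version}"


def add_private_component(sbom, name, version, supplier):
    """Append a private Composer package to the SBOM; idempotent per purl,
    so it can be re-run on every release without creating duplicates."""
    purl = composer_purl(name, version)
    components = sbom.setdefault("components", [])
    if any(c.get("purl") == purl for c in components):
        return sbom
    components.append({
        "type": "library", "name": name, "version": version, "purl": purl,
        "supplier": {"name": supplier},
        # No public advisory feed covers a private package; flag it so readers
        # know its vulnerability data has to come from the vendor itself.
        "properties": [{"name": "source", "value": "private-registry"}],
    })
    sbom["version"] = sbom.get("version", 1) + 1  # new BOM revision
    return sbom


def missing_from_sbom(sbom, composer_lock):
    """Purls present in composer.lock but absent from the SBOM (drift check)."""
    listed = {c.get("purl") for c in sbom.get("components", [])}
    locked = {composer_purl(p["name"], p["version"]) for p in composer_lock["packages"]}
    return locked - listed
```

Run `missing_from_sbom` before and after the manual addition: a non-empty result means your SBOM no longer matches what is actually installed.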

Can I share results with my team?

Yes! With the Pro and Enterprise plans, you can add team members and share analysis results. The Free plan is single-user.

How often should I re-analyze my plugins?

Re-analyze after major updates, dependency changes, or at least quarterly. This catches new vulnerabilities quickly.

Is my code private?

Yes. We analyze your code locally and never store your source code. Results are encrypted and only visible to you.

Ready to Get Started?

Sign up for free and analyze your first plugin in the next 5 minutes. No credit card required.
