Build-accurate SBOMs for C/C++ — and the CRA paperwork to match. On-prem. Your code never leaves your machines.
C/C++ builds don't leave a lockfile behind. Most scanners read manifests and hope. Regulators won't accept hope.
There's no package-lock for a Makefile. Manifest scanners guess — and miss vendored code, static libraries and forked SDKs that end up in the binary anyway.
From 11 Sep 2026 you must report to ENISA within 24 hours whether an actively exploited CVE affects your products — including products you've already shipped.
Non-compliance under the CRA carries fines up to €15 million or 2.5% of worldwide annual turnover — whichever is higher.
Three commands. One SBOM per product, from what your build actually did — not what a manifest claims.
observe: Records what your compiler and linker actually did — every object, archive and static link that reaches the binary.
scan: Merges package manifests, vendored-code detection and binary analysis into one CycloneDX/SPDX SBOM — all languages, one SBOM per product.
monitor: Watches OSV, NVD and CISA KEV. When an exploited CVE hits a shipped component, it starts your 24-hour clock with a pre-filled report draft.
See which declared components never made it into the binary. Dead dependencies inflate your attack surface on paper and waste triage time. Trim shows what's actually linked, so you report on what actually ships.
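The declared-versus-build-observed comparison described above, as an added illustration that is not bomwerk's code: it parses one constructed linker invocation, maps the archives and -l flags the linker consumed to components, and reports dead dependencies, undeclared linked code, and a minimal CycloneDX 1.6 component list. The paths, library names and the name-to-component map are assumptions.

```python
import re
import shlex

# Constructed sample: one linker invocation as a build observer might record it
# (hypothetical paths and libraries, not from any real project).
LINK_CMD = (
    "cc -o build/app obj/main.o obj/net.o "
    "third_party/zlib/libz.a vendor/lwip/liblwip.a "
    "-L/usr/lib -lssl -lcrypto -lpthread"
)

# Constructed sample: components the project's manifest declares (hypothetical).
DECLARED = {"zlib", "openssl", "curl", "jansson"}

# Assumed mapping from a linked library base name to its component; in practice
# this would come from package metadata or the scanner's own database.
LIB_TO_COMPONENT = {
    "z": "zlib", "ssl": "openssl", "crypto": "openssl",
    "curl": "curl", "jansson": "jansson", "lwip": "lwip",
}
# Toolchain/libc libraries are not third-party components and are ignored.
SYSTEM_LIBS = {"c", "m", "dl", "rt", "pthread"}

def linked_libraries(cmd):
    """Base names of libraries the linker actually consumed: static archives
    (libfoo.a anywhere on the command line) and -lfoo flags. Plain objects are
    skipped; they are the project's own code, not components."""
    libs = set()
    for tok in shlex.split(cmd):
        if tok.startswith("-l"):
            libs.add(tok[2:])
        elif tok.endswith(".a"):
            m = re.match(r"lib(.+)\.a$", tok.rsplit("/", 1)[-1])
            if m:
                libs.add(m.group(1))
    return libs

def diff_components(declared, cmd):
    """Compare declared components against what the link line observed."""
    observed = {LIB_TO_COMPONENT.get(lib, lib)
                for lib in linked_libraries(cmd) if lib not in SYSTEM_LIBS}
    return {
        "shipped": sorted(declared & observed),     # declared and linked
        "dead": sorted(declared - observed),        # declared, never linked
        "undeclared": sorted(observed - declared),  # linked, no manifest entry
    }

def to_cyclonedx(shipped):
    """Minimal CycloneDX 1.6 JSON document listing only shipped components."""
    return {"bomFormat": "CycloneDX", "specVersion": "1.6",
            "components": [{"type": "library", "name": n} for n in shipped]}
```

With the sample above, the report shows `curl` and `jansson` as dead dependencies and the vendored `lwip` archive as an undeclared component that a manifest scanner would never list.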
Free scanners are useful. They also stop at what the manifest declares. Here's the difference on a real C/C++ repo.
| Capability | Generic free scanner | bomwerk |
|---|---|---|
| Declared vs. build-observed components | declared only | build-observed |
| Vendored / static-linked code detection | ✗ | ✓ |
| Unused-component (dead dependency) report | ✗ | ✓ |
| CRA report drafts, pre-filled | ✗ | ✓ |
| On-prem by default | varies | ✓ always |
Point us at one repository. We'll run bomwerk against it and walk you through what it found — no obligation.
Send us one repo link — or just a note about your build. We'll reply within one working day.
Request free scan: writes to info@bomwerk.com, or reach us at hello@bomwerk.com.
What you get back:
The scan runs on hardware you control, or on a repo you share deliberately. Nothing is retained.
The scanner is Apache-2.0. Read it, fork it, run it in your pipeline.
Signed, reproducible builds. Verify the binary before you trust it.
No telemetry by default. It doesn't phone home; you turn on what you want.
Conforms to CycloneDX 1.6 / SPDX 3.0, with BSI TR-03183 fields.
npm, PyPI, Cargo, Go modules, Maven and more — merged into one SBOM per product.