Scanner

One command. A complete SBOM.

The first SBOM scanner for machines. It adapts to whatever you run — point it at your project and get a CRA-ready bill of materials. B&R, Siemens, Rockwell and 40+ more vendors.

complioty — scan
$ complioty scan ./MyMachineProject
Plugin: B&R Automation Studio (br-automation)
Project: ./MyMachineProject
✓ Config1 — 42 components, 3 need review
→ Config1_sbom.json
Done.

Features

A software bill of materials for every machine — with no manual upkeep.

Automatic vendor detection

Point at a project folder — the scanner figures out whether it's B&R, Siemens, Rockwell or another vendor on its own.

40+ vendor plugins

From the major PLC market leaders to EU machine-building specialists. And if yours isn't there? We build the plugin for you.

CycloneDX & SPDX

Standards-compliant SBOMs in CycloneDX 1.5 and SPDX 2.3 — compatible with your existing toolchain.

CRA-ready

Built for the EU Cyber Resilience Act. The generated bill of materials is the evidence you need.

Lean binary

No runtime dependencies, runs offline right on the engineering workstation — even with no internet on site.

Straight into Complioty

The finished SBOM lands seamlessly in the Complioty platform — CVE monitoring takes over from there.

40+ supported vendors

From B&R to Beckhoff — and the scanner adapts to whatever you run.

Siemens
B&R
Rockwell
Beckhoff
ABB
Schneider Electric
Mitsubishi
Bosch Rexroth
WAGO
ifm
Pilz
Lenze
Turck
Panasonic
Keyence
Yokogawa
Delta
HIMA
Unitronics
Horner
CODESYS
OpenPLC
+

Missing a vendor? We'll build the plugin. And if you want, we'll customize the scanner just for you — tailored to your machines, tools and processes.

How the scanner works

1

Request the scanner

A short onboarding gives you the scanner, tailored to your engineering environment.

2

Point it at your machine project

The scanner reads the project directory — right on the machine where the programming happens.

3

Vendor detected automatically

The scanner picks the right vendor plugin from the project files — no configuration.

4

SBOM is generated

One CycloneDX or SPDX file per configuration; uncertain components are flagged for review.

5

Monitor in Complioty

The bill of materials flows into the platform — CVE monitoring of your components starts immediately.

Cyber Resilience Act

September 11, 2026.

From then on, product security is a legal obligation. No evidence, no CE marking.

73
Days
:
09
Hrs
:
03
Min
:
25
Sec

Make product security your process.

Start with what you have. In minutes, not months.