Securing software supply chains with open source and automation
2025-10-01, CyberSecurity

The CRA is already here, and will impact software development worldwide. Organizations need efficient compliance processes, supported by excellent free and open source tools to correctly identify and manage software components and secure software supply chains.

Join us for the latest updates on how to use free and open source tools, data, and standards for better, faster, more efficient, and automated software supply chain management, for public and private organizations of all sizes.


The CRA is already here, and this European regulation impacts software development worldwide. Organizations (and projects) of all sizes need efficient compliance processes to correctly identify software components, strengthen cybersecurity efforts, and secure software supply chains.

Open source tools, data, and standards offer an efficient and practical approach to automating and securing software supply chains. Tools like ScanCode for Software Composition Analysis, paired with aggregated open databases like PurlDB and VulnerableCode, support accurate origin and license identification, vulnerability detection, and comprehensive SBOM management. New EU-funded projects like CRAVEX and AI-Generated Code Search deliver performance improvements and advanced capabilities that further automate compliance processes.

In this presentation, AboutCode lead maintainer Philippe Ombredanne will share the latest updates on how to use open source tools, data, and standards for better, faster, more efficient, and automated software supply chain management.

See also: AboutCode projects

Philippe Ombredanne is a FOSS hacker passionate about enabling easier and safer reuse of open source code. He is the lead maintainer of the AboutCode stack of open source tools for Software Composition Analysis and license and security compliance, including the industry-leading ScanCode, DejaCode, PurlDB, Package-URL, and VulnerableCode. Philippe contributes to other open source projects, including the Linux kernel SPDX-ification, SPDX, ClearlyDefined, strace, ORT, and several Python tools.
