Attempting to Launch Verimu in March and April

Why I built Verimu, what shipped this month, and what comes next for CRA compliance in the EU.

Posted on March 22, 2026

March was all about one product: verimu.

It has three connected parts: an npm package with a CLI, an enterprise dashboard, and the main website with docs.

I built this because I keep seeing the same pattern across teams in the EU, especially from my own medtech experience: everyone knows the Cyber Resilience Act is real, but many teams are still not operationally ready.

Why this product exists

Most teams do not fail compliance because they do not care. They fail because compliance work gets fragmented:

  • dependency inventory is manual or stale
  • CVE monitoring lives in multiple tools with no clear ownership
  • reporting workflows are discussed but not actually wired into engineering operations

The CRA turns this into an execution problem. If your software ships in Europe, you need a repeatable system, not a one-off spreadsheet.

What we shipped in February and March

1) npm package + CLI

We shipped the verimu npm package to make scanning easy inside existing pipelines.

Current capabilities include:

  • CycloneDX SBOM generation
  • CVE checks across major databases
  • support for multiple ecosystems (npm, NuGet, pip, Cargo, Maven, Go, Ruby)
  • CI-agnostic usage with examples for GitHub Actions, GitLab CI, and Bitbucket Pipelines

The goal is simple: one command in CI, and you always have fresh dependency evidence.

2) enterprise dashboard

At app.verimu.com, teams can manage projects, review dependencies/vulnerabilities, and handle team access in one place.

This closes a key gap: scanning is only useful if teams can operationalize the output.

3) the main website and docs

verimu.com now includes practical docs and an onboarding flow so teams can go from zero setup to actionable scans quickly.

I also focused messaging around what teams actually need right now:

  • SBOM coverage that is current and auditable
  • vulnerability visibility tied to real dependencies
  • workflows that engineering and compliance can both understand

Built from real-world pressure

This was not a random idea from trend watching.

I have worked in regulated environments long enough to know what happens when requirements arrive before internal process maturity: engineers scramble, compliance teams escalate, and everyone loses time.

Verimu is my attempt to remove that scramble and make compliance implementation boring, predictable, and automatable.

What is next

The next milestones are straightforward:

  • harden and expand CI/CD automation paths
  • improve team-level alerting and reporting workflows
  • continue closing the gap between technical outputs (SBOM/CVE data) and compliance-ready artifacts

If this is your world and your team is still piecing things together manually, I would genuinely love to hear from you.

Thanks

Thanks for reading and for following along as I keep building.

-Chris
