Introduction & Overview

What is SCANOSS?

SCANOSS is an open-source software risk intelligence platform that analyses source code to identify declared and undeclared open-source usage. It generates accurate, standards-based SBOMs and provides structured insight into software composition, licensing, and security through a command-line interface designed for developer workflows. This page explains what SCANOSS does, how it works at a high level, and the architectural principles behind its security, data handling, and open-source design.

What SCANOSS Does

SCANOSS identifies open-source code used in software projects by analysing source code directly. This includes:

Declared dependencies defined in manifests
Undeclared usage such as embedded components, copied files, and reused code fragments.

By working from source code rather than dependency declarations alone, SCANOSS provides a more comprehensive and verifiable view of software composition. The results are translated into software risk intelligence that describes not just what open-source code is present, but also the associated licensing, security, and compliance metadata.

How SCANOSS Works

SCANOSS operates by combining local scanning with reference data and integrated tooling:

Fingerprinting: A CLI tool examines source code locally and generates fingerprints based on file content.
Matching: Those fingerprints are compared against reference data from a large open-source knowledge base maintained by SCANOSS.
Output: Identified results are assembled into standards-based SBOMs (e.g. SPDX, CycloneDX) and enriched with metadata that supports risk analysis.

The platform’s interfaces — including the Python CLI, REST API, and graphical workbench — let developers and tools consume this software risk intelligence where they need it.

Open Source in AI-Generated Code

⌘I

Documentation

Links

What is SCANOSS?

What SCANOSS Does

How SCANOSS Works

Documentation

Links

​What SCANOSS Does

​How SCANOSS Works

What SCANOSS Does

How SCANOSS Works