General Arguments
The following arguments are available on all commands:

| Argument | Description |
|---|---|
| --version, -V | Output version number |
| --help, -h | Display help for command |
scan
Scans a folder or file against the SCANOSS API to identify open-source components, licences, vulnerabilities, and dependencies. Results are written to STDOUT by default.

| Argument | Description |
|---|---|
| --wfp, -w | Scan a pre-generated .wfp fingerprint file instead of a folder |
| --hpsm, -H | Enable High Precision Snippet Matching |
| --extract, -x | Extract compressed files before scanning into a <zip_name>-unzipped folder |
| --extract-overwrite | Overwrite the decompressed folder if it already exists |
| --extract-deep <number> | Set the recursion depth for decompression |
| --extract-suffix <suffix> | Set a custom suffix for the decompressed folder name |
| --concurrency <number>, -c | Number of concurrent connections to use while scanning (default: 10) |
| --ignore <file>, -n | Ignore components listed in an SBOM file |
| --output <filename>, -o | Write results to a file (default: STDOUT) |
| --format <format>, -f | Output format: json, html (default: json) |
| --flags <flags>, -F | Scanning engine flags, passed as a bitmask (sum the values you need): 1 disable snippets, 2 enable snippet IDs, 4 disable dependencies, 8 disable licences, 16 disable copyrights, 32 disable vulnerabilities, 64 disable quality, 128 disable cryptography, 256 disable best match, 512 report identified files |
| --min-snippet-hits <number> | Minimum snippet hits required for a match (0 defers to server configuration) |
| --min-snippet-lines <number> | Minimum snippet lines required for a match (0 defers to server configuration) |
| --ranking <value> | Enable or disable result ranking: true or false (default: server configuration) |
| --ranking-threshold <number> | Ranking threshold value from -1 to 10 (-1 defers to server configuration) |
| --honour-file-exts <value> | Honour file extensions during scanning: true or false (default: server configuration) |
| --post-size <postsize>, -P | Maximum kilobytes per API request (default: 32) |
| --max-retry <retry>, -R | Maximum number of retries for each POST request (default: 5) |
| --timeout <timeout>, -M | API communication timeout in seconds (default: 120) |
| --obfuscate | Obfuscate file paths in fingerprints before they are sent to the API |
| --dependencies, -D | Include dependency scanning alongside file scanning |
| --cryptography, -C | Include cryptography detection alongside file scanning |
| --algorithm-rules <path>, -ar | Path to a custom cryptographic algorithm rules file (JSON) |
| --library-rules <path>, -lr | Path to a custom cryptographic library rules file (JSON) |
| --apiurl <url> | SCANOSS API URL (default: https://api.osskb.org/scan/direct) |
| --api2url <url> | SCANOSS gRPC API 2.0 URL (default: api.scanoss.com:443) |
| --key <key>, -k | SCANOSS API key token (not required for the default OSSKB URL) |
| --ignore-cert-errors | Disable TLS certificate verification (insecure: scan traffic and fingerprints can be intercepted; for a private CA use --ca-cert instead) |
| --ca-cert <cert> | Path to a custom CA certificate PEM file for SSL/TLS connections |
| --proxy <url> | Proxy URL. Also read from the HTTPS_PROXY and grpc_proxy environment variables |
| --grpc_proxy <url> | gRPC proxy URL |
| --verbose, -v | Enable verbose output during scanning |
| --settings <filename>, -st | Settings file to use for scanning (default: scanoss.json) |
| --skip-settings-file, -stf | Skip the default scanoss.json settings file |
| --debug | Enable debug output |

When --cryptography is used without an API key (--key), only local cryptography detection is performed. Component-level cryptography scanning via the SCANOSS API requires an API key.

The --dependencies flag is not applicable when scanning a pre-generated .wfp fingerprint file, because dependency manifest files are not captured in fingerprint hashes.
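The JSON written by scan is what a CI pipeline actually acts on, so here is a small policy gate over it. This is an added example, not part of the SCANOSS CLI: it reads a result file (or the constructed sample embedded below), flags copyleft licences and HIGH/CRITICAL vulnerabilities, and exits non-zero when anything blocks. The result shape it assumes (a map of scanned path to a list of matches, each with id, purl, licenses[].name / licenses[].copyleft and vulnerabilities[].CVE / vulnerabilities[].severity) is an assumption about the output format; verify the field names against a real result before relying on it. The PURLs and CVE identifiers in the sample are constructed placeholders.

```python
"""Policy gate over SCANOSS `scan --format json` output (added example).

ASSUMPTION: each scanned path maps to a list of matches shaped like
  {"id": "file"|"snippet"|"none", "purl": [...],
   "licenses": [{"name": ..., "copyleft": "yes"|"no"}],
   "vulnerabilities": [{"CVE": ..., "severity": ...}]}
Check these field names against your own results; they are not taken from the page.
"""
from __future__ import annotations

import json
import sys
from dataclasses import dataclass

BLOCKING_SEVERITIES = {"HIGH", "CRITICAL"}


@dataclass(frozen=True)
class Finding:
    path: str
    purl: str
    reason: str


def evaluate(results: dict) -> list[Finding]:
    """Return one Finding per blocking condition found in a scan result."""
    findings: list[Finding] = []
    for path, matches in results.items():
        for match in matches:
            if match.get("id") == "none":
                continue  # no open-source match for this file
            purl = (match.get("purl") or ["(unknown purl)"])[0]
            # Licence and vulnerability lists are absent when disabled with
            # --flags 8 / --flags 32, so default to empty rather than failing.
            for lic in match.get("licenses", []):
                if str(lic.get("copyleft", "")).lower() == "yes":
                    findings.append(Finding(path, purl, f"copyleft licence {lic.get('name')}"))
            for vuln in match.get("vulnerabilities", []):
                severity = str(vuln.get("severity", "")).upper()
                if severity in BLOCKING_SEVERITIES:
                    ident = vuln.get("CVE") or vuln.get("ID") or "(unknown id)"
                    findings.append(Finding(path, purl, f"{severity} vulnerability {ident}"))
    return findings


# Constructed sample standing in for a trimmed scan result; PURLs and CVE ids are placeholders.
SAMPLE_RESULT = {
    "src/hash.c": [{
        "id": "snippet", "lines": "10-80",
        "purl": ["pkg:github/example/libhash"],
        "licenses": [{"name": "GPL-2.0-only", "copyleft": "yes"}],
        "vulnerabilities": [],
    }],
    "src/json.c": [{
        "id": "file",
        "purl": ["pkg:github/example/tinyjson"],
        "licenses": [{"name": "MIT", "copyleft": "no"}],
        "vulnerabilities": [
            {"CVE": "CVE-2099-0001", "severity": "HIGH"},
            {"CVE": "CVE-2099-0002", "severity": "LOW"},
        ],
    }],
    "src/main.c": [{"id": "none"}],
}


def main(argv: list[str]) -> int:
    """Usage: gate.py [results.json]; exit 1 when any finding blocks."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            results = json.load(fh)
    else:
        results = SAMPLE_RESULT
    findings = evaluate(results)
    for f in findings:
        print(f"BLOCK {f.path} ({f.purl}): {f.reason}")
    print(f"{len(findings)} blocking finding(s)")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python gate.py results.json` after `scan --format json --output results.json`; with no argument it evaluates the embedded sample and exits 1 because of the GPL snippet match and the HIGH vulnerability.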
dep
Scans a folder exclusively for dependency manifest files without performing open-source code identification.

| Argument | Description |
|---|---|
| --output <filename>, -o | Write results to a file (default: STDOUT) |
| --apiurl <url> | SCANOSS API URL (default: https://api.osskb.org/scan/direct) |
| --key <key>, -k | SCANOSS API key token (not required for the default OSSKB URL) |
| --ignore-cert-errors | Disable TLS certificate verification (insecure; for a private CA use --ca-cert instead) |
| --ca-cert <cert> | Path to a custom CA certificate PEM file for SSL/TLS connections |
| --proxy <url> | Proxy URL. Also read from the HTTPS_PROXY environment variable |
| --debug | Enable debug output |

Supported dependency manifest files:

| Ecosystem | Files |
|---|---|
| Python | requirements.txt, pip_requirements_lock.txt, *-requirements.txt, requirements-*.txt, dev-requirements.txt, pyproject.toml |
| Java | pom.xml |
| JavaScript | package.json, package-lock.json (v1, v2, v3), yarn.lock, pnpm-lock.yaml (v5, v6, v9+) |
| Ruby | Gemfile, Gemfile.lock |
| Golang | go.mod, go.sum |
| .NET / NuGet | *.csproj, packages.config |
| Gradle | build.gradle, build.gradle.kts, libs.versions.toml |
wfp
Generates WFP (Winnowing FingerPrint) hashes for a folder or file without performing any API calls or analysis. The resulting output can be saved to a file and passed to scan at a later time using the --wfp flag.

| Argument | Description |
|---|---|
| --hpsm, -H | Enable High Precision Snippet Matching |
| --obfuscate | Obfuscate file paths in fingerprints |
| --output <filename>, -o | Write fingerprints to a file (default: STDOUT) |
| --block-size <size>, -p | Maximum size in KB for each fingerprint block (default: 64) |
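The two-step workflow described here (fingerprint on the build host with wfp, scan the .wfp file later) and the --flags bitmask from the scan table are easiest to see as one driver. The following is an added example, not the project's own code: it composes and decodes the engine flag bitmask from the names in the scan table and builds the two command lines, fingerprinting with --obfuscate so that real paths never leave the host. The binary name scanoss-js, the flag-name spellings used as dictionary keys, and the source path being given as the last positional argument are assumptions; the flag values themselves come from the table above.

```python
"""Fingerprint-then-scan driver for the SCANOSS CLI (added example).

ASSUMPTIONS: the CLI binary is called scanoss-js and takes the folder or
.wfp file as its final positional argument. Flag bit values are taken from
the --flags row of the scan table; the snake_case names are our own.
"""
from __future__ import annotations

import shutil
import subprocess
from typing import Optional

# Engine flag bits (values from the --flags table). The argument is their sum.
SCAN_FLAGS = {
    "disable_snippets": 1,
    "enable_snippet_ids": 2,
    "disable_dependencies": 4,
    "disable_licences": 8,
    "disable_copyrights": 16,
    "disable_vulnerabilities": 32,
    "disable_quality": 64,
    "disable_cryptography": 128,
    "disable_best_match": 256,
    "report_identified_files": 512,
}


def compose_flags(*names: str) -> int:
    """OR the named engine flags into the integer passed to --flags."""
    unknown = set(names) - SCAN_FLAGS.keys()
    if unknown:
        raise ValueError(f"unknown scan flag(s): {sorted(unknown)}")
    value = 0
    for name in names:
        value |= SCAN_FLAGS[name]
    return value


def decode_flags(value: int) -> list[str]:
    """Reverse of compose_flags: list the flag names set in a bitmask."""
    if value < 0 or value > sum(SCAN_FLAGS.values()):
        raise ValueError(f"flags value out of range: {value}")
    return [name for name, bit in SCAN_FLAGS.items() if value & bit]


def wfp_command(source: str, wfp_out: str, obfuscate: bool = True,
                hpsm: bool = False, cli: str = "scanoss-js") -> list[str]:
    """Build `scanoss-js wfp` argv; --obfuscate keeps real paths off the wire.
    Note: --dependencies cannot be used later on this output, since manifest
    files are not part of the fingerprint (see the scan section)."""
    cmd = [cli, "wfp", "--output", wfp_out]
    if obfuscate:
        cmd.append("--obfuscate")
    if hpsm:
        cmd.append("--hpsm")
    cmd.append(source)  # ASSUMPTION: source folder is the final positional
    return cmd


def scan_command(wfp_file: str, results_out: str, flags: int = 0,
                 api_key: Optional[str] = None, cli: str = "scanoss-js") -> list[str]:
    """Build `scanoss-js scan --wfp` argv for a pre-generated fingerprint file."""
    cmd = [cli, "scan", "--wfp", wfp_file, "--format", "json", "--output", results_out]
    if flags:
        cmd += ["--flags", str(flags)]
    if api_key:
        # Caveat: anything on argv is visible in process listings on a shared host.
        cmd += ["--key", api_key]
    return cmd


def run(cmd: list[str]) -> None:
    print("+", " ".join(cmd))
    subprocess.run(cmd, check=True)


if __name__ == "__main__":
    # Skip dependencies (not available from a .wfp anyway) and vulnerabilities,
    # e.g. for a licence-only gate: 4 + 32 = 36.
    flags = compose_flags("disable_dependencies", "disable_vulnerabilities")
    steps = [wfp_command("src", "build.wfp"),
             scan_command("build.wfp", "results.json", flags=flags)]
    if shutil.which("scanoss-js") is None:
        print("scanoss-js not on PATH; commands that would run:")
        for step in steps:
            print("  ", " ".join(step))
    else:
        for step in steps:
            run(step)
```

Running wfp on the build host and shipping only build.wfp to a host with API access keeps source code out of the network path entirely; the --flags value is recovered with decode_flags when reading back a pipeline configuration.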
crypto
Scans a folder or file for local cryptographic algorithm and library detection without performing open-source identification. Custom detection rules can be provided via JSON files.

| Argument | Description |
|---|---|
| --algorithm-rules <path>, -ar | Path to a custom cryptographic algorithm rules file (JSON) |
| --library-rules <path>, -lr | Path to a custom cryptographic library rules file (JSON) |
| --output <filename>, -o | Write results to a file (default: STDOUT) |
| --threads <threads>, -T | Number of threads to use while scanning (default: 5) |
components
Queries the SCANOSS Knowledge Base for component intelligence. Supports searching, version lookups, statistics, and component information retrieval. The <action> argument must be one of: search, versions, stats, info. The options below apply to every action; each action then takes its own options, listed in the following tables.

| Argument | Description |
|---|---|
| --output <filename>, -o | Write results to a file (default: STDOUT) |
| --apiurl <url> | SCANOSS API URL (default: https://api.osskb.org) |
| --key <key>, -k | SCANOSS API key token |
| --ignore-cert-errors | Disable TLS certificate verification (insecure; for a private CA use --ca-cert instead) |
| --ca-cert <cert> | Path to a custom CA certificate PEM file for SSL/TLS connections |
| --proxy <url> | Proxy URL |
| --grpc | Use gRPC instead of HTTP for API calls |
| --debug | Enable debug output |
search
| Argument | Description |
|---|---|
| --query <query>, -q | Search query string |
| --vendor <vendor> | Filter by vendor name |
| --component <component> | Filter by component name |
| --package <package> | Filter by package type (e.g. npm, maven) |
| --limit <limit> | Maximum number of results to return |
| --offset <offset> | Result offset for pagination |
versions
| Argument | Description |
|---|---|
| --purl <purl> | Package URL (PURL) to look up |
stats
| Argument | Description |
|---|---|
| --purls <purls> | Comma-separated list of PURLs for statistics |
| --purls-file <file> | File containing PURLs, one per line |
info
| Argument | Description |
|---|---|
| --name <name> | Component name to look up |
| --include-versions | Include version information in the response |
| --include-stats | Include statistics in the response |