Skip to main content

CLI Overview

Running scanoss-js without arguments lists all available subcommands: 
Usage: scanoss-js [options] [command]

The SCANOSS JS package provides a simple, easy to consume module for interacting with SCANOSS APIs/Engine.

Options:
  -V, --version            output the version number
  -h, --help               display help for command

Commands:
  scan [options] <source>    Scan a folder/file
  dep [options] <source>     Scan for dependencies
  wfp [options] <source>     Generates fingerprints for a folder/file
  crypto [options] <source>  Scan local cryptography
  help [command]             display help for command

Subcommands

scan

Scans a folder or file against the SCANOSS API and Engine. This is the primary command for open source identification. The following capabilities are available when invoked with the appropriate flags:
  • Standard scanning — identify open source components in a source folder or file
  • API token scanning — use an API token and custom API URL for enhanced scanning capabilities
  • Dependency detection — include dependency manifest scanning alongside code scanning
  • Cryptography detection — detect cryptographic algorithms and libraries. When an API token is provided, component-level cryptography scanning is performed via the SCANOSS API; otherwise, only local cryptography detection is performed

dep

Scans a folder exclusively for dependency manifest files without performing code identification. This command parses dependency manifest files from your project to extract declared dependencies. The dependency manifest files recognised during the scanning process are:
EcosystemFiles
Pythonrequirements.txt, pip_requirements_lock.txt, *-requirements.txt, requirements-*.txt, pyproject.toml
Javapom.xml
JavaScriptpackage.json, package-lock.json, yarn.lock, pnpm-lock.yaml
RubyGemfile, Gemfile.lock
Golanggo.mod, go.sum
.NET / NuGet*.csproj, packages.config
Gradlebuild.gradle, build.gradle.kts, libs.versions.toml
For a complete and up-to-date list of supported dependency manifest files, see the dependency scanner source.

wfp

Generates WFP (Winnowing FingerPrint) hashes for a folder or file without performing any analysis or API calls. The resulting .wfp file can be stored and passed as input to scan at a later time, using the appropriate source argument. This is useful for separating the fingerprinting step from the scanning step — for example, in batch or deferred workflows.
Note: The --dependencies flag is not applicable when scanning a previously generated .wfp fingerprint file, as dependency manifest files are not captured by the fingerprint hashes.

crypto

Scans a folder or file exclusively for local cryptography detection — identifying cryptographic algorithms and libraries — without performing open source identification. Custom detection rules for algorithms and libraries can be provided via JSON rule files.
Note: Custom rules for algorithms and libraries are applied to local cryptography detection regardless of which other flags are provided.