> ## Documentation Index > Fetch the complete documentation index at: https://docs.scanoss.com/llms.txt > Use this file to discover all available pages before exploring further. # Commands & Arguments > Complete reference for all SCANOSS-PY CLI commands, subcommands and their arguments. ## General Arguments The following arguments are available on all commands: | Argument | Description | | --------------- | ------------------------------------------------------------------- | | `--debug`, `-d` | Enable debug output | | `--trace`, `-t` | Enable trace output, including full API request and response bodies | | `--quiet`, `-q` | Suppress all non-error output | ## scan **Aliases:** `sc` Fingerprints a directory or file and queries the SCANOSS Knowledge Base to identify open-source components, licences, vulnerabilities, and dependencies. Results are written to STDOUT by default. ```bash theme={null} scanoss-py scan [OPTIONS] ``` | Argument | Description | | ------------------------------------------ | ---------------------------------------------------------------------------------------------------------- | | `--wfp `, `-w ` | Scan a pre-generated `.wfp` fingerprint file instead of a directory | | `--dep `, `-p ` | Scan a dependency file instead of a directory | | `--stdin `, `-s ` | Scan file contents from STDIN, using the given filename for identification | | `--files [...]`, `-e` | Scan specific files | | `--identify `, `-i ` | Identify components listed in an SBOM file *(API key required)* | | `--ignore `, `-n ` | Exclude components listed in an SBOM file from results *(API key required)* | | `--output `, `-o ` | Write results to a file (default: STDOUT) | | `--format `, `-f ` | Output format: `plain`, `cyclonedx`, `spdxlite`, `csv`, `raw` (default: `plain`) | | `--flags `, `-F ` | Send custom scanning flags to the API | | `--threads `, `-T ` | Number of concurrent upload threads (default: `5`, max: `30`) | | `--skip-snippets`, `-S` | Skip snippet fingerprint generation | | `--post-size `, `-P ` | Maximum kilobytes per API request (default: `32`) | | `--timeout `, `-M ` | API request timeout in seconds (default: `180`) | | `--retry `, `-R ` | Number of retries on API failure (default: `5`; use `0` to fail immediately) | | `--hpsm`, `-H` | Enable High Precision Snippet Matching | | `--min-snippet-hits ` | Minimum snippet hits required for a match (`0` defers to server configuration) | | `--min-snippet-lines ` | Minimum snippet lines required for a match (`0` defers to server configuration) | | `--ranking ` | Enable or disable result ranking: `true`, `false`, or unset (default: unset, defers to server) | | `--ranking-threshold ` | Ranking threshold from `-1` to `10` (default: `-1`, defers to server configuration) | | `--honour-file-exts ` | Honour file extensions during matching: `true`, `false`, or unset (default: unset) | | `--skip-headers`, `-skh` | Skip copyright notices, import statements, and comments at the start of each file | | `--skip-headers-limit `, `-shl ` | Maximum number of lines to skip when using `--skip-headers` (default: `0`) | | `--wfp-output ` | Save computed fingerprints to a file during scanning | | `--all-folders` | Include all folders (including those skipped by default) | | `--all-extensions` | Include all file extensions (including those skipped by default) | | `--all-hidden` | Include hidden files and folders | | `--skip-extension `, `-E ` | Exclude files with this extension (can be repeated) | | `--skip-folder `, `-O ` | Exclude this folder (can be repeated) | | `--skip-size `, `-Z ` | Exclude files smaller than the specified size in bytes (default: `0`) | | `--skip-md5 `, `-5 ` | Exclude files whose MD5 matches this hash (can be repeated) | | `--strip-hpsm `, `-G ` | Strip a specific HPSM code fragment before scanning (can be repeated) | | `--strip-snippet `, `-N ` | Strip a specific snippet ID before scanning (can be repeated) | | `--obfuscate` | Obfuscate file paths in fingerprints before sending | | `--dependencies`, `-D` | Include dependency scanning alongside file scanning | | `--dependencies-only` | Run dependency scanning only, skipping file scanning | | `--dep-scope `, `-ds ` | Filter dependencies by scope: `dev` or `prod` | | `--dep-scope-inc `, `-dsi ` | Include only dependencies matching this scope | | `--dep-scope-exc `, `-dse ` | Exclude dependencies matching this scope | | `--sc-command ` | Path or command name for Scancode (default: `scancode`) | | `--sc-timeout ` | Timeout in seconds for Scancode to complete (default: `600`) | | `--settings `, `-st ` | Settings file path (default: `scanoss.json`) | | `--skip-settings-file`, `-stf` | Ignore the default `scanoss.json` settings file | | `--apiurl ` | SCANOSS API base URL (default: `https://api.osskb.org`) | | `--key `, `-k ` | SCANOSS API key (not required for the default API URL) | | `--proxy ` | Proxy URL. Also reads from the `HTTPS_PROXY` environment variable | | `--pac ` | Proxy Auto-Config file, HTTP URL, or `auto` for system discovery | | `--ca-cert ` | Custom CA certificate PEM file. Also reads from `REQUESTS_CA_BUNDLE` or `GRPC_DEFAULT_SSL_ROOTS_FILE_PATH` | | `--header `, `-hdr ` | Add a custom HTTP request header (can be repeated) | | `--ignore-cert-errors` | Disable SSL certificate verification *(use only in trusted environments)* | > `--dependencies` and `--dependencies-only` require [`scancode-toolkit`](installation#dependency-scanning) to be installed. ## fingerprint **Aliases:** `fp`, `wfp` Computes Winnowing fingerprints for a directory or file and writes them to a `.wfp` file or STDOUT. This step does **not** query the SCANOSS Knowledge Base, use `scan` for a full lookup. ```bash theme={null} scanoss-py fingerprint [OPTIONS] ``` | Argument | Description | | ------------------------------------------ | --------------------------------------------------------------------------------- | | `--stdin `, `-s ` | Read file contents from STDIN, using the given filename for identification | | `--output `, `-o ` | Output file name (default: STDOUT) | | `--obfuscate` | Obfuscate file paths in fingerprints | | `--hpsm`, `-H` | Enable High Precision Snippet Matching algorithm | | `--skip-snippets`, `-S` | Skip snippet fingerprint generation | | `--skip-headers`, `-skh` | Skip copyright notices, import statements, and comments at the start of each file | | `--skip-headers-limit `, `-shl ` | Maximum number of lines to skip when using `--skip-headers` (default: `0`) | | `--all-extensions` | Include all file extensions | | `--all-folders` | Include all folders | | `--all-hidden` | Include hidden files and folders | | `--skip-extension `, `-E ` | Exclude files with this extension (can be repeated) | | `--skip-folder `, `-O ` | Exclude this folder (can be repeated) | | `--skip-size `, `-Z ` | Exclude files smaller than the specified size in bytes (default: `0`) | | `--skip-md5 `, `-5 ` | Exclude files whose MD5 matches this hash (can be repeated) | | `--strip-hpsm `, `-G ` | Strip a specific HPSM code fragment (can be repeated) | | `--strip-snippet `, `-N ` | Strip a specific snippet ID (can be repeated) | | `--settings `, `-st ` | Settings file path (default: `scanoss.json`) | | `--skip-settings-file`, `-stf` | Ignore the default `scanoss.json` settings file | *** ## dependencies **Aliases:** `dp`, `dep` Scans source code for declared dependencies without performing a Knowledge Base lookup. ```bash theme={null} scanoss-py dependencies [OPTIONS] ``` > Requires [`scancode-toolkit`](installation#dependency-scanning). | Argument | Description | | --------------------------------- | ------------------------------------------------------------------------- | | `--output `, `-o ` | Output file name (default: STDOUT) | | `--container ` | Analyse dependencies from a Docker container image instead of a directory | | `--sc-command ` | Path or command name for Scancode (default: `scancode`) | | `--sc-timeout ` | Timeout in seconds for Scancode to complete (default: `600`) | | `--syft-command ` | Path or command name for Syft (default: `syft`) | | `--syft-timeout ` | Timeout in seconds for Syft to complete (default: `600`) | | `--settings `, `-st ` | Settings file path (default: `scanoss.json`) | | `--skip-settings-file`, `-stf` | Ignore the default `scanoss.json` settings file | ## file\_count **Aliases:** `fc` Walks the source tree and produces a summary of file types found. ```bash theme={null} scanoss-py file_count [OPTIONS] ``` | Argument | Description | | ------------------------------ | ------------------------------------ | | `--output `, `-o ` | Output file name (default: STDOUT) | | `--all-hidden` | Include hidden files and directories | ## convert **Aliases:** `cv`, `cnv`, `cvrt` Converts a SCANOSS results file between supported output formats without re-scanning. ```bash theme={null} scanoss-py convert -i --format -o ``` | Argument | Description | | ---------------------------------- | -------------------------------------------------------------------------------------- | | `--input `, `-i ` | Input results file | | `--input-format ` | Input file format (default: `plain`) | | `--output `, `-o ` | Output file name (default: STDOUT) | | `--format `, `-f ` | Output format: `cyclonedx`, `spdxlite`, `csv`, `glc-codequality` (default: `spdxlite`) | ## folder-scan **Aliases:** `fs` Scans a directory using folder-level hashing to identify components. Produces broader component matches than file-level scanning and is well-suited for detecting vendored or copied directories. ```bash theme={null} scanoss-py folder-scan [OPTIONS] ``` | Argument | Description | | ------------------------------------------ | ----------------------------------------------------------------------------------------------------------------- | | `--output `, `-o ` | Output file name (default: STDOUT) | | `--format `, `-f ` | Output format: `json`, `cyclonedx`, `raw` (default: `json`) | | `--timeout `, `-M ` | API request timeout in seconds (default: `600`) | | `--rank-threshold ` | Only return results at or below this rank (lower rank = higher quality match; e.g. `3` returns ranks 1, 2, and 3) | | `--depth ` | Directory traversal depth limit (default: `2`) | | `--recursive-threshold ` | Score threshold for recursive scanning (default: `0.0`) | | `--min-accepted-score ` | Minimum accepted match score (default: `0.0`) | | `--settings `, `-st ` | Settings file path (default: `scanoss.json`) | | `--skip-settings-file`, `-stf` | Ignore the default `scanoss.json` settings file | | `--key `, `-k ` | SCANOSS API key (not required for the default OSSKB URL) | | `--proxy ` | Proxy URL | | `--pac ` | Proxy Auto-Config file, HTTP URL, or `auto` | | `--ca-cert ` | Custom CA certificate PEM file | | `--header `, `-hdr ` | Add a custom HTTP request header (can be repeated) | | `--ignore-cert-errors` | Disable SSL certificate verification *(use only in trusted environments)* | ## folder-hash **Aliases:** `fh` Generates cryptographic hashes for all files in a directory tree and writes them to a JSON file or STDOUT. Use this to pre-compute folder hashes before running `folder-scan`. ```bash theme={null} scanoss-py folder-hash [OPTIONS] ``` | Argument | Description | | ---------------------------------- | ----------------------------------------------- | | `--output `, `-o ` | Output file name (default: STDOUT) | | `--format `, `-f ` | Output format: `json` (default: `json`) | | `--depth ` | Directory traversal depth limit (default: `2`) | | `--settings `, `-st ` | Settings file path (default: `scanoss.json`) | | `--skip-settings-file`, `-stf` | Ignore the default `scanoss.json` settings file | ## container-scan **Aliases:** `cs` Pulls a Docker container image and scans its layers for open-source dependencies. Requires Docker to be installed and running. ```bash theme={null} scanoss-py container-scan -i [OPTIONS] ``` | Argument | Description | | ------------------------------------------ | -------------------------------------------------------------------------------- | | `--image `, `-i ` | Docker image name and tag to scan *(required)* | | `--output `, `-o ` | Output file name (default: STDOUT) | | `--format `, `-f ` | Output format: `plain`, `cyclonedx`, `spdxlite`, `csv`, `raw` (default: `plain`) | | `--timeout `, `-M ` | API request timeout in seconds (default: `180`) | | `--retry `, `-R ` | Number of retries on API failure (default: `5`; use `0` to fail immediately) | | `--apiurl ` | SCANOSS API base URL (default: `https://api.osskb.org`) | | `--key `, `-k ` | SCANOSS API key (not required for the default OSSKB URL) | | `--proxy ` | Proxy URL | | `--pac ` | Proxy Auto-Config file, HTTP URL, or `auto` for system discovery | | `--ca-cert ` | Custom CA certificate PEM file | | `--header `, `-hdr ` | Add a custom HTTP request header (can be repeated) | | `--ignore-cert-errors` | Disable SSL certificate verification *(use only in trusted environments)* | | `--syft-command ` | Path or command name for Syft (default: `syft`) | | `--syft-timeout ` | Timeout in seconds for Syft to complete (default: `600`) | ## crypto **Aliases:** `cr` Retrieves cryptographic information for components identified by PURL. Requires a SCANOSS API key. ```bash theme={null} scanoss-py crypto [OPTIONS] ``` ### Subcommands #### algorithms **Aliases:** `alg` Returns the cryptographic algorithms used by the specified component versions. ```bash theme={null} scanoss-py crypto algorithms --purl [OPTIONS] ``` | Argument | Description | | -------------- | --------------------------------------------------------------------------------------------- | | `--with-range` | Include all versions within the specified version range that contain cryptographic algorithms | #### hints Returns encryption hints for the specified component versions. ```bash theme={null} scanoss-py crypto hints --purl [OPTIONS] ``` | Argument | Description | | -------------- | ------------------------------------------------------------------------------------- | | `--with-range` | Include all versions within the specified version range that contain encryption hints | #### versions-in-range **Aliases:** `vr` Given a list of PURLs with version ranges, returns the subset of versions that do or do not contain cryptographic algorithms. ```bash theme={null} scanoss-py crypto versions-in-range --purl [OPTIONS] ``` ### Common Arguments The following arguments apply to all `crypto` subcommands: | Argument | Description | | ------------------------------------------ | ------------------------------------------------------------------------- | | `--purl `, `-p ` | Package URL (PURL) to query. Can be specified multiple times | | `--input `, `-i ` | Input file containing a list of PURLs | | `--output `, `-o ` | Output file name (default: STDOUT) | | `--timeout `, `-M ` | API request timeout in seconds (default: `600`) | | `--key `, `-k ` | SCANOSS API key | | `--proxy ` | Proxy URL | | `--pac ` | Proxy Auto-Config file, HTTP URL, or `auto` for system discovery | | `--ca-cert ` | Custom CA certificate PEM file | | `--header `, `-hdr ` | Add a custom HTTP request header (can be repeated) | | `--ignore-cert-errors` | Disable SSL certificate verification *(use only in trusted environments)* | ## component **Aliases:** `comp` Queries the SCANOSS Knowledge Base for metadata about specific components identified by PURL. Requires a SCANOSS API key. ```bash theme={null} scanoss-py component [OPTIONS] ``` ### Subcommands #### vulns Returns known vulnerabilities for the specified component versions. ```bash theme={null} scanoss-py component vulns --purl [OPTIONS] ``` #### licenses Returns the licences associated with the specified component versions. ```bash theme={null} scanoss-py component licenses --purl [OPTIONS] ``` #### semgrep Returns Semgrep static analysis results for the specified component versions. ```bash theme={null} scanoss-py component semgrep --purl [OPTIONS] ``` #### versions Returns the available versions for the specified component. ```bash theme={null} scanoss-py component versions --purl [OPTIONS] ``` | Argument | Description | | ----------------------- | ------------------------------------ | | `--limit `, `-l ` | Maximum number of versions to return | #### search Searches the SCANOSS Knowledge Base for components matching a query. ```bash theme={null} scanoss-py component search [OPTIONS] ``` | Argument | Description | | ------------------------ | ----------------------------------- | | `--search `, `-s` | Generic search string | | `--vendor `, `-v` | Filter by vendor name | | `--comp `, `-c` | Filter by component name | | `--package `, `-p` | Filter by package name | | `--limit `, `-l ` | Maximum number of results to return | | `--offset `, `-f ` | Result offset for pagination | #### provenance **Aliases:** `prov` Returns contributor provenance information for the specified component versions. ```bash theme={null} scanoss-py component provenance --purl [OPTIONS] ``` | Argument | Description | | ---------- | ------------------------------------------------- | | `--origin` | Retrieve provenance using contributor origin data | #### status **Aliases:** `sts`, `st` Returns the development lifecycle status for one or more components. Provides information including component status, repository status, first and last indexed dates, and version-specific details. ```bash theme={null} scanoss-py component status --purl [OPTIONS] ``` ### Common Arguments The following arguments apply to all `component` subcommands: | Argument | Description | | ------------------------------------------ | ------------------------------------------------------------------------- | | `--purl `, `-p ` | Package URL (PURL) to query. Can be specified multiple times | | `--input `, `-i ` | Input file containing a list of PURLs | | `--output `, `-o ` | Output file name (default: STDOUT) | | `--timeout `, `-M ` | API request timeout in seconds (default: `600`) | | `--apiurl ` | SCANOSS API base URL (default: `https://api.osskb.org`) | | `--key `, `-k ` | SCANOSS API key | | `--proxy ` | Proxy URL | | `--pac ` | Proxy Auto-Config file, HTTP URL, or `auto` for system discovery | | `--ca-cert ` | Custom CA certificate PEM file | | `--header `, `-hdr ` | Add a custom HTTP request header (can be repeated) | | `--ignore-cert-errors` | Disable SSL certificate verification *(use only in trusted environments)* | ## results Reads a SCANOSS results file and filters or formats its contents. ```bash theme={null} scanoss-py results [OPTIONS] ``` | Argument | Description | | ----------------------------------- | ------------------------------------------------ | | `--match-type `, `-mt ` | Filter results by match type | | `--status `, `-s ` | Filter results by status | | `--has-pending` | Return only files that have pending declarations | | `--output `, `-o ` | Output file name (default: STDOUT) | | `--format `, `-f ` | Output format: `json`, `plain` (default: `json`) | ## inspect **Aliases:** `ins` Policy-checking commands that analyse a SCANOSS results file for compliance issues such as copyleft licences, undeclared components, and more. ```bash theme={null} scanoss-py inspect [OPTIONS] ``` ### Subcommands #### copyleft Identifies files or components with copyleft licences in a results file. ```bash theme={null} scanoss-py inspect copyleft --input [OPTIONS] ``` | Argument | Description | | ------------------------------------ | --------------------------------------------------------------------------- | | `--include ` | Additional licence identifiers to flag as copyleft (comma-separated) | | `--exclude ` | Licence identifiers to exclude from copyleft checks (comma-separated) | | `--explicit ` | Exact list of licences to use, replacing the built-in set (comma-separated) | | `--license-sources `, `-ls` | Filter which licence detection sources to consider | | `--status `, `-s ` | Write a pass/fail status summary to this file | #### undeclared Identifies components present in scan results that are not declared in the SBOM settings. ```bash theme={null} scanoss-py inspect undeclared --input [OPTIONS] ``` | Argument | Description | | ------------------------------ | ------------------------------------------------------------------------------- | | `--sbom-format ` | SBOM format to use for comparison: `legacy` or `settings` (default: `settings`) | | `--status `, `-s ` | Write a pass/fail status summary to this file | #### license-summary Generates a licence summary from a results file. ```bash theme={null} scanoss-py inspect license-summary --input [OPTIONS] ``` | Argument | Description | | ----------------------- | --------------------------------------------------------------------------- | | `--include ` | Additional licence identifiers to include (comma-separated) | | `--exclude ` | Licence identifiers to exclude (comma-separated) | | `--explicit ` | Exact list of licences to use, replacing the built-in set (comma-separated) | #### component-summary Generates a component summary from a results file. ```bash theme={null} scanoss-py inspect component-summary --input [OPTIONS] ``` #### dependency-track project-violations Retrieves policy violations for a project from a Dependency-Track server. ```bash theme={null} scanoss-py inspect dependency-track project-violations [OPTIONS] ``` | Argument | Description | | --------------------------------------- | ----------------------------------------------- | | `--url ` | Dependency-Track server URL *(required)* | | `--apikey `, `-k ` | Dependency-Track API key *(required)* | | `--project-id `, `-pid ` | Project UUID | | `--project-name `, `-pn ` | Project name | | `--project-version `, `-pv ` | Project version | | `--upload-token `, `-ut ` | Upload token returned by a previous BOM upload | | `--timeout `, `-M ` | API request timeout in seconds (default: `300`) | | `--status ` | Write a pass/fail status summary to this file | #### gitlab matches Generates a GitLab-compatible match summary from a results file. ```bash theme={null} scanoss-py inspect gitlab matches --input --line-range-prefix [OPTIONS] ``` | Argument | Description | | ----------------------------------------- | ----------------------------------------- | | `--line-range-prefix `, `-lpr ` | GitLab repository URL prefix *(required)* | ### Common Arguments The following arguments apply to all `inspect` subcommands: | Argument | Description | | ---------------------------------- | -------------------------------------------------------- | | `--input `, `-i ` | SCANOSS results file to analyse *(required)* | | `--output `, `-o ` | Output file name (default: STDOUT) | | `--format `, `-f ` | Output format: `json`, `md`, `jira_md` (default: `json`) | ## export Exports SCANOSS results to external platforms. ```bash theme={null} scanoss-py export [OPTIONS] ``` ### Subcommands #### dt Exports a CycloneDX SBOM to a Dependency-Track server. ```bash theme={null} scanoss-py export dt --input --url --apikey [OPTIONS] ``` | Argument | Description | | -------------------------------------- | ------------------------------------------ | | `--input `, `-i ` | CycloneDX SBOM file to upload *(required)* | | `--url ` | Dependency-Track server URL *(required)* | | `--apikey `, `-k ` | Dependency-Track API key *(required)* | | `--project-id `, `-pid ` | Project UUID | | `--project-name `, `-pn ` | Project name | | `--project-version `, `-pv ` | Project version | | `--output `, `-o ` | Output file name (default: STDOUT) | ## delta **Aliases:** `dl` Copies files identified in a diff report into a delta folder for further processing. ```bash theme={null} scanoss-py delta [OPTIONS] ``` ### Subcommands #### copy Copies changed files into a target delta folder based on a diff input file. ```bash theme={null} scanoss-py delta copy --input [OPTIONS] ``` | Argument | Description | | ------------------------------- | ------------------------------------------------ | | `--input `, `-i ` | Diff file listing changed files *(required)* | | `--folder `, `-fd ` | Destination delta folder | | `--root `, `-rd ` | Root directory for resolving relative file paths | | `--output `, `-o ` | Output file name (default: STDOUT) | ## utilities **Aliases:** `ut`, `utils` A collection of network and certificate diagnostics utilities. ```bash theme={null} scanoss-py utilities ``` | Subcommand | Description | | --------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------ | | `fast` | Verify that SCANOSS fast winnowing is active (requires the [scanoss-winnowing](https://pypi.org/project/scanoss-winnowing/) package) | | `certloc`, `cl` | Display the location of the Python CA certificate bundle | | `cert-download`, `cdl`, `cert-dl` | Download the full SSL certificate chain from a remote server | | `pac-proxy`, `pac` | Test a PAC (Proxy Auto-Config) file to determine the proxy for a given URL | The `cert-download` subcommand accepts the following arguments: | Argument | Description | | -------------------------------- | -------------------------------------- | | `--hostname `, `-n ` | Remote server hostname *(required)* | | `--port `, `-p ` | Remote server port (default: `443`) | | `--output `, `-o ` | Output PEM file name (default: STDOUT) | The `pac-proxy` subcommand accepts the following arguments: | Argument | Description | | --------------- | ------------------------------------------------------------------------- | | `--pac ` | PAC file path, HTTP URL, or `auto` for system discovery (default: `auto`) | | `--url ` | URL to test proxy resolution against (default: `https://api.osskb.org`) |