Scanning is the core functionality of SCANOSS-PY. It fingerprints your code and compares it against the SCANOSS Knowledge Base to identify open-source components, licences, vulnerabilities, and security issues.

Quick Start

Scan a project folder and save results:
scanoss-py scan -o results.json /path/to/project

Understanding Scanning

When you run a scan, SCANOSS-PY:
  1. Fingerprints your source code using the Winnowing algorithm
  2. Compares fingerprints against the SCANOSS Knowledge Base
  3. Identifies matching open-source components
  4. Detects licences, vulnerabilities, and quality issues
  5. Returns detailed results in JSON format
Scanning extends fingerprinting by querying the SCANOSS Knowledge Base with the generated fingerprints, returning component matches, licence data, and vulnerability information. Fingerprinting alone produces only the .wfp file; it does not perform a lookup.

Basic Scanning

Scan a Directory

scanoss-py scan -o results.json /path/to/project

Scan a Single File

scanoss-py scan -o results.json /path/to/file.py

Scan Multiple Specific Files

scanoss-py scan --files src/main.py src/utils.py -o results.json

Scanning with Dependencies

SCANOSS-PY can detect and analyse declared dependencies from package manifest files (e.g. package.json, requirements.txt, pom.xml).

Scan Source Files and Dependencies

scanoss-py scan --dependencies -o results.json /path/to/project
Note: Dependency scanning requires scancode-toolkit to be installed. Without it, the --dependencies flag will produce an error.

Scan Dependencies Only

Skip file scanning and analyse only declared dependencies:
scanoss-py scan --dependencies-only -o results.json /path/to/project

Scanning with Pre-Generated Fingerprints

For large projects or CI/CD pipelines, you can separate the fingerprinting step from the scanning step. Pass a previously generated .wfp fingerprint file directly to the scanner:
scanoss-py scan --wfp project.wfp -o results.json
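What a pipeline normally does next is decide whether the results are acceptable. The script below is an added example, not scanoss-py's own code: it is the kind of gate a CI job runs after the two-step `scanoss-py fingerprint` / `scanoss-py scan --wfp ... -o results.json` sequence. It loads results.json, walks each file's match list (including the dependency entries a `--dependencies` scan adds), and fails the build on any vulnerability at or above a severity threshold or any licence outside an allow-list. The top-level layout it relies on (file path mapped to a list of matches, an `id` of file/snippet/none, and `purl`, `component`, `version`, `licenses[].name`, `vulnerabilities[].CVE` and `.severity`) follows the SCANOSS result format; the `dependency` entry nesting, the severity strings and the allow-list are assumptions of this example, and the embedded sample results are constructed, not real scanner output.

```python
"""CI gate over scanoss-py results.json (added example, not part of scanoss-py)."""
import json
import sys
from dataclasses import dataclass

# Ordered severities as SCANOSS reports them (assumed); unknown strings fail closed below.
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Licences this project is willing to ship: a policy choice for the example.
ALLOWED_LICENCES = frozenset({"MIT", "Apache-2.0", "BSD-3-Clause", "Zlib"})

# Constructed sample in the shape of results.json. CVE-2018-25032 is a real zlib CVE;
# the file paths, line ranges and the WTFPL dependency are made up for the example.
SAMPLE_RESULTS = json.dumps({
    "src/util/crc32.c": [{
        "id": "snippet", "matched": "45%", "lines": "10-60", "oss_lines": "20-70",
        "purl": ["pkg:github/madler/zlib"], "component": "zlib", "version": "1.2.11",
        "licenses": [{"name": "Zlib", "source": "component_declared"}],
        "vulnerabilities": [{"CVE": "CVE-2018-25032", "severity": "HIGH", "source": "nvd"}],
    }],
    "src/main.c": [{"id": "none"}],   # no match: nothing to evaluate
    "package.json": [{                # entry produced by --dependencies (assumed layout)
        "id": "dependency",
        "dependencies": [{"component": "left-pad", "purl": "pkg:npm/left-pad",
                          "version": "1.3.0", "licenses": [{"name": "WTFPL"}]}],
    }],
})


@dataclass
class Finding:
    path: str    # scanned file, or the manifest for a dependency finding
    kind: str    # "vuln" or "licence"
    detail: str


def iter_matches(results):
    """Yield (path, match) for every real match, flattening dependency entries."""
    for path, matches in results.items():
        for match in matches:
            kind = match.get("id")
            if kind == "none":
                continue
            if kind == "dependency":
                for dep in match.get("dependencies", []):
                    yield path, dep
            else:
                yield path, match


def evaluate(results, allowed_licences=ALLOWED_LICENCES, min_severity="HIGH"):
    """Return the policy violations found in a parsed results document."""
    threshold = SEVERITY_RANK[min_severity.upper()]
    findings = []
    for path, match in iter_matches(results):
        who = f"{match.get('component', '?')}@{match.get('version', '?')}"
        for vuln in match.get("vulnerabilities", []):
            sev = str(vuln.get("severity", "")).upper()
            # A missing or unknown severity is ranked at the threshold so it cannot slip through.
            if SEVERITY_RANK.get(sev, threshold) >= threshold:
                cve = vuln.get("CVE") or vuln.get("ID") or "?"
                findings.append(Finding(path, "vuln", f"{who} {cve} ({sev or 'UNKNOWN'})"))
        for lic in match.get("licenses", []):
            name = lic.get("name", "")
            if name not in allowed_licences:
                findings.append(Finding(path, "licence", f"{who} {name or 'UNDECLARED'}"))
    return findings


def gate(results_text, allowed_licences=ALLOWED_LICENCES, min_severity="HIGH"):
    """Parse results.json text and evaluate it against the policy."""
    return evaluate(json.loads(results_text), allowed_licences, min_severity)


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_RESULTS      # no file given: run on the constructed sample
    findings = gate(text)
    for f in findings:
        print(f"{f.kind:<8} {f.path}: {f.detail}")
    return 1 if findings else 0    # non-zero exit fails the CI job


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python gate.py results.json` after the scan step. Two choices are deliberate: a vulnerability record with no usable severity is treated as meeting the threshold rather than ignored, and a match with no licence at all is reported as UNDECLARED, because an empty field is exactly what a gate should not silently accept.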

Scanning with a Settings File

SCANOSS supports a scanoss.json settings file for persistent configuration. The example below shows how to exclude specific files and directories from scanning using glob patterns. The ! prefix negates a pattern, re-including a previously excluded path.
{
  "settings": {
    "skip": {
      "patterns": {
        "scanning": [
          "*.log",
          "!important.log",
          "temp/",
          "debug[0-9]*.txt",
          "src/client/specific-file.js",
          "src/nested/folder/"
        ]
      }
    }
  }
}
Scan with a settings file:
scanoss-py scan --settings scanoss.json -o results.json /path/to/project
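Because a skipped file is never fingerprinted, it is worth checking what an ordered skip list with negation actually leaves in the scan before relying on it. The following is an added example, not scanoss-py's matcher: it reads the scanning patterns out of a scanoss.json and applies them to a constructed list of paths with gitignore-style rules, which are this example's assumptions: a pattern without `/` matches the file name at any depth, one containing `/` is anchored to the project root, a trailing `/` marks a directory and everything under it, and the last pattern that matches a path decides. The definitive check is which paths appear as keys in results.json after a real scan.

```python
"""Apply scanoss.json skip patterns to a path list (added example, not scanoss-py code)."""
import fnmatch
import json

# The settings file from this page, embedded so the example runs stand-alone.
SETTINGS_JSON = """
{
  "settings": {
    "skip": {
      "patterns": {
        "scanning": [
          "*.log",
          "!important.log",
          "temp/",
          "debug[0-9]*.txt",
          "src/client/specific-file.js",
          "src/nested/folder/"
        ]
      }
    }
  }
}
"""

# Constructed project listing: relative, '/'-separated paths as a scanner would walk them.
SAMPLE_PATHS = [
    "build.log", "important.log", "temp/a.c", "debug1.txt", "debug.txt",
    "src/client/specific-file.js", "src/client/other.js",
    "src/nested/folder/x.c", "src/main.c", "logs/error.log",
]


def load_skip_patterns(settings_text):
    """Pull settings.skip.patterns.scanning out of a scanoss.json document."""
    settings = json.loads(settings_text)
    return settings.get("settings", {}).get("skip", {}).get("patterns", {}).get("scanning", [])


def pattern_matches(pattern, path):
    """Assumed gitignore-style matching for one (non-negated) pattern."""
    segments = path.split("/")
    if pattern.endswith("/"):                  # directory pattern: the dir and everything below it
        body = pattern.rstrip("/")
        if "/" in body:                        # contains a slash: anchored to the project root
            return path.startswith(body + "/")
        return any(fnmatch.fnmatchcase(seg, body) for seg in segments[:-1])
    if "/" in pattern:                         # anchored file pattern
        return fnmatch.fnmatchcase(path, pattern)
    return fnmatch.fnmatchcase(segments[-1], pattern)   # bare name: matches at any depth


def is_skipped(path, patterns):
    """Evaluate patterns in order; a '!' pattern re-includes; the last match wins."""
    skipped = False
    for pat in patterns:
        negated = pat.startswith("!")
        if pattern_matches(pat[1:] if negated else pat, path):
            skipped = not negated
    return skipped


def filter_paths(paths, patterns):
    """Return the paths that would still be handed to the scanner."""
    return [p for p in paths if not is_skipped(p, patterns)]


if __name__ == "__main__":
    pats = load_skip_patterns(SETTINGS_JSON)
    for p in SAMPLE_PATHS:
        print(("skip " if is_skipped(p, pats) else "scan ") + p)
```

Under these rules the page's list keeps important.log, debug.txt, src/client/other.js and src/main.c and drops the rest, including logs/error.log, because a bare `*.log` applies at every depth. Order matters: a `!important.log` placed before `*.log` is overridden by it and the file is skipped after all. Keep skip lists to build output, logs and similar noise; excluding vendored or copied source removes exactly the files the scan exists to find.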