> ## Documentation Index
> Fetch the complete documentation index at: https://docs.scanoss.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Project, Scanning, Auditing and Reporting

> Guide to understanding scan results, auditing components, and generating reports in SBOM Workbench.

## Understanding Your Scan Results

### The Reports Tab Overview

After scanning your project in **SBOM Workbench**, the **Reports** tab provides a structured view
of your scan results, organised into two tabs: **Detected** and **Identified**. Each tab presents
a different stage of the audit process. **SBOM** stands for Software Bill of Materials — a
structured record of the components, dependencies, and licences in your project.

#### Detected Tab: Raw Scan Results

* **What it shows**: Raw, unmodified results from the SCANOSS API
* **When to use**: Initial review of scan results before any manual auditing
* **Key characteristic**: No user actions have been taken on these matches

<img src="https://mintcdn.com/scanoss/56Q6EAR2FpK8okeJ/en/latest/poc/guides/images/sbom-workbench/reports-detected.png?fit=max&auto=format&n=56Q6EAR2FpK8okeJ&q=85&s=fc23c554fa0504eb12eb4b3166b54ac4" alt="reports-detected" width="1915" height="988" data-path="en/latest/poc/guides/images/sbom-workbench/reports-detected.png" />

#### Summary Metrics

At the top of the **Detected** tab, a summary bar displays the following metrics:

* **Matches:** Number of project files that matched components in the SCANOSS database
* **Dependencies:** Count of dependencies found in manifest files (`package.json`, `pom.xml`, etc.)
* **Vulnerabilities:** Total number of known security vulnerabilities detected across all matched components
* **Cryptography:** Cryptographic algorithms and patterns detected by analysing your source code
* **Licences:** Summary of all licences detected across your matched components

#### Matched Components

Open source components that the SCANOSS engine identified in your codebase.

<img src="https://mintcdn.com/scanoss/56Q6EAR2FpK8okeJ/en/latest/poc/guides/images/sbom-workbench/matched-components.png?fit=max&auto=format&n=56Q6EAR2FpK8okeJ&q=85&s=dde947e02cf9723309d84a31d9aa03ee" alt="matched-components" width="1839" height="613" data-path="en/latest/poc/guides/images/sbom-workbench/matched-components.png" />

**How to Use This Section:**

1. Click on a component to see which files matched it.

<img src="https://mintcdn.com/scanoss/CGx6neJV8jANGZpq/en/latest/poc/guides/images/sbom-workbench/selecting-component.png?fit=max&auto=format&n=CGx6neJV8jANGZpq&q=85&s=808659128a3b715df7bd503d193940f4" alt="selecting-component" width="1908" height="950" data-path="en/latest/poc/guides/images/sbom-workbench/selecting-component.png" />

2. Click on any file to review the match percentage and understand the extent of its usage.

<img src="https://mintcdn.com/scanoss/56Q6EAR2FpK8okeJ/en/latest/poc/guides/images/sbom-workbench/component-match.png?fit=max&auto=format&n=56Q6EAR2FpK8okeJ&q=85&s=b28dfbce49a9e066e42b759c0c24e439" alt="component-match" width="1912" height="983" data-path="en/latest/poc/guides/images/sbom-workbench/component-match.png" />

3. For each match, choose to **Identify** the component or **Mark as Original** if the code
   belongs to your own codebase.

<img src="https://mintcdn.com/scanoss/56Q6EAR2FpK8okeJ/en/latest/poc/guides/images/sbom-workbench/identify-component.png?fit=max&auto=format&n=56Q6EAR2FpK8okeJ&q=85&s=cd6ac1471432394ffcd5dad5ede2700a" alt="identify-component" width="1438" height="92" data-path="en/latest/poc/guides/images/sbom-workbench/identify-component.png" />

4. If you click **Identify**, a dialogue will appear prompting you to confirm or update the
   component details.

<img src="https://mintcdn.com/scanoss/56Q6EAR2FpK8okeJ/en/latest/poc/guides/images/sbom-workbench/identify-settings.png?fit=max&auto=format&n=56Q6EAR2FpK8okeJ&q=85&s=eb93f396becfc2f8b583922aa0c04adb" alt="identify-settings" width="879" height="830" data-path="en/latest/poc/guides/images/sbom-workbench/identify-settings.png" />

5. After identifying or marking your first component, repeat the process for the remaining
   matched components.

#### Declared Dependencies

All dependencies listed in your project's manifest files.

<img src="https://mintcdn.com/scanoss/56Q6EAR2FpK8okeJ/en/latest/poc/guides/images/sbom-workbench/declared-dependencies.png?fit=max&auto=format&n=56Q6EAR2FpK8okeJ&q=85&s=359c5033ef22587ff904d0ab23b7b866" alt="declared-dependencies" width="1903" height="987" data-path="en/latest/poc/guides/images/sbom-workbench/declared-dependencies.png" />

**How to Use This Section:**

1. Click a dependency to view its details and any related matches.

<img src="https://mintlify.s3.us-west-1.amazonaws.com/scanoss/en/latest/poc/guides/images/sbom-workbench/declared-dependencies-matches.png" alt="declared-dependencies-matches" />

2. Open a dependency to see the associated package information.

<img src="https://mintlify.s3.us-west-1.amazonaws.com/scanoss/en/latest/poc/guides/images/sbom-workbench/select-dependency.png" alt="select-dependency" />

3. Make a decision on each dependency by hovering over it on the right-hand side and choosing
   **Accept** or **Dismiss**.

<img src="https://mintlify.s3.us-west-1.amazonaws.com/scanoss/en/latest/poc/guides/images/sbom-workbench/dependency-decision.png" alt="dependency-decision" />

#### Licences

In the **Licences** section of the **Reports** tab, clicking a specific licence filters the
matched components list to display only components associated with that licence. This allows you
to audit all components under a particular licensing term.

<img src="https://mintcdn.com/scanoss/56Q6EAR2FpK8okeJ/en/latest/poc/guides/images/sbom-workbench/report-licenses.png?fit=max&auto=format&n=56Q6EAR2FpK8okeJ&q=85&s=511547902f2467e553a9980c6300837b" alt="report-licenses" width="1641" height="972" data-path="en/latest/poc/guides/images/sbom-workbench/report-licenses.png" />

#### Licence Obligations

Use this section to identify licences that may conflict with your project's licensing strategy.
**SBOM Workbench** analyses your project's licence landscape and identifies:

* Incompatible licence combinations
* Licence conflicts
* Copyleft implications

<img src="https://mintcdn.com/scanoss/56Q6EAR2FpK8okeJ/en/latest/poc/guides/images/sbom-workbench/license-obligations.png?fit=max&auto=format&n=56Q6EAR2FpK8okeJ&q=85&s=d71a40e2270717d1f89360d16c6a4cc6" alt="license-obligations" width="1903" height="984" data-path="en/latest/poc/guides/images/sbom-workbench/license-obligations.png" />

### Identified Tab: Your Audited Results

* **What it shows**: Components you have explicitly reviewed and confirmed
* **When to use**: After auditing, to view the components you have accepted or identified
* **Key characteristic**: Displays only components on which you have taken an identification action

<img src="https://mintcdn.com/scanoss/56Q6EAR2FpK8okeJ/en/latest/poc/guides/images/sbom-workbench/reports-identified.png?fit=max&auto=format&n=56Q6EAR2FpK8okeJ&q=85&s=f1999fb8415c5b809af526238c08feb6" alt="reports-identified" width="1915" height="986" data-path="en/latest/poc/guides/images/sbom-workbench/reports-identified.png" />

> **Note**: The **Identified** tab will be empty until you begin reviewing and accepting matches
> from the **Detected** tab.

#### What You'll See After Identification

Once you have started identifying components and dependencies, the **Identified** tab will
populate with your verified results:

<img src="https://mintcdn.com/scanoss/56Q6EAR2FpK8okeJ/en/latest/poc/guides/images/sbom-workbench/identified.png?fit=max&auto=format&n=56Q6EAR2FpK8okeJ&q=85&s=e4fdadb33bc8ebb086b167b405df8a1d" alt="identified" width="1915" height="984" data-path="en/latest/poc/guides/images/sbom-workbench/identified.png" />

You can also browse identified components by navigating to the **Identified** tab in the left
sidebar:

<img src="https://mintcdn.com/scanoss/56Q6EAR2FpK8okeJ/en/latest/poc/guides/images/sbom-workbench/identified-tab.png?fit=max&auto=format&n=56Q6EAR2FpK8okeJ&q=85&s=2d0ba19b67c70c3db783d3cd8aba2549" alt="identified-tab" width="1913" height="962" data-path="en/latest/poc/guides/images/sbom-workbench/identified-tab.png" />

***

## Auditing Your Project

### Working with Detected Components

The **Detected Components** tab is where you review and act on the component matches found during
your scan. This is the primary interface for working through matched files and recording
identification decisions.

<img src="https://mintcdn.com/scanoss/56Q6EAR2FpK8okeJ/en/latest/poc/guides/images/sbom-workbench/detected-components.png?fit=max&auto=format&n=56Q6EAR2FpK8okeJ&q=85&s=4ba9eda9c4efeeea9fa8cf876be8ea38" alt="detected-components" width="1918" height="982" data-path="en/latest/poc/guides/images/sbom-workbench/detected-components.png" />

After scanning, **SBOM Workbench** organises matched files into **component cards** — visual
groupings of files that all matched the same open source component.

#### Understanding the Interface

##### File Status Indicators

The file tree on the left displays visual status indicators to help you navigate and filter
results:

<img src="https://mintcdn.com/scanoss/56Q6EAR2FpK8okeJ/en/latest/poc/guides/images/sbom-workbench/file-tree.png?fit=max&auto=format&n=56Q6EAR2FpK8okeJ&q=85&s=eb05f37baac15072a676a84eb26e0192" alt="file-tree" width="401" height="472" data-path="en/latest/poc/guides/images/sbom-workbench/file-tree.png" />

* **Pending**: Files that matched the SCANOSS database and are awaiting review
* **Identified**: Files you have accepted and confirmed
* **Original**: Files you have marked as belonging to your own codebase
* **No Match**: Files that were scanned but returned no match
* **Ignored**: Files excluded from scanning

##### Filters

Use filters to focus your audit workflow:

<img src="https://mintcdn.com/scanoss/CGx6neJV8jANGZpq/en/latest/poc/guides/images/sbom-workbench/usage-filter.png?fit=max&auto=format&n=CGx6neJV8jANGZpq&q=85&s=eaf7220a9c06fbaa99436209c14a272e" alt="usage-filter" width="403" height="446" data-path="en/latest/poc/guides/images/sbom-workbench/usage-filter.png" />

* **File**: Show results based on full-file matches (100% match)
* **Snippet**: Show results based on partial matches (less than 100% match)
* **Dependency**: Show results based on project dependencies

<img src="https://mintcdn.com/scanoss/56Q6EAR2FpK8okeJ/en/latest/poc/guides/images/sbom-workbench/filter-matches.png?fit=max&auto=format&n=56Q6EAR2FpK8okeJ&q=85&s=4bcce1b149f031d866dadf6817729ab0" alt="filter-matches" width="490" height="358" data-path="en/latest/poc/guides/images/sbom-workbench/filter-matches.png" />

The file tree updates to display only the files that satisfy the selected filters.

#### Component Cards

**Component cards** are visual groupings in the file tree that organise files by their matched
component.

<img src="https://mintcdn.com/scanoss/56Q6EAR2FpK8okeJ/en/latest/poc/guides/images/sbom-workbench/components.png?fit=max&auto=format&n=56Q6EAR2FpK8okeJ&q=85&s=c88e1e93a90a98ea5ad2e1b02e50c8ab" alt="components" width="1915" height="990" data-path="en/latest/poc/guides/images/sbom-workbench/components.png" />

Each card represents:

* A single open source component that was detected
* All files in your project that matched that component
* A way to review and take action on multiple files at once

***

### Identifying Components

Identification is the primary step in the audit workflow. For each matched component, you decide
whether to accept the match, modify its details, or mark the file as part of your original code.

#### The Identify Process

To review and act on individual files within a component card:

1. **Expand the component card** to see all files that matched it.
2. **Click on a file** to view match details in the code viewer.
3. **Review the match percentage** and source code comparison.
4. **Make your decision**:
   * Click **Identify** to accept the match.
   * Click **Mark as Original** if the code belongs to your own codebase or the match is a false
     positive.

#### Using the Identify Dialogue

When you click **Identify**, a dialogue will appear:

<img src="https://mintcdn.com/scanoss/56Q6EAR2FpK8okeJ/en/latest/poc/guides/images/sbom-workbench/identify-settings.png?fit=max&auto=format&n=56Q6EAR2FpK8okeJ&q=85&s=eb93f396becfc2f8b583922aa0c04adb" alt="identify-settings" width="879" height="830" data-path="en/latest/poc/guides/images/sbom-workbench/identify-settings.png" />

The dialogue includes the following fields:

* **Component name**: Pre-populated from the match
* **Version**: Detected version (editable if incorrect)
* **Licence**: Associated licence
* **PURL**: Package URL — a standardised identifier for the component
* **URL**: Link to the component's repository
* **Usage**: How the component is used — `File`, `Snippet`, or `Pre-requisite`
* **Notes**: Optional field for recording your reasoning or context

#### Marking as Original

Use **Mark as Original** when:

* The match is incorrect or a false positive
* The code belongs to your own codebase
* Code similarity is coincidental

Files marked as original are excluded from your SBOM and displayed with a dark grey indicator in
the file tree.

***

### Re-scanning and Identification Persistence

When you re-scan a project that already has confirmed identifications, **SBOM Workbench preserves your previous identification decisions by design**. This ensures that your audit work is not lost between scans.

#### How Re-scan Behaviour Works

* **Previously confirmed components remain in their confirmed state** after a re-scan, even if the underlying source code has been modified (e.g. adding debug code to an OSS-derived file). This is expected and intentional behaviour.
* **If the scan detects a new or larger snippet** that provides a more accurate match than a previously confirmed identification, the updated result may require re-validation to confirm the new identification.
* **If the existing identification is still valid** (i.e. no new or improved match was found), no further action is needed, the confirmed state is retained automatically.

In short: unchanged identifications are preserved, only new or improved matches prompt re-confirmation.

#### Modifying a Previously Confirmed Identification

If you need to update or change a confirmed identification after a re-scan, there are two ways to do this depending on how the original confirmation was applied:

1. **File-level identification**: If the confirmation was applied at the file level, navigate to the file in the file tree, open the file identification view, and use the **Remove identification** button to clear the existing decision. You can then re-identify the file as needed.

<img src="https://mintcdn.com/scanoss/56Q6EAR2FpK8okeJ/en/latest/poc/guides/images/sbom-workbench/file-level-identification.png?fit=max&auto=format&n=56Q6EAR2FpK8okeJ&q=85&s=e278ae8890d06c95e3874e5a787cea43" alt="file-level-identification" width="1778" height="276" data-path="en/latest/poc/guides/images/sbom-workbench/file-level-identification.png" />

2. **Component-level identification**: If the confirmation was applied at the component level, navigate to the component view, where you can use the **Restore All** option or manage individual file statuses directly.

<img src="https://mintcdn.com/scanoss/56Q6EAR2FpK8okeJ/en/latest/poc/guides/images/sbom-workbench/component-level-identification.png?fit=max&auto=format&n=56Q6EAR2FpK8okeJ&q=85&s=598c99c8ebdd44b3ad2b79da6d57b886" alt="component-level-identification" width="1778" height="324" data-path="en/latest/poc/guides/images/sbom-workbench/component-level-identification.png" />

> **Tip**: Use the **Snippet** filter in the Detected Components view to quickly locate files matched via snippet detection, making it easier to review modified files after a re-scan.

***

### Reusing a Project as It Evolves

As your codebase gains new features and releases, you'll want to re-scan it without redoing your entire audit each time.

The [Re-scanning and Identification Persistence](#re-scanning-and-identification-persistence) behaviour above applies when you re-scan the same project in place. When you instead track each release as its own Workbench project, SBOM Workbench maintains continuity through a structured project lifecycle and the Import identifications from feature, described below.

Before walking through the workflow, it's worth clarifying a common misconception about what actually carries your audit forward.

#### What `scanoss.json` Does (and Doesn't) Persist

In SBOM Workbench, `scanoss.json` is a rules-based configuration file, not a complete record of your project state. It stores include / remove / replace rules that are applied during scanning, and it can pre-apply known decisions to help reduce repeated manual triage on subsequent scans.

What it does not do is restore your full Workbench audit state. Prior confirmations, UI-level decisions, notes and project history are not reconstructed from `scanoss.json` alone.

> In some other SCANOSS tools, `scanoss.json` plays a broader persistence role. In SBOM Workbench specifically, treat it as a mechanism for scan tuning and rule reuse, not as a substitute for your saved project.

To preserve full audit state, export your Workbench project as a .zip archive (see [Exporting a Project](#difference-between-exporting-an-sbom-file-and-exporting-a-project)). The project archive, not `scanoss.json`, is what lets you restore or transfer a complete audit.

#### The Project Lifecycle Workflow

Follow this cycle to carry identification decisions from one version of a repository to the next:

1. **Run the initial scan** - Create a new Workbench project from the repository and complete the first scan.
2. **Perform full component identification** - Complete the baseline audit: review detected components, confirm correct matches, correct misidentified components, and mark internal or false-positive code appropriately.
3. **Export outputs and preserve project state** - Once the baseline audit is complete, export your SBOM reports in your preferred format (SPDX, CycloneDX, CSV, etc.). At this stage you can also:
   * Export and retain `scanoss.json` for scan tuning, identification-rule reuse, and dependency/context configuration.
   * Export the Workbench project as a `.zip` file to preserve the full audit state locally for backup or transfer.
4. **Update the repository and re-scan** - When the source code evolves with new features or changes, update the repository and run a new scan in SBOM Workbench. Ensure the previous Workbench project is still available in your dashboard. If it has been removed, use Import Workbench Project to restore it from the previously exported `.zip`.
5. **Import previous identifications into the new scan** - After scanning the updated project, navigate to Detected Components, right-click the top-level folder in the file tree, and select Import identifications from. Choose the previous version of the same project, proceed through the import flow, and review the preview of identifications to ensure all prior decisions are correctly mapped to the new scan results.

<img src="https://mintcdn.com/scanoss/TbN5NIQZ-CJ9m8XS/en/latest/poc/guides/images/sbom-workbench/import-identifications-from.png?fit=max&auto=format&n=TbN5NIQZ-CJ9m8XS&q=85&s=01c1fe8f7dd1d4600353317209de0d25" alt="import-identifications-from" width="1917" height="987" data-path="en/latest/poc/guides/images/sbom-workbench/import-identifications-from.png" />

<img src="https://mintcdn.com/scanoss/TbN5NIQZ-CJ9m8XS/en/latest/poc/guides/images/sbom-workbench/import-from-projects.png?fit=max&auto=format&n=TbN5NIQZ-CJ9m8XS&q=85&s=6721ef366040296979f0e6e4da77c307" alt="import-from-projects" width="677" height="666" data-path="en/latest/poc/guides/images/sbom-workbench/import-from-projects.png" />

<img src="https://mintcdn.com/scanoss/TbN5NIQZ-CJ9m8XS/en/latest/poc/guides/images/sbom-workbench/preview-identifications.png?fit=max&auto=format&n=TbN5NIQZ-CJ9m8XS&q=85&s=d30f6e4f06020a9ad72a09632da9baa0" alt="preview-identifications" width="653" height="656" data-path="en/latest/poc/guides/images/sbom-workbench/preview-identifications.png" />

6. **Review only new or changed components** - Once the import completes, SBOM Workbench carries forward your previous identification decisions, so your focus shifts only to the newly introduced or changed components in the updated version.
7. **Repeat for each release** - Every new version follows the same cycle: update repository → scan → import previous identifications → review delta changes → identify new components → export updated outputs.

> If a project is deleted and recreated, its audit state is not recoverable unless you import the original Workbench project `.zip` archive. `scanoss.json` alone cannot reconstruct full audit history or prior UI-level decisions.

***

### Managing Dependencies

When your project contains dependency manifest files, they appear in the **Dependencies** section.

<img src="https://mintcdn.com/scanoss/56Q6EAR2FpK8okeJ/en/latest/poc/guides/images/sbom-workbench/dependencies-components.png?fit=max&auto=format&n=56Q6EAR2FpK8okeJ&q=85&s=ecc9b2c38f7b0a57660e4084c200ae71" alt="dependencies-components" width="1914" height="985" data-path="en/latest/poc/guides/images/sbom-workbench/dependencies-components.png" />

#### Accepting Dependencies

1. Click on a dependency manifest file.
2. Review the list of declared dependencies.
3. Hover over each dependency.
4. Click **Accept** to confirm it is intentionally used.

Accepted dependencies display a **green indicator** and move to the **Identified Dependencies**
section.

#### Dismissing Dependencies

Click **Dismiss** for:

* Development dependencies not included in production builds
* Transitive dependencies you wish to exclude from the SBOM
* False positives in dependency detection

#### Dependency Status

* **Pending**: No action taken yet
* **Identified**: You have confirmed this dependency
* **Dismissed**: Excluded from your SBOM

***

## Advanced Features

### Search Keywords

**Search Keywords** allows you to search your project files for specific text patterns. It is
particularly useful for:

* **Finding licence declarations**: Search for terms such as "license", "copyright", or "GPL"
* **Locating specific components**: Search for library names or import statements
* **Compliance auditing**: Find files containing specific legal terms
* **Code pattern detection**: Search for technical keywords
* **Custom searches**: Any text pattern relevant to your audit

<img src="https://mintcdn.com/scanoss/CGx6neJV8jANGZpq/en/latest/poc/guides/images/sbom-workbench/search-keywords.png?fit=max&auto=format&n=CGx6neJV8jANGZpq&q=85&s=e739672f5e8804a529504afe63d77804" alt="search-keywords" width="1915" height="984" data-path="en/latest/poc/guides/images/sbom-workbench/search-keywords.png" />

#### How to Use Search Keywords

1. Type your search term in the search box.
2. Press **Enter**.
3. Review the list of files containing your keyword.

<img src="https://mintcdn.com/scanoss/CGx6neJV8jANGZpq/en/latest/poc/guides/images/sbom-workbench/search-test.png?fit=max&auto=format&n=CGx6neJV8jANGZpq&q=85&s=8431a1cb15c3650455e9e2c498c456c6" alt="search-test" width="1641" height="972" data-path="en/latest/poc/guides/images/sbom-workbench/search-test.png" />

4. Select files from the results.
5. Click **Identify** and manually choose which component they belong to.
6. Alternatively, click **Mark as Original** if the files belong to your own codebase.

#### Creating Keyword Groups

Click the group icon to the right of the search bar to create and save custom keyword groups for
repeated use:

<img src="https://mintcdn.com/scanoss/56Q6EAR2FpK8okeJ/en/latest/poc/guides/images/sbom-workbench/group-keywords.png?fit=max&auto=format&n=56Q6EAR2FpK8okeJ&q=85&s=05934668a178be579f8c725b06003641" alt="group-keywords" width="1917" height="984" data-path="en/latest/poc/guides/images/sbom-workbench/group-keywords.png" />

**Keyword groups** are:

* Saved collections of related keywords
* Reusable search templates
* Named sets for specific purposes (e.g., "Licence Keywords", "Security Terms")

**To create a group:**

1. Click the **+** button.
2. Enter a name for the group.
3. Enter your keywords.
4. Click **Create**.

**To use a saved group:**

1. In the **Group Keywords** dialogue, select the group you want to use.
2. Click **Accept**.
3. The search executes automatically using all keywords in that group.

***

## Reviewing Your Work

### The Identified Tab

After completing your audit, navigate to **Reports** → **Identified** to review your final
results.

#### What You'll See

The **Identified** tab mirrors the structure of the **Detected** tab but displays only the
components and files you have explicitly reviewed and confirmed.

#### Verifying Your Audit

**Check for completeness:**

1. Review the summary metrics in the **Identified** tab.
2. Confirm that all critical components have been identified.
3. Verify that dependencies have been accepted or dismissed as appropriate.
4. Check that the vulnerability and cryptography counts are consistent with your audit decisions.

#### Checking Identified vs Detected

Compare the two tabs to confirm:

* All significant matches have been addressed.
* No critical components remain unreviewed in the **Detected** tab.
* Your audit satisfies the requirements of your project or compliance process.
