
Input & Mode Parameters

| Parameter | Short | Description |
|---|---|---|
| --wfp | -w | Process TARGET as a .wfp fingerprint file, regardless of its actual extension |
| --hpsm | -H | Enable High Precision Snippet Matching mode (requires libhpsm.so installed on the system) |
| --sbom FILE | -s | Use assets declared in the provided CycloneDX/SPDX 2.2 JSON SBOM to guide component identification |
| --blacklist FILE | -b | Exclude assets listed in the provided CycloneDX/SPDX 2.2 JSON SBOM from scan results |
| --force-snippet | | Same as --blacklist, but forces snippet matching regardless of file extension or asset exclusion rules |
| --component HINT | -c | Provide a component name hint to guide scan results |

Matching & Tuning Parameters

| Parameter | Short | Description |
|---|---|---|
| --max-snippets NUM | -M | Search for up to NUM distinct components per file (maximum: 9) |
| --max-components NUM | -N | Set the maximum number of components returned per match (default: 5) |
| --tolerance NUM | -T | Set snippet matching tolerance percentage (default: 0.1) |
| --rank NUM | -r | Set the maximum component rank accepted (default: 11). Lower rank values indicate a closer match to the scanned file |
| --max-files NUM | | Set the maximum number of files to fetch during matching (default: 12000) |
| --min-match-hits NUM | | Set the minimum number of snippet ID hits required for a match (default: 3). Overrides automatic threshold adjustment |
| --min-match-lines NUM | | Set the minimum number of matched lines required per range (default: 10). Overrides automatic threshold adjustment |
| --range-tolerance NUM | | Set the maximum number of non-matched lines tolerated within a range (default: 5) |
| --ignore-file-ext | | Ignore file extension during snippet matching (default: honour extension) |

Output & Utility Parameters

| Parameter | Short | Description |
|---|---|---|
| --attribution FILE | -a | Show attribution notices for the components declared in the provided sbom.json file |
| --key KEY | -k | Show the contents of the specified KEY file from the MZ sources archive |
| --license LICENSE | -l | Display Open Source Automation Development Lab (OSADL) metadata for the given SPDX licence ID |
| --full-license | -L | Enable full licence report |
| --flags FLAGS | -F | Set engine scanning flags (see Flag-Based Configuration below) |
| --name NAME | -n | Set the database name (default: oss) |
| --debug | -d | Write debugging information to disk (/tmp) |
| --quiet | -q | Suppress JSON output (debugging information is still written to STDERR) |
| --test | -t | Run engine performance tests |
| --version | -v | Display the installed version of the SCANOSS Engine |
| --help | -h | Display help information and exit |

Flag-Based Configuration

The -F / --flags parameter accepts a numeric bitmask that controls which data categories are included in or excluded from scan output. Flags can also be set persistently in /etc/scanoss_flags.cfg so that they apply to every scan without needing to be passed on the command line. Flag values are combined by summing their numeric values. For example, to disable both dependencies (4) and licences (8), pass -F 12.

| Flag | Setting |
|---|---|
| 1 | Disable snippet matching (default: enabled) |
| 2 | Enable snippet IDs in output (default: disabled) |
| 4 | Disable dependency data (default: enabled) |
| 8 | Disable licence data (default: enabled) |
| 16 | Disable copyright data (default: enabled) |
| 32 | Disable vulnerability data (default: enabled) |
| 64 | Disable quality data (default: enabled) |
| 128 | Disable cryptography data (default: enabled) |
| 256 | Disable best-match-only filtering (default: enabled) |
| 512 | Hide identified files from output (default: disabled) |
| 1024 | Enable download URL in output (default: disabled) |
| 2048 | Enable path hint logic (default: disabled) |
| 4096 | Disable extended server statistics (default: enabled) |
| 8192 | Disable health layer data (default: enabled) |
| 16384 | Enable increased matching precision (reduced scan speed; default: disabled) |

Environment Variables

| Variable | Description |
|---|---|
| SCANOSS_MATCHMAP_MAX | Set the snippet matching map size (default: 10000) |
| SCANOSS_FILE_CONTENTS_URL | Define the API URL endpoint for retrieving source file contents. If this variable is not defined, source file URLs will be omitted from scan output. |

Configuration File

Flags can be persisted to avoid passing them on every invocation. Write flag values to:
/etc/scanoss_flags.cfg
The file should contain a single integer representing the combined flag value (e.g., 12 to disable both dependencies and licences).
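
The following is an added example, not part of the SCANOSS documentation or code. It is a POSIX shell helper that decodes a flag value using the flag table above, and fails when a value passed with -F or stored in /etc/scanoss_flags.cfg disables data a pipeline depends on. The function names and the REQUIRED_MASK policy are assumptions made for illustration.

```shell
# Decode and audit a SCANOSS -F / --flags bitmask (added example).
# Bit meanings are copied from the flag table on this page.
FLAG_TABLE='1:snippet matching disabled
2:snippet IDs in output enabled
4:dependency data disabled
8:licence data disabled
16:copyright data disabled
32:vulnerability data disabled
64:quality data disabled
128:cryptography data disabled
256:best-match-only filtering disabled
512:identified files hidden from output
1024:download URL in output enabled
2048:path hint logic enabled
4096:extended server statistics disabled
8192:health layer data disabled
16384:increased matching precision enabled'

# Assumption (local policy, not from the page): dependency (4), licence (8),
# vulnerability (32) and cryptography (128) data must stay enabled.
REQUIRED_MASK=$((4 | 8 | 32 | 128))

# Print one line per set bit. Rejects non-numeric input, leading zeros
# (the shell would read them as octal) and bits above the documented range.
# Note: summing equals a bitwise OR only if each flag is used once (4 + 4 = 8).
decode_flags() {
    case "$1" in ''|*[!0-9]*|0?*) echo "not a plain integer: $1" >&2; return 2 ;; esac
    [ "$1" -le 32767 ] || { echo "undocumented bits set: $1" >&2; return 2; }
    printf '%s\n' "$FLAG_TABLE" | while IFS=: read -r bit meaning; do
        if [ $(( $1 & bit )) -ne 0 ]; then echo "$bit $meaning"; fi
    done
}

# Return 0 if no required category is disabled, 1 if one is, 2 on bad input.
audit_flags() {
    decode_flags "$1" >/dev/null || return 2
    bad=$(( $1 & REQUIRED_MASK ))
    [ "$bad" -eq 0 ] && return 0
    echo "flag value $1 disables required data:" >&2
    decode_flags "$bad" >&2
    return 1
}

# Typical use in CI, before scanning:
#   [ -r /etc/scanoss_flags.cfg ] && audit_flags "$(cat /etc/scanoss_flags.cfg)"
```
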

Examples

```bash
# Scan DIRECTORY without licence and dependency data
scanoss -F 12 DIRECTORY
scanoss --flags 12 DIRECTORY

# Scan TARGET including SBOM assets
scanoss --sbom my_sbom.json TARGET

# Scan with custom snippet matching parameters
scanoss --min-match-hits 5 --min-match-lines 15 TARGET

# Scan with custom range tolerance
scanoss --range-tolerance 10 TARGET

# Ignore file extensions during matching
scanoss --ignore-file-ext TARGET
```