SCANOSS Curation Flow

[Figure: SCANOSS Curation Flow diagram showing the relationship between local scanning, fingerprint transmission, and the knowledge base]

The SCANOSS Knowledge Base

At the core of SCANOSS is a continuously maintained open-source knowledge base built from publicly available open-source projects. The knowledge base does not contain customer code. Instead, it stores:
  • derived fingerprints from known open-source code,
  • component and version identifiers,
  • licence information,
  • and other metadata required to contextualise results.
When SCANOSS runs locally, only derived fingerprints are compared against this reference data. This architecture enables accurate identification of open-source usage without transferring or storing user source code. The knowledge base evolves continuously as new projects, versions, and metadata are added, ensuring that software intelligence remains current as the open-source ecosystem changes.

Security Model

SCANOSS is designed so that analysing software composition does not require exposing source code or trusting opaque processing. Source code never leaves the user’s environment. Derived fingerprints are computed locally, filenames are hashed before transmission, and only those derived values are sent for analysis. No proprietary or sensitive code is uploaded or reconstructed at any point. This design allows organisations to analyse both declared and undeclared open-source usage while maintaining full control over intellectual property. Declared usage refers to components listed in a dependency manifest; undeclared usage refers to code that is present in a codebase but not explicitly referenced.

Open Source and Standards

The scanning engine and fingerprinting algorithms used by SCANOSS are fully open source. This allows independent inspection of how detection works and how results are produced. All outputs conform to open standards such as SPDX and CycloneDX. SBOMs and analysis results remain portable and interoperable, avoiding vendor lock-in and supporting long-term reuse of software intelligence across tools and processes.
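The three sections above describe one pipeline: fingerprints are derived locally, only hashed filenames and fingerprints leave the user's environment, the comparison happens against a knowledge base of fingerprints plus metadata, and the result is emitted in an open SBOM format. The following Python is an added illustration of that pipeline and is not SCANOSS code; it does not reproduce SCANOSS's real fingerprinting algorithm. It assumes a deliberately simple scheme (one truncated SHA-256 per normalised source line) and a constructed knowledge base entry (`example-strutils`, its purl and licence are made up for the example). The point it demonstrates is checkable: the request sent off-host contains no source text, yet a copied function is still identified as undeclared use of a known component, and the match is written out as a minimal CycloneDX 1.5 document.

```python
"""Illustrative local-fingerprint scan (example code, not SCANOSS's own).

Assumptions (simplifications for the example):
  - a fingerprint is a truncated SHA-256 of a whitespace-stripped source line;
  - filenames are hashed before they leave the scanning host;
  - the knowledge base holds fingerprints and component metadata only.
"""
import hashlib
import json


def _normalise(line: str) -> str:
    # Strip all whitespace and case so re-indented copies still match.
    return "".join(line.split()).lower()


def file_fingerprints(source: str) -> set:
    """Derive fingerprints from source text; the text itself is never kept."""
    fps = set()
    for line in source.splitlines():
        n = _normalise(line)
        if len(n) < 8:  # skip blanks, lone braces and other trivial lines
            continue
        fps.add(hashlib.sha256(n.encode()).hexdigest()[:16])
    return fps


def hash_filename(path: str) -> str:
    """Filenames are hashed before transmission, as the page describes."""
    return hashlib.sha256(path.encode()).hexdigest()[:16]


# Constructed knowledge-base entry: a known open-source snippet plus metadata.
KNOWN_SNIPPET = """
def levenshtein(a, b):
    if not a: return len(b)
    if not b: return len(a)
    if a[0] == b[0]: return levenshtein(a[1:], b[1:])
    return 1 + min(levenshtein(a[1:], b), levenshtein(a, b[1:]), levenshtein(a[1:], b[1:]))
"""
KNOWLEDGE_BASE = [
    {"component": "example-strutils", "version": "1.2.0", "license": "MIT",
     "purl": "pkg:pypi/example-strutils@1.2.0",   # constructed identifier
     "fingerprints": file_fingerprints(KNOWN_SNIPPET)},
]


def build_request(path: str, source: str) -> dict:
    """Everything that would leave the user's environment: hashed name + fingerprints."""
    return {"file": hash_filename(path),
            "fingerprints": sorted(file_fingerprints(source))}


def match(request: dict, kb: list, threshold: float = 0.6):
    """Reference-side comparison; works on fingerprints alone, never on source."""
    fps = set(request["fingerprints"])
    best = None
    for entry in kb:
        shared = fps & entry["fingerprints"]
        score = len(shared) / max(len(entry["fingerprints"]), 1)
        if score >= threshold and (best is None or score > best["score"]):
            best = {"component": entry["component"], "version": entry["version"],
                    "license": entry["license"], "purl": entry["purl"],
                    "score": round(score, 2)}
    return best


def to_cyclonedx(matches: list) -> dict:
    """Minimal CycloneDX 1.5 JSON listing the matched components."""
    return {
        "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
        "components": [
            {"type": "library", "name": m["component"], "version": m["version"],
             "purl": m["purl"], "licenses": [{"license": {"id": m["license"]}}]}
            for m in matches
        ],
    }


# Constructed scan targets: one file that silently copied the known function
# (undeclared usage, re-indented), and one file with only original code.
COPIED = """
# internal helper copied from a blog post years ago
def levenshtein(a, b):
  if not a: return len(b)
  if not b: return len(a)
  if a[0] == b[0]: return levenshtein(a[1:], b[1:])
  return 1 + min(levenshtein(a[1:], b), levenshtein(a, b[1:]), levenshtein(a[1:], b[1:]))

def score(name, candidates):
    return min(candidates, key=lambda c: levenshtein(name, c))
"""
ORIGINAL = """
def greet(user):
    return f"hello, {user}"
"""

if __name__ == "__main__":
    req = build_request("src/proprietary/strings.py", COPIED)
    print("request contains source text:", "levenshtein" in json.dumps(req))
    hit = match(req, KNOWLEDGE_BASE)
    print("match:", hit)
    print("no match for original code:", match(build_request("src/app.py", ORIGINAL), KNOWLEDGE_BASE))
    print(json.dumps(to_cyclonedx([hit]), indent=2))
```

The practitioner's check is `"levenshtein" in json.dumps(req)` being false: the wire payload is hashes only, so a reviewer can verify the "source never leaves the environment" claim on their own traffic rather than take it on trust. Real snippet fingerprinting is more robust than per-line hashes (this scheme would miss a function with renamed variables), but the separation of concerns is the same: derivation on the host, comparison against reference data, standard output format.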

Deployment Options

SCANOSS can be used as a hosted service or deployed on-premise. On-premise deployment allows organisations with strict security or regulatory requirements to run the platform entirely within their own infrastructure, while retaining the same analysis capabilities and workflow integrations.

Know Your Frankie

Modern software is typically assembled from many open-source components, often introduced incrementally through direct dependencies, transitive dependencies, or code copying. The term “Frankie” refers to a codebase composed of many such parts — some expected, some unintentional — that may not be fully accounted for in dependency declarations. “Know your Frankie” reflects the need to understand what code is actually present in a codebase, rather than relying solely on what is declared in manifests or expected from the build process. SCANOSS provides the software intelligence required to maintain that understanding as projects evolve, dependencies change, and code is reused over time.