
What SCANOSS Does

SCANOSS identifies open-source code used in software projects by analysing source code directly. This includes:
  • Declared dependencies defined in manifests.
  • Undeclared usage such as embedded components, copied files, and reused code fragments.
By working from source code rather than dependency declarations alone, SCANOSS provides a more comprehensive and verifiable view of software composition. The results are translated into software risk intelligence that describes not just what open-source code is present, but also the associated licensing, security, and compliance metadata.

How SCANOSS Works

SCANOSS operates by combining local scanning with reference data and integrated tooling:
  1. Fingerprinting: A CLI tool examines source code locally and generates fingerprints based on file content.
  2. Matching: Those fingerprints are compared against reference data from a large open-source knowledge base maintained by SCANOSS.
  3. Output: Identified components are assembled into standards-based SBOMs (e.g. SPDX, CycloneDX) and enriched with metadata that supports risk analysis.
The platform’s interfaces — including the Python CLI, REST API, and graphical workbench — let developers and tools consume this software risk intelligence where they need it.
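As an added illustration of the three steps above (this is not SCANOSS's own fingerprinting algorithm, CLI or knowledge base), the following Python walks fingerprint, match and output end to end with a deliberately simple scheme: a SHA-256 of the whole file catches verbatim copies, and CRC32 hashes of every three consecutive non-blank lines catch a function pasted into otherwise local code. The two reference components, their licenses, the scanned files and the coverage threshold are all constructed for the example; real scanners also subsample fingerprints (for instance with winnowing) so the index stays small, which this example skips for clarity.

```python
"""Added illustration of fingerprint -> match -> SBOM. Not SCANOSS's algorithm, API or data.
Assumed scheme: whole-file SHA-256 for exact copies plus CRC32 "shingles" of K stripped,
non-blank lines for pasted fragments that a manifest-only scan can never see."""
import hashlib
import json
import zlib
from collections import Counter, defaultdict

K = 3                       # lines per shingle (assumed value, chosen for readability)
MIN_SNIPPET_COVERAGE = 0.2  # fraction of a file's shingles that must hit one component

# Constructed reference sources standing in for a knowledge base; not real packages.
TINYJSON_SRC = """\
def parse_number(tok):
    if "." in tok:
        return float(tok)
    return int(tok)

def parse_string(tok):
    assert tok[0] == '"' and tok[-1] == '"'
    return tok[1:-1]
"""
LRUCACHE_SRC = """\
from collections import OrderedDict
class LRU:
    def __init__(self, n):
        self.n, self.d = n, OrderedDict()
    def get(self, k):
        self.d.move_to_end(k)
        return self.d[k]
"""
KNOWLEDGE_BASE = {  # purl -> (SPDX license id, source text); constructed sample data
    "pkg:github/example/tinyjson@1.0.0": ("MIT", TINYJSON_SRC),
    "pkg:github/example/lrucache@2.1.0": ("Apache-2.0", LRUCACHE_SRC),
}
# Constructed project under scan: a verbatim copy, a pasted and re-indented function
# that no manifest declares, and a genuinely local file.
SCANNED_TREE = {
    "vendor/tinyjson.py": TINYJSON_SRC,
    "app/cli.py": """\
import sys

# pasted years ago from a blog post, never declared anywhere
def parse_number(tok):
  if "." in tok:
    return float(tok)
  return int(tok)

if __name__ == "__main__":
  print(parse_number(sys.argv[1]))
""",
    "app/greet.py": """\
def greet(name):
    msg = "hello " + name
    return msg.upper()
""",
}

def normalize(text):
    """Drop blank lines and surrounding whitespace so re-indentation does not defeat matching."""
    return [ln.strip() for ln in text.splitlines() if ln.strip()]

def file_fingerprint(text):
    return hashlib.sha256(text.encode()).hexdigest()

def snippet_fingerprints(text, k=K):
    lines = normalize(text)
    return {zlib.crc32("\n".join(lines[i:i + k]).encode()) for i in range(len(lines) - k + 1)}

def build_index(kb):
    """Step 2's reference data: exact-file hashes plus shingle -> component lookups."""
    files, snippets = {}, defaultdict(set)
    for purl, (_license, src) in kb.items():
        files[file_fingerprint(src)] = purl
        for fp in snippet_fingerprints(src):
            snippets[fp].add(purl)
    return files, snippets

def match_file(path, text, index):
    """Steps 1 and 2 for one file: whole-file hit first, else best snippet hit above threshold."""
    files, snippets = index
    purl = files.get(file_fingerprint(text))
    if purl:
        return {"path": path, "purl": purl, "match_type": "file", "matched": 1, "total": 1}
    fps = snippet_fingerprints(text)
    hits = Counter(p for fp in fps for p in snippets.get(fp, ()))
    if not hits:
        return None
    purl, n = hits.most_common(1)[0]
    if n / len(fps) < MIN_SNIPPET_COVERAGE:
        return None
    return {"path": path, "purl": purl, "match_type": "snippet", "matched": n, "total": len(fps)}

def to_cyclonedx(matches, kb):
    """Step 3: minimal CycloneDX 1.5 document; match evidence travels in custom properties."""
    components = []
    for m in matches:
        name, version = m["purl"].rsplit("/", 1)[1].split("@")
        components.append({
            "type": "library", "name": name, "version": version, "purl": m["purl"],
            "licenses": [{"license": {"id": kb[m["purl"]][0]}}],
            "properties": [{"name": "example:match_type", "value": m["match_type"]},
                           {"name": "example:file", "value": m["path"]}],
        })
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1, "components": components}

def scan(files, kb=KNOWLEDGE_BASE):
    index = build_index(kb)
    matches = [m for path, text in files.items() if (m := match_file(path, text, index))]
    return matches, to_cyclonedx(matches, kb)

if __name__ == "__main__":
    print(json.dumps(scan(SCANNED_TREE)[1], indent=2))
```

Running it reports `vendor/tinyjson.py` as a whole-file match and `app/cli.py` as a snippet match on two of its six shingles (the pasted `parse_number` body), while `app/greet.py` produces no match; only the first of those would ever appear in a manifest-driven inventory, and the pasted function is exactly the undeclared usage the section describes.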