Our open source mission

Open source is the foundation of modern software. Yet for years there was a quiet contradiction: the tools used to identify and manage open source were almost entirely proprietary. Software Composition Analysis (SCA) was a closed market, until SCANOSS decided to challenge that status quo.

From day one, every piece of software distributed by SCANOSS has been open source. At SCANOSS, we believe the tools that govern open source should themselves be open.

We contribute to shared infrastructure by supporting structured datasets, aligning with open standards, and collaborating with vendor-neutral foundations. Our commitment is practical: contribute where it strengthens the ecosystem, and build responsibly on top of it.

The irony at the heart of open source

For years, open source was the foundation of nearly every modern application, yet the tools used to identify and manage it were proprietary. The algorithms that fingerprinted open source code were trade secrets. The data that powered them was locked away. And the price tags attached to these tools placed them beyond the reach of many small and medium-sized organisations that form a critical part of the global software supply chain.

SCANOSS set out to change this. We introduced the first open source algorithm for fingerprinting open source code snippets, challenging the idea that transparency had to come at a proprietary price. For the first time, the mechanism used to detect open source in code was itself open, auditable, and available to anyone.

Software Transparency Foundation

But an open algorithm was only meaningful if developers could actually use it. SCANOSS launched a free, anonymous API to which anyone can submit code fingerprints, with no registration or contract and without handing over sensitive data. To ensure independence and neutrality, we founded the Software Transparency Foundation, a dedicated organisation committed to increasing transparency across the software supply chain.

SCANOSS’s approach to transparency evolved through a series of milestones that progressively expanded open infrastructure for the software ecosystem.

Our data journey

Our mission is grounded in sustained technical contribution. Over time, we’ve transformed internal projects into shared datasets that support interoperability, vulnerability management, and standards alignment.

2018 — SCANOSS Engine

We launched the SCANOSS Engine, the first open source scanning engine with built-in SBOM generation, designed to help developers produce compliant code. It moved SBOM creation from a post-development audit to continuous analysis of the code as it is written, with automated detection of licenses, copyrights, vulnerabilities, and dependencies.

2021 — The first break: an open algorithm

We introduced the first open-source algorithm for fingerprinting open-source code snippets. This was a direct challenge to the proprietary status quo, making the mechanism for detecting open-source code open, auditable, and available to everyone.

2021 — Software Transparency Foundation & OSS KB

The Open Source Software Knowledge Base (OSS KB) was launched through the Software Transparency Foundation, with SCANOSS as a founding contributor. The OSS KB provides structured component intelligence accessible via APIs and designed for integration with compliance and SBOM tooling.

2021 — SBOM Workbench and APIs

We released the SCANOSS SBOM Workbench, a graphical user interface for scanning and auditing source code, generating SPDX-Lite SBOMs, and detecting cryptographic algorithm usage across multiple programming languages. We also launched RESTful APIs for querying the OSS KB and performing SCA tasks, so that scan results and risk information can be pulled into CI/CD pipelines in real time.

2022 — purl2cpe Dataset

Released under a CC0 licence, purl2cpe established structured mappings between Package URLs (PURLs) and Common Platform Enumerations (CPEs). PURLs name packages the way their own ecosystems do (npm, PyPI, Maven, and so on), while vulnerability databases such as the NVD index CVEs by CPE, so the mapping lets tooling correlate a package identified in an SBOM with known vulnerabilities across ecosystems.
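As an added illustration of what a PURL-to-CPE mapping enables (this is example code written for this page; it is not the purl2cpe dataset, its file format, or SCANOSS's tooling), the block below parses a PURL according to the PURL specification, looks up a constructed, version-less PURL key in a small mapping to CPE 2.3 formatted strings, and binds the package version into the matched CPE so it can be compared against CPE-indexed vulnerability records. The entries in MAPPING and the vendor/product names in them are illustrative assumptions, not dataset content.

```python
"""Correlate Package URLs (PURLs) with CPE 2.3 names.

Added example for this page: MAPPING is constructed for illustration and is
not the purl2cpe dataset or its format; the CPE vendor/product names in it
are assumptions chosen to look plausible, not data from the project.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from urllib.parse import quote, unquote


@dataclass
class Purl:
    type: str
    namespace: str | None
    name: str
    version: str | None
    qualifiers: dict[str, str] = field(default_factory=dict)
    subpath: str | None = None


def _normalise(ptype: str, namespace: str | None, name: str) -> tuple[str | None, str]:
    """Type-specific case rules from the PURL spec (only pypi, npm, github handled here)."""
    if ptype == "pypi":
        return namespace, name.lower().replace("_", "-")
    if ptype in ("npm", "github"):
        return (namespace.lower() if namespace else namespace), name.lower()
    return namespace, name


def parse_purl(purl: str) -> Purl:
    """Parse pkg:type/namespace/name@version?qualifiers#subpath as the PURL spec describes."""
    scheme, sep, rest = purl.partition(":")
    if scheme.lower() != "pkg" or not sep:
        raise ValueError(f"not a purl: {purl!r}")
    rest, _, subpath = rest.partition("#")        # subpath: everything after the first '#'
    rest, _, qual_str = rest.partition("?")       # qualifiers: between '?' and '#'
    head, at, version = rest.rpartition("@")      # version: right of the LAST '@'
    if not at:                                    # no '@' at all -> no version
        head, version = rest, ""
    head = head.strip("/")
    ptype, _, path = head.partition("/")
    segments = [s for s in path.split("/") if s]
    if not ptype or not segments:
        raise ValueError(f"purl needs a type and a name: {purl!r}")
    name = unquote(segments[-1])                  # last segment is the name
    namespace = "/".join(unquote(s) for s in segments[:-1]) or None
    qualifiers: dict[str, str] = {}
    for item in filter(None, qual_str.split("&")):
        key, _, value = item.partition("=")
        if value:                                 # empty qualifier values are dropped
            qualifiers[key.lower()] = unquote(value)
    namespace, name = _normalise(ptype.lower(), namespace, name)
    return Purl(ptype.lower(), namespace, name, unquote(version) or None,
                qualifiers, unquote(subpath).strip("/") or None)


def purl_key(p: Purl) -> str:
    """Version-less, qualifier-less canonical PURL used as the mapping key."""
    parts = [p.type]
    if p.namespace:
        parts.append("/".join(quote(s, safe="") for s in p.namespace.split("/")))
    parts.append(quote(p.name, safe=""))
    return "pkg:" + "/".join(parts)


def split_cpe(cpe: str) -> list[str]:
    """Split a CPE 2.3 formatted string on unescaped ':' (a backslash escapes the next char)."""
    fields, current, i = [], [], 0
    while i < len(cpe):
        if cpe[i] == "\\" and i + 1 < len(cpe):   # keep escape sequences intact
            current.append(cpe[i:i + 2])
            i += 2
            continue
        if cpe[i] == ":":
            fields.append("".join(current))
            current = []
        else:
            current.append(cpe[i])
        i += 1
    fields.append("".join(current))
    return fields


def _escape_cpe(value: str) -> str:
    """Backslash-escape everything except alphanumerics, '_', '-' and '.' (conservative)."""
    return "".join(c if c.isalnum() or c in "_-." else "\\" + c for c in value)


def bind_version(cpe: str, version: str) -> str:
    """Replace the version field (index 5 of the 13 CPE 2.3 fields) with an escaped value."""
    fields = split_cpe(cpe)
    if len(fields) != 13 or fields[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    fields[5] = _escape_cpe(version)
    return ":".join(fields)


# Constructed mapping (assumption, not dataset content): version-less PURL -> CPE names.
MAPPING: dict[str, list[str]] = {
    "pkg:npm/lodash": ["cpe:2.3:a:lodash:lodash:*:*:*:*:*:node.js:*:*"],
    "pkg:pypi/django": ["cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*"],
    "pkg:maven/org.apache.logging.log4j/log4j-core": ["cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*"],
}


def correlate(purl: str, mapping: dict[str, list[str]] = MAPPING) -> list[str]:
    """Return the CPE names for a PURL with its version bound in; [] when unmapped."""
    p = parse_purl(purl)
    cpes = mapping.get(purl_key(p), [])
    return [bind_version(c, p.version) if p.version else c for c in cpes]


if __name__ == "__main__":
    for example in ("pkg:pypi/Django@4.2.1", "pkg:npm/lodash@4.17.20", "pkg:cargo/serde@1.0.0"):
        print(example, "->", correlate(example) or "no CPE mapping")
```

Two points the example makes that the sentence above cannot: the lookup key has to be normalised the way the PURL spec requires (case rules differ per type, and version and qualifiers are stripped), or the same package spelled two ways will miss the mapping; and a CPE cannot be split naively on ':' because colons inside a field are escaped. A real correlation step would follow this with a comparison of the bound version against the version ranges in each CVE's CPE match criteria, which this example does not do.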

2024 — Cryptographic algorithms dataset

We released an open dataset of cryptographic algorithms with taxonomy and keyword associations, supporting open-source tooling developers. This dataset was later expanded to include real-world feedback and contributions from customers and security experts.

2025 — Standards alignment

Collaboration with the SPDX community led to alignment with the SPDX Cryptographic Algorithms List, so that cryptographic findings can be expressed consistently in both SPDX and CycloneDX SBOM formats.

Each milestone reflects a consistent objective: strengthen shared infrastructure while maintaining interoperability across tools and organisations.

Open source all the way down

What began as a principled stance on algorithms quickly became a company-wide commitment. SCANOSS understood that the market was not just asking for better tools, but for open ones. Openness and transparency had become prerequisites for trust. Today, every piece of software distributed by SCANOSS is open source, without exception.

That decision resonated across the ecosystem. Major open source communities have integrated SCANOSS capabilities into their platforms, including FOSSology, FOSSLight and the OSS Review Toolkit. This kind of adoption does not happen by accident; it happens when tools earn the trust of communities built on openness.

Supporting open source infrastructure

The irony that once defined this industry — open source identification controlled by proprietary tools — no longer has to be the norm. SCANOSS helped change that, and continues to build on it.

Build transparency together

Shared infrastructure improves through collaboration.

Here are a few ways developers and organisations can contribute to the SCANOSS ecosystem.

Improve the datasets

Help expand the transparency infrastructure by contributing to SCANOSS datasets, reporting improvements, or helping refine open source intelligence.

Integrate the tools

Use the SCANOSS Engine, APIs, or Workbench in your projects and workflows. Integration strengthens interoperability across the ecosystem.

Adopt the platform

Use SCANOSS to generate SBOMs, improve compliance visibility, or analyse open source usage in your software supply chain environments.

Every contribution — code, feedback, integration, or adoption — helps strengthen transparency across the software ecosystem.