SBOMs for Modern

SCANOSS is the first affordable, open OSS Inventory & Intelligence platform that was built specifically for modern DevSecOps and supply chains, empowering them to deliver greater license, security, quality and provenance visibility and control for DevSecOps teams and their supply chain partners. By freeing developers to focus on writing great, secure and compliant code that they and their team can completely trust, applications are finished earlier, their quality is consistently higher, and development costs are dramatically lower.

SCANOSS product header
SBOM Workbench

Identifying Declared and Undeclared OSS Components.

SCANOSS generates software bill of materials (SBOMs) that provide comprehensive and accurate information about the open source software (OSS) components used in a software application, including AI-generated code. It does this by analyzing the source code of the application and creating an inventory of all the OSS components used, including declared and undeclared components.

SCANOSS is able to identify both declared and undeclared OSS components used in the codebase. Declared components are those that are explicitly listed in the source code, while undeclared components are those that are used but not listed in the code. By using advanced techniques such as code fingerprinting and machine learning, SCANOSS can identify these undeclared components, providing a more comprehensive view of the software supply chain and reducing the risk of OSS vulnerabilities going undetected.

Unrivaled OSS Risk Visibility

Open source software (OSS) is an integral part of modern software development, and it's often used to speed up development and reduce costs. However, OSS can also pose significant risks if not managed properly. That's where OSS intelligence and a 360-degree view of risk come in.

With SCANOSS, DevSecOps teams can gain a comprehensive view of the open source components in use, including their licenses, vulnerabilities, trade compliance and other risks. By utilizing this intelligence, teams can make informed decisions about their software supply chain, identify potential risks early in the development process, and take action to mitigate them. This approach allows for more secure and compliant software development, reducing the likelihood of costly and damaging security breaches.

SBOM Workbench
spider web
Continuous component identification
and SBOM
icon team Built specifically
for development teams

Empower developers to confidently produce compliant code, while providing greater license visibility to the team.

icon team Fully configurable and 100%
Open Source

No proprietary algorithms, no closed binaries and definitely no corporate source code. Everything is entirely open and available.

icon team Architected for speed
and velocity

‘Start left’ in the development lifecycle by performing continuous SBOM validations instead of waiting on one final audit at the end.


Open Source Knowledge Base


It’s big.

3 trillion

lines of known OSS code

100 billion

known OSS files

216 million

known OSS URLs

Get in Touch external icon

SCANOSS boasts the largest Open Source knowledgebase in the market, with 188 million URLs of open source software, 100 billion files, and over 3 trillion lines of code. This extensive database allows for the detection of both declared and undeclared open source components. SCANOSS achieves this impressive feat through its cutting-edge open source mining network, which runs fully unmanned and tracks new software versions and components in real time as they are published.

engine icon

Open Inventorying Engine

To analyze & compare Open Source Code snippets, filters or Winnowing fingerprints.

document icon


Continuously generate an open Software Bill of Materials. Store your SBOM in SPDX or CycloneDX.

vector box

Open Indexing Algorithm

Using an open algorithm called ‘winnowing’ to store OSS files, snippets & code.

vector box

Open RESTful API

Client side applications and middleware can leverage this API to interact with the SCANOSS Engine.

vector box

Open Database Engine

Your query performance is critical. Our Knowledge Base has already passed 2 trillion fingerprints.

vector box

Open Webhooks & CLI

Trigger secure source code analysis with every git push using webhooks or embed it into your CI/CD pipelines using the CLI.

"Fully integrated into your
Development Tools
and Processes"

  • 100% Open architecture allows for easy integrations
  • Native support for most DevOps toolchains
  • Integrate with existing SCA tooling without overlap (e.g. SPDX)
  • Open data architecture allows for comparable results
SBOMs are finally
available to everyone!

SBOM Workbench is a desktop app that requires no installation and runs on-the-fly on any Windows, macOS or Linux computer.

linux icon apple icon apple icon apple icon github icon
SCA Tools: Feature Comparison
Feature SCANOSS Other OSS SCA tools Commercial
SCA tools
Precise IDs PURL Arrays PURL PURL Arrays Vendor and component names
License detection
SCANOSS provides an efficient license compliance solution, detecting open-source components in your software to ensure adherence to their respective licenses. Its snippet-level matching accurately identifies even minor fragments of code, guaranteeing comprehensive compliance and reducing legal vulnerabilities.
Yes Yes Proprietary
Copyright statements Yes Yes Yes
Attribution notices Yes Limited Limited
SCANOSS pinpoints known vulnerabilities within your software by scanning for open-source components and matching them against vulnerability databases. With snippet-level precision, it ensures thorough detection, safeguarding your software from potential security threats.
Yes Yes Yes
SCANOSS identifies both declared and undeclared dependencies in your software. It detects components listed in dependency files and, crucially, uncovers hidden dependencies by scanning for included component files and snippets, providing a comprehensive view of your software's composition.
Yes Yes Yes
Cryptographic Algorithms (ECCN) Yes No No
Health metrics Yes No data Yes
Service Quality
SCANOSS offers a security quality functionality that utilizes Semgrep to evaluate every component in its extensive knowledgebase. It identifies deviations from established good practice security rules, ensuring components adhere to top-notch security standards and helping users maintain a secure software environment.
Yes. Static Code Analysis data on entire knowledgebase Yes Yes
Code Quality Metrics Yes Yes Yes
Reporting format SPDX and CycloneDX SPDX and CycloneDX Proprietary and SPDX
Binary Analysis Yes Yes Yes
Tool transparency Yes Yes Closed-source
On-premise deployment Yes Yes Yes
Offline On-premise deployment
SCANOSS's on-premise deployment offers unparalleled security and privacy by operating in complete isolation. This ensures that sensitive data never leaves the organization's infrastructure, providing the utmost assurance in data protection and compliance with stringent privacy standards.
Yes + Zero visibility Yes Requires access
API-centric API/centric N/A Partial/limited API functionality
Portable UI Multiplatform app Server side applications Server side applications
Command Line Interface (CLI) Yes Yes Limited functionality
Air-gap scanning Yes No Limited to 5Gb
Policy Manager Relies on third-party tools Yes Built-in
Webhook availability Yes N/A Yes, with limitations
Github app Yes No No
Always on-SBOM (as part of revision control) Yes No No
Snippet detection
SCANOSS's snippet-level detection is not only a de-facto standard adopted by leading SCA solutions like FOSSlight, FOSSology, ORT, and TrustSource, but it's also pivotal for organizations to gain the same visibility as any individual in the open-source community. By leveraging SCANOSS, entities ensure they view and assess open-source integrations with the same depth and clarity as community insiders, guaranteeing informed decisions and comprehensive compliance.
Yes No Limited
Snippet detection quality Language-agnostic Not available Limited
Snippet scanning openness Open Source No Proprietary
Declared Component detection Yes Yes Yes
Undeclared Component detection
Undeclared component detection identifies software elements not explicitly listed in project documentation. Many companies only assess declared components, leading to a false sense of security. True protection requires uncovering what's hidden, ensuring comprehensive compliance and risk management.
Yes No Limited
Revenue model Data provider Support Software vendor
Open Source Software 100% Open Source Yes Propietary
SBOM / Data import Yes Yes From own legacy
File-level identification exportation Yes N/A Not available
Access to free product offering Yes Yes Limited

Ready to facilitate the next wave of Open Source adoption?

Get in touch