SBOMs for Modern
DevSecOps
SCANOSS is the first affordable, open OSS Inventory & Intelligence platform that was built specifically for modern DevSecOps and supply chains, empowering them to deliver greater license, security, quality and provenance visibility and control for DevSecOps teams and their supply chain partners. By freeing developers to focus on writing great, secure and compliant code that they and their team can completely trust, applications are finished earlier, their quality is consistently higher, and development costs are dramatically lower.
Identifying Declared and Undeclared OSS Components.
SCANOSS generates software bill of materials (SBOMs) that provide comprehensive and accurate information about the open source software (OSS) components used in a software application, including AI-generated code. It does this by analyzing the source code of the application and creating an inventory of all the OSS components used, including declared and undeclared components.
SCANOSS is able to identify both declared and undeclared OSS components used in the codebase. Declared components are those that are explicitly listed in the source code, while undeclared components are those that are used but not listed in the code. By using advanced techniques such as code fingerprinting and machine learning, SCANOSS can identify these undeclared components, providing a more comprehensive view of the software supply chain and reducing the risk of OSS vulnerabilities going undetected.
Unrivaled OSS Risk Visibility
Open source software (OSS) is an integral part of modern software development, and it's often used to speed up development and reduce costs. However, OSS can also pose significant risks if not managed properly. That's where OSS intelligence and a 360-degree view of risk come in.
With SCANOSS, DevSecOps teams can gain a comprehensive view of the open source components in use, including their licenses, vulnerabilities, trade compliance and other risks. By utilizing this intelligence, teams can make informed decisions about their software supply chain, identify potential risks early in the development process, and take action to mitigate them. This approach allows for more secure and compliant software development, reducing the likelihood of costly and damaging security breaches.
and SBOM
Built specifically for development teams
Empower developers to confidently produce compliant code, while providing greater license visibility to the team.
Fully configurable and 100%Open Source
No proprietary algorithms, no closed binaries and definitely no corporate source code. Everything is entirely open and available.
Architected for speed and velocity
‘Start left’ in the development lifecycle by performing continuous SBOM validations instead of waiting on one final audit at the end.
Open Source Knowledge Base
(OSSKB)
It’s big.
3 trillion
lines of known OSS code
100 billion
known OSS files
216 million
known OSS URLs
SCANOSS boasts the largest Open Source knowledgebase in the market, with 188 million URLs of open source software, 100 billion files, and over 3 trillion lines of code. This extensive database allows for the detection of both declared and undeclared open source components. SCANOSS achieves this impressive feat through its cutting-edge open source mining network, which runs fully unmanned and tracks new software versions and components in real time as they are published.
Open Inventorying Engine
To analyze & compare Open Source Code snippets, filters or Winnowing fingerprints.
Open SBOM
Continuously generate an open Software Bill of Materials. Store your SBOM in SPDX or CycloneDX.
Open Indexing Algorithm
Using an open algorithm called ‘winnowing’ to store OSS files, snippets & code.
Open RESTful API
Client side applications and middleware can leverage this API to interact with the SCANOSS Engine.
Open Database Engine
Your query performance is critical. Our Knowledge Base has already passed 2 trillion fingerprints.
Open Webhooks & CLI
Trigger secure source code analysis with every git push using webhooks or embed it into your CI/CD pipelines using the CLI.
"Fully integrated
into your
Development Tools
and Processes"
- 100% Open architecture allows for easy integrations
- Native support for most DevOps toolchains
- Integrate with existing SCA tooling without overlap (e.g. SPDX)
- Open data architecture allows for comparable results
available to everyone!
SBOM Workbench is a desktop app that requires no installation and runs on-the-fly on any Windows, macOS or Linux computer.
Also available on
| Feature | SCANOSS | Other OSS SCA tools | Commercial SCA tools | |
|---|---|---|---|---|
SBOM DATA AND DECORATION | Precise IDs | PURL Arrays | PURL | PURL Arrays Vendor and component names |
License detection SCANOSS provides an efficient license compliance solution, detecting open-source components in your software to ensure adherence to their respective licenses. Its snippet-level matching accurately identifies even minor fragments of code, guaranteeing comprehensive compliance and reducing legal vulnerabilities. | Yes | Yes | Proprietary | |
| Copyright statements | Yes | Yes | Yes | |
| Attribution notices | Yes | Limited | Limited | |
Vulnerabilities SCANOSS pinpoints known vulnerabilities within your software by scanning for open-source components and matching them against vulnerability databases. With snippet-level precision, it ensures thorough detection, safeguarding your software from potential security threats. | Yes | Yes | Yes | |
Dependencies SCANOSS identifies both declared and undeclared dependencies in your software. It detects components listed in dependency files and, crucially, uncovers hidden dependencies by scanning for included component files and snippets, providing a comprehensive view of your software's composition. | Yes | Yes | Yes | |
| Cryptographic Algorithms (ECCN) | Yes | No | No | |
| Health metrics | Yes | No data | Yes | |
Service Quality SCANOSS offers a security quality functionality that utilizes Semgrep to evaluate every component in its extensive knowledgebase. It identifies deviations from established good practice security rules, ensuring components adhere to top-notch security standards and helping users maintain a secure software environment. | Yes. Static Code Analysis data on entire knowledgebase | Yes | Yes | |
| Code Quality Metrics | Yes | Yes | Yes | |
| Reporting format | SPDX and CycloneDX | SPDX and CycloneDX | Proprietary and SPDX | |
| Binary Analysis | Yes | Yes | Yes | |
ARCHITECTURE | Tool transparency | Yes | Yes | Closed-source |
| On-premise deployment | Yes | Yes | Yes | |
Offline On-premise deployment SCANOSS's on-premise deployment offers unparalleled security and privacy by operating in complete isolation. This ensures that sensitive data never leaves the organization's infrastructure, providing the utmost assurance in data protection and compliance with stringent privacy standards. | Yes + Zero visibility | Yes | Requires access | |
| API-centric | API/centric | N/A | Partial/limited API functionality | |
| Portable UI | Multiplatform app | Server side applications | Server side applications | |
| Command Line Interface (CLI) | Yes | Yes | Limited functionality | |
| Air-gap scanning | Yes | No | Limited to 5Gb | |
| Policy Manager | Relies on third-party tools | Yes | Built-in | |
CI/CD | Webhook availability | Yes | N/A | Yes, with limitations |
| Github app | Yes | No | No | |
| Always on-SBOM (as part of revision control) | Yes | No | No | |
OSS DETECTION | Snippet detection SCANOSS's snippet-level detection is not only a de-facto standard adopted by leading SCA solutions like FOSSlight, FOSSology, ORT, and TrustSource, but it's also pivotal for organizations to gain the same visibility as any individual in the open-source community. By leveraging SCANOSS, entities ensure they view and assess open-source integrations with the same depth and clarity as community insiders, guaranteeing informed decisions and comprehensive compliance. | Yes | No | Limited |
| Snippet detection quality | Language-agnostic | Not available | Limited | |
| Snippet scanning openness | Open Source | No | Proprietary | |
| Declared Component detection | Yes | Yes | Yes | |
Undeclared Component detection Undeclared component detection identifies software elements not explicitly listed in project documentation. Many companies only assess declared components, leading to a false sense of security. True protection requires uncovering what's hidden, ensuring comprehensive compliance and risk management. | Yes | No | Limited | |
VENDOR LOCK-IN | Revenue model | Data provider | Support | Software vendor |
| Open Source Software | 100% Open Source | Yes | Propietary | |
| SBOM / Data import | Yes | Yes | From own legacy | |
| File-level identification exportation | Yes | N/A | Not available | |
| Access to free product offering | Yes | Yes | Limited | |