SCANOSS is an open source software risk intelligence platform that analyses source code to identify declared and undeclared open source usage. It generates accurate, standards-based SBOMs and provides structured insight into software composition, licensing, and security, primarily through a developer-first command-line interface. This page explains what SCANOSS does, how it works at a high level, and the architectural principles behind its security, data handling, and open source design.
SCANOSS identifies open source code used in software projects by analysing source code directly. This includes:
declared dependencies defined in manifests, and
undeclared usage such as embedded components, copied files, and reused code fragments.
By working from source code rather than dependency declarations alone, SCANOSS provides a more complete and verifiable view of software composition. The results are translated into software risk intelligence that helps teams understand not just what open source code is present, but also the associated licensing, security, and compliance implications.
SCANOSS operates by combining local scanning with reference data and integrated tooling:
Fingerprinting: A CLI tool examines source code locally and generates fingerprints based on file content.
Matching: Those fingerprints are compared against reference data from a large open source knowledge base maintained by SCANOSS.
Output: Identified results are assembled into standards-based SBOMs (e.g. SPDX, CycloneDX) and enriched with metadata that supports risk analysis.
The platform’s interfaces — including the Python CLI, REST API, and graphical workbench — let developers and tools consume this software intelligence where they need it.
The SCANOSS Engine is the core scanning engine that performs open source inventory operations. It compares fingerprints against a knowledge base and produces identification results, typically via a CLI invocation.
The LDB (Linked-list database) is a lightweight database format used by the SCANOSS Engine to store and query reference open source data efficiently. It is headless, read-only, and optimised for scanning workloads.
The scanoss-py Python package provides a CLI that developers use to run scans, extract fingerprints, produce SBOMs, and interact with SCANOSS APIs programmatically. It is one of the primary interfaces to the engine and scanning services.
The SBOM Workbench is a graphical user interface that connects to SCANOSS APIs to let users scan and audit source code. It supports interactive review of scan results and exporting SBOMs.
At the core of SCANOSS is a continuously maintained open source knowledge base built from publicly available open source projects. The knowledge base does not contain customer code. Instead, it stores:
fingerprints derived from known open source code,
component and version identifiers,
licence information,
and other metadata required to contextualise matches.
When SCANOSS runs locally, only derived fingerprints are compared against this reference data. This architecture enables accurate identification of open source usage without transferring or storing user source code. The knowledge base evolves continuously as new projects, versions, and metadata are added, ensuring that software intelligence remains current as the open source ecosystem changes.
SCANOSS is designed so that analysing software composition does not require exposing source code or trusting opaque processing. Source code never leaves the user’s environment. Fingerprints are computed locally, filenames are obfuscated, and only derived values are transmitted for analysis. No proprietary or sensitive code is uploaded or reconstructed. This design allows organisations to analyse both declared and undeclared open source usage while maintaining full control over intellectual property.
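The fingerprint, match and output pipeline described above, together with the "only derived values leave the environment" property, as an added illustration that is not SCANOSS's own code: the fingerprint function, path obfuscation, wire format, knowledge-base shape and sample files are all constructed simplifications, and the real SCANOSS fingerprinting algorithm, WFP format and LDB differ. The `leaks_source` check is the kind of test a defender can run against the outbound payload to confirm that neither original paths nor file contents are transmitted.

```python
import hashlib
import json
import os

def fingerprint(content: bytes) -> str:
    """Derived value computed locally; the content itself is never transmitted."""
    return hashlib.sha256(content).hexdigest()

# Constructed reference snippets standing in for known open source files. This is sample
# data, not the SCANOSS knowledge base; the real fingerprint format and algorithm differ.
KNOWN_FILES = {
    b"int add(int a, int b) { return a + b; }\n": {"component": "libmath", "version": "1.0", "licence": "MIT"},
    b"def greet():\n    return 'hi'\n": {"component": "greetpy", "version": "2.3", "licence": "Apache-2.0"},
}
KNOWLEDGE_BASE = {fingerprint(c): meta for c, meta in KNOWN_FILES.items()}

# Constructed sample project: one copied open source file plus internal code that must not leak.
SAMPLE_PROJECT = {
    "src/vendor/add.c": b"int add(int a, int b) { return a + b; }\n",
    "src/internal/secret.py": b"API_KEY = 'do-not-ship'\n",
}

def obfuscate_path(path: str) -> str:
    """Replace the real path with a short digest, keeping only the extension."""
    return hashlib.sha256(path.encode()).hexdigest()[:12] + os.path.splitext(path)[1]

def build_request(files: dict[str, bytes]) -> list[dict]:
    """Everything that leaves the environment: obfuscated name, size, fingerprint."""
    return [{"path": obfuscate_path(p), "size": len(c), "fp": fingerprint(c)}
            for p, c in files.items()]

def leaks_source(request: list[dict], files: dict[str, bytes]) -> bool:
    """Defensive check: neither original paths nor file contents may appear in the payload."""
    wire = json.dumps(request)
    return any(p in wire or c.decode("utf-8", "replace").strip() in wire
               for p, c in files.items())

def match(request: list[dict], kb: dict = KNOWLEDGE_BASE) -> list[dict]:
    """Reference-side step: compare derived fingerprints with knowledge-base records only."""
    return [{**rec, "match": kb.get(rec["fp"])} for rec in request]

def to_sbom(results: list[dict]) -> dict:
    """Build a minimal CycloneDX-shaped document from the matched components."""
    comps = {(m["component"], m["version"]): m for m in (r["match"] for r in results) if m}
    return {"bomFormat": "CycloneDX", "specVersion": "1.5",
            "components": [{"type": "library", "name": n, "version": v,
                            "licenses": [{"license": {"id": m["licence"]}}]}
                           for (n, v), m in comps.items()]}
```

Running `to_sbom(match(build_request(SAMPLE_PROJECT)))` yields one `libmath` component; the internal file produces a fingerprint with no match and its name and contents never appear in the request.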
The scanning engine and fingerprinting algorithms used by SCANOSS are fully open source. This allows independent inspection of how detection works and how results are produced. All outputs use open standards such as SPDX and CycloneDX. SBOMs and analysis results remain portable and interoperable, avoiding vendor lock-in and supporting long-term reuse of software intelligence across tools and processes.
SCANOSS can be used as a hosted service or deployed on-premise. On-premise deployment allows organisations with strict security or regulatory requirements to run the platform entirely within their own infrastructure while retaining the same analysis capabilities and workflow integrations.
Modern software is assembled from many open source parts, often introduced incrementally and not always intentionally. “Know your Frankie” reflects the need to understand what code is actually present in a codebase, rather than relying solely on what is expected or declared. SCANOSS provides the software risk intelligence required to maintain that understanding as projects evolve, dependencies change, and code is reused over time.