Repository files navigation

A typical software project often reuses hundreds of third-party packages.License and packages, dependencies and origin information is not always easy tofind and not normalized: ScanCode discovers and normalizes this data for you.

Read more about ScanCode here:https://scancode-toolkit.readthedocs.io/.

Check out the code athttps://github.com/nexB/scancode-toolkit

Discover also:

• The ScanCode.io server project here:https://scancodeio.readthedocs.io
• The ScanCode Workbench project for visualization of scancode results data:https://github.com/nexB/scancode-workbench
• Other companion SCA projects for code origin, license and security analysishere:https://aboutcode.org

We run 30,000+ tests on each commit on multiple CIs to ensure a good platformcompabitility with multiple versions of Windows, Linux and macOS.

Azure	RTD Build	GitHub actions Docs	GitHub actions Release

• As astandalone command-line tool, ScanCode iseasy to install, run,and embed in your CI/CD processing pipeline.It runs onWindows, macOS, and Linux.
• ScanCode isused by several projects and organizations such astheEclipse Foundation,OpenEmbedded.org,theFSFE,theFSF,OSS Review Toolkit,ClearlyDefined.io,RedHat Fabric8 analytics,and many more.
• ScanCode detects licenses, copyrights, package manifests, direct dependencies,and more both insource code andbinary files and is considered as thebest-in-class and reference tool in this domain, re-used as the core tools forsoftware composition data collection by several open source tools.
• ScanCode provides themost accurate license detection engine and does afull comparison (also known as diff or red line comparison) between a databaseof license texts and your code instead of relying only on approximate regexpatterns or probabilistic search, edit distance or machine learning.
• Written in Python, ScanCode iseasy to extend with plugins to contributenew and improved scanners, data summarization, package manifest parsers, andnew outputs.
• You can save your scan results asJSON, YAML, HTML, CycloneDX or SPDX oreven create your own format with Jinja templates.
• You can also organize and run ScanCode server-side with thecompanionScanCode.io web appto organize and store multiple scan projects including scripted scanning pipelines.
• ScanCode output data can be easily visualized and analysed using theScanCode Workbench desktop app.
• ScanCode isactively maintained, has agrowing users and contributorscommunity.
• ScanCode is heavilytested with an automated test suite of over20,000 tests.
• ScanCode has an extensive and growing documentation.
• ScanCode can process packages, build manifest and lockfile formats to collectPackage URLs and extract metadata: Alpine packages, BUCK files, ABOUT files,Android apps, Autotools, Bazel, JavaScript Bower, Java Axis, MS Cab,Rust Cargo, Cocoapods, Chef Chrome apps, PHP Composer and composer.lock,Conda, CPAN, Debian, Apple dmg, Java EAR, WAR, JAR, FreeBSD packages,Rubygems gemspec, Gemfile and Gemfile.lock, Go modules, Haxe packages,InstallShield installers, iOS apps, ISO images, Apache IVY, JBoss Sar,R CRAN, Apache Maven, Meteor, Mozilla extensions, MSI installers,JavaScript npm packages, package-lock.json, yarn.lock, NSIS Installers,NuGet, OPam, Cocoapods, Python PyPI setup.py, setup.cfg, andseveral related lockfile formats, semi structured READMEfiles such as README.android, README.chromium, README.facebook, README.google,README.thirdparty, RPMs, Shell Archives, Squashfs images, Java WAR, Windowsexecutables and the Windows registryand a few more. Seeall available package parsersfor the exhaustive list.

See ourroadmapfor upcoming features.

The ScanCode documentation is hosted atscancode-toolkit.readthedocs.io.

If you are new to visualization of scancode results data, start with ournewcomer page.

If you want to compare output changes between different versions of ScanCode,or want to look at scans generated by ScanCode, review ourreference scans.

Other Important Documentation Pages:

• Asynopsisof ScanCode command line options.
• Tutorials on:
  • How to run a scan
  • How to visualize scan results
• An exhaustive list ofall available options
• Documentation onContributing to Code Development
• Documentation onPlugin Architecture
• FAQ

See alsohttps://aboutcode.org for related companion projects and tools.

Before installing ScanCode make sure that you have installed the prerequisitesproperly. This means installing Python 3.13 for x86/64 architectures.We support Python 3.10, 3.11, 3.12 and 3.13.

Seeprerequisitesfor detailed information on the support platforms and Python versions.

There are a few common ways toinstall ScanCode.

• **Installation as an application: Install Python 3.13, download a release archive, extract and run**.This is the recommended installation method.
• Development installation from source code using a git clone
• Development installation as a library with "pip install scancode-toolkit"[Note that this is not supported on arm64 machines]
• Run in a Docker container with a git clone and "docker run"
• In Fedora 40+ you can dnf install scancode-toolkit

After ScanCode is installed successfully you can run an example scan printed on screen as JSON:

scancode -clip --json-pp - samples

Follow theHow to Run a Scantutorial to perform a basic scan on thesamples directory distributed bydefault with ScanCode.

See more command examples:

scancode --examples

SeeHow to select what will be detected in a scanandHow to specify the output formatfor more information.

You can also refer to thecommand line options synopsisand an exhaustive list ofall available command line options.

By default ScanCode does not extract files from tarballs, zip files, andother archives as part of the scan. The archives that exist in a codebasemust be extracted before running a scan: extractcode is a bundled utilitybehaving as a mostly-universal archive extractor. For example, this command willrecursively extract the mytar.tar.bz2 tarball in the mytar.tar.bz2-extractdirectory:

./extractcode mytar.tar.bz2

Seeall extractcode optionsandhow to extract archives for details.

If you have a problem, a suggestion or found a bug, please enter a ticket at:https://github.com/nexB/scancode-toolkit/issues

For discussions and chats, we have:

• an official Gitter channel forweb-based chats.Gitter is now accessible throughElementor anIRC bridge.There are other AboutCode project-specific channels available there too.
• The discussion channel forscancodespecifically aimed at users and developers using scancode-toolkit.

• https://github.com/aboutcode-org/scancode-toolkit/releases
• https://github.com/aboutcode-org/scancode-toolkit.git
• https://pypi.org/project/scancode-toolkit/
• https://github.com/aboutcode-org/scancode-thirdparty-src.git
• https://github.com/aboutcode-org/scancode-plugins.git
• https://github.com/aboutcode-org/thirdparty-packages.git

• Apache-2.0 as the overall license
• CC-BY-4.0 for reference datasets (initially was in the Public Domain).
• Multiple other secondary permissive or copyleft licenses (LGPL, MIT,BSD, GPL 2/3, etc.) for third-party components and test suite code and data.

See the NOTICE file and the .ABOUT files that document the origin and license ofthe third-party code used in ScanCode for more details.

This project is funded, supported and sponsored by:

• Generous support and contributions from users like you!
• the European Commission NGI programme
• the NLnet Foundation
• the Swiss State Secretariat for Education, Research and Innovation (SERI)
• Google, including the Google Summer of Code and the Google Seasons of Doc programmes
• Mercedes-Benz Group
• Microsoft and Microsoft Azure
• AboutCode ASBL
• nexB Inc.

This project was funded through the NGI0 Discovery Fund, a fund established by NLnet with financialsupport from the European Commission's Next Generation Internet programme, under the aegis of DGCommunications Networks, Content and Technology under grant agreement No 825322.

https://nlnet.nl/project/vulnerabilitydatabase/

This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financialsupport from the European Commission's Next Generation Internet programme, under the aegis of DGCommunications Networks, Content and Technology under grant agreement No 101069594.

https://nlnet.nl/project/Back2source/

This project was funded through the NGI0 Core Fund, a fund established by NLnet with financialsupport from the European Commission's Next Generation Internet programme, under the aegis of DGCommunications Networks, Content and Technology under grant agreement No 101092990.

https://nlnet.nl/project/Back2source-next/

This project was funded through the NGI0 Core Fund, a fund established by NLnet with financialsupport from the European Commission's Next Generation Internet programme, under the aegis of DGCommunications Networks, Content and Technology under grant agreement No 101092990.

https://nlnet.nl/project/FastScan/

This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financialsupport from the European Commission's Next Generation Internet programme, under the aegis of DGCommunications Networks, Content and Technology under grant agreement No 101135429. Additionalfunding is made available by the Swiss State Secretariat for Education, Research and Innovation(SERI).

https://nlnet.nl/project/MassiveFOSSscan/

This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financialsupport from the European Commission's Next Generation Internet programme, under the aegis of DGCommunications Networks, Content and Technology under grant agreement No 101069594.

https://nlnet.nl/project/purl2sym/