Two products are in scope: SCANOSS SCA (Software Composition Analysis with multi-dimensional component identification) and SCANOSS Snippet Detection (snippet-level fingerprint matching against the OSSKB knowledge base). Both products consume the same Open Source Software Knowledge Base of 100M+ open-source files. Merito sells both products and operates the engine deployment, fingerprint calibration, license policy authoring, and SBOM workflow.
SCANOSS portfolio
Open-source-first SCA, sold and operated by Merito.
SCANOSS SCA and Snippet Detection backed by the Open Source Software Knowledge Base (OSSKB) catalog of 100M+ open-source files. Detection covers declared dependencies plus the vendored, copy-pasted, and AI-generated code that manifest-only scanners miss.
Why Merito for SCANOSS
A SCANOSS engagement is fingerprint calibration, license policy authoring, and the OSS approval workflow. Merito is the team that does the work after the engine is deployed.
SCANOSS is the open-source-first SCA vendor. The engine is open-source and the commercial enterprise editions add support, scale, and governance features. Multi-dimensional component identification combines manifest declarations, fingerprint matching against the OSSKB, syntax tree parsing, and ML-based similarity scoring with confidence thresholds. The architecture catches undeclared open-source code that dependency-manifest-only scanners cannot see.
The OSSKB knowledge base contains fingerprints from more than 100 million open-source files. The dataset depth matches commercial-grade SCA platforms while the engine remains open-source and customer-extensible. Continuous SBOM generation in SPDX and CycloneDX formats produces audit-ready evidence including the declaration status of each component.
Snippet Detection extends SCA into the AI-generated and copy-pasted code surface that becomes more important as Copilot, Cursor, and Claude Code generate substantial portions of new code. A 2025 SCANOSS research study scanned 10,000 LLM-generated code samples against the OSSKB and found that approximately 30% matched at a 10% similarity threshold, evidence that undeclared open source slips into production through generative AI assistants.
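To make the snippet-matching idea concrete, here is an added, self-contained illustration of winnowing-style fingerprint matching with a similarity threshold. It is not SCANOSS code and makes no claim about how the OSSKB engine scores matches: the k-gram size, window size, CRC32 hashing, the "fraction of query fingerprints found in the knowledge-base file" score, and the two-file knowledge base and query file are all constructed here for the example.

```python
"""Snippet-level fingerprint matching with a winnowing-style scheme.

Added illustration, not SCANOSS code. KGRAM, WINDOW, the hash function,
the similarity score and the sample files below are all constructed here.
"""
import re
import zlib
from typing import Dict, List, Set, Tuple

KGRAM = 5   # tokens per k-gram (assumed value for the example)
WINDOW = 4  # winnowing window over consecutive k-gram hashes (assumed value)

# Crude language-agnostic tokenizer: identifiers, numbers, single punctuation.
_TOKEN_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*|\d+|[^\sA-Za-z0-9_]")


def tokenize(source: str) -> List[str]:
    """Whitespace and indentation changes do not alter the token stream."""
    return _TOKEN_RE.findall(source)


def kgram_hashes(tokens: List[str], k: int = KGRAM) -> List[int]:
    """Hash every run of k consecutive tokens to a 32-bit CRC."""
    return [zlib.crc32(" ".join(tokens[i:i + k]).encode()) & 0xFFFFFFFF
            for i in range(len(tokens) - k + 1)]


def winnow(hashes: List[int], w: int = WINDOW) -> Set[int]:
    """Keep the minimum hash of each sliding window of w hashes. Any shared
    run of at least w + k - 1 tokens then shares at least one fingerprint,
    while far fewer hashes than the full k-gram list have to be stored."""
    if len(hashes) < w:
        return set(hashes)
    return {min(hashes[i:i + w]) for i in range(len(hashes) - w + 1)}


def fingerprint(source: str) -> Set[int]:
    return winnow(kgram_hashes(tokenize(source)))


def similarity(query_fp: Set[int], kb_fp: Set[int]) -> float:
    """Constructed score: fraction of the query's fingerprints present in the
    knowledge-base file. A file too short to yield a k-gram scores 0."""
    if not query_fp:
        return 0.0
    return len(query_fp & kb_fp) / len(query_fp)


def match(query: str, kb: Dict[str, str], threshold: float) -> List[Tuple[str, float]]:
    """Return (component, score) for every KB file at or above threshold,
    best score first. Raising the threshold trades recall for fewer
    false positives; this is the knob a calibration exercise turns."""
    qfp = fingerprint(query)
    hits = [(name, similarity(qfp, fingerprint(src))) for name, src in kb.items()]
    return sorted((h for h in hits if h[1] >= threshold), key=lambda h: -h[1])


# Constructed two-file "knowledge base" standing in for OSSKB content.
KB_A = """
def parse_header(line):
    key, _, value = line.partition(":")
    return key.strip().lower(), value.strip()
"""
KB_B = """
unsigned int checksum(const unsigned char *buf, size_t n) {
    unsigned int acc = 0;
    for (size_t i = 0; i < n; i++) {
        acc = (acc << 1) ^ buf[i];
    }
    return acc;
}
"""
KNOWLEDGE_BASE = {"vendored/header_parse.py": KB_A, "vendored/checksum.c": KB_B}

# Constructed query: KB_A pasted in with different indentation, plus new code
# that appears nowhere in the knowledge base.
QUERY = """
def parse_header(line):
  key, _, value = line.partition(":")
  return key.strip().lower(), value.strip()

def render(headers):
  return ", ".join(k + "=" + v for k, v in headers)
"""

if __name__ == "__main__":
    for name, score in match(QUERY, KNOWLEDGE_BASE, 0.10):
        print(f"{score:.2f}  {name}")
```

Running the file lists only `vendored/header_parse.py`, because the pasted function shares fingerprints with that entry while the C checksum shares none; at a threshold of 1.0 nothing matches, since the query also contains code the knowledge base has never seen.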
Merito sells SCANOSS and operates the program around it. We deploy the engine, calibrate fingerprint thresholds against the customer's tolerance for false positives, author license-compliance policies, integrate scanning into CI/CD, and stand up the SBOM workflow that produces audit-ready evidence.
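The policy-authoring and SBOM-workflow pieces of such a program reduce to a build gate that reads the SBOM and applies the license policy. The following added example, written for this page and not Merito's or SCANOSS's tooling, shows that gate over a CycloneDX JSON document. The SBOM contents, the allow/deny policy, and the `declared` component property used to mark components found only by snippet matching are all constructed assumptions; real scanner output would carry its own field names.

```python
"""CI license gate over a CycloneDX SBOM.

Added illustration, not SCANOSS or Merito tooling. The SBOM document, the
policy sets and the "declared" property name are constructed for the example.
"""
import json
import sys
from typing import Dict, List

# Constructed CycloneDX 1.5 JSON document standing in for scanner output.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21",
         "licenses": [{"license": {"id": "MIT"}}],
         "properties": [{"name": "declared", "value": "true"}]},
        # found by snippet matching in vendored code, absent from every manifest
        {"type": "library", "name": "example-crypto", "version": "2.0.0",
         "purl": "pkg:generic/example-crypto@2.0.0",
         "licenses": [{"license": {"id": "AGPL-3.0-only"}}],
         "properties": [{"name": "declared", "value": "false"}]},
        {"type": "library", "name": "dual-lib", "version": "1.3.0",
         "purl": "pkg:pypi/dual-lib@1.3.0",
         "licenses": [{"expression": "MIT OR GPL-2.0-only"}],
         "properties": [{"name": "declared", "value": "true"}]},
        # no license information at all: needs a human decision
        {"type": "library", "name": "mystery", "version": "0.1.0",
         "purl": "pkg:generic/mystery@0.1.0",
         "properties": [{"name": "declared", "value": "false"}]},
    ],
})

# Constructed policy for a proprietary product: SPDX ids it may ship vs. must not.
POLICY = {
    "allow": {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"},
    "deny": {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only", "SSPL-1.0"},
}


def load_sample() -> dict:
    return json.loads(SBOM_JSON)


def _license_terms(component: dict) -> List[str]:
    """One string per license entry: an SPDX id, a free-text name, or an expression."""
    terms = []
    for entry in component.get("licenses", []):
        if "expression" in entry:
            terms.append(entry["expression"])
        else:
            lic = entry.get("license", {})
            terms.append(lic.get("id") or lic.get("name") or "")
    return [t for t in terms if t]


def decide_term(term: str, policy: dict) -> str:
    """Map one license term to allow / deny / review. Handles flat SPDX
    'A OR B' and 'A AND B' expressions (no parentheses) by recursion."""
    if " OR " in term:
        v = [decide_term(t, policy) for t in term.split(" OR ")]
        return "allow" if "allow" in v else ("review" if "review" in v else "deny")
    if " AND " in term:
        v = [decide_term(t, policy) for t in term.split(" AND ")]
        return "deny" if "deny" in v else ("review" if "review" in v else "allow")
    t = term.strip()
    if t in policy["deny"]:
        return "deny"
    if t in policy["allow"]:
        return "allow"
    return "review"  # unknown id or free-text name: route to manual approval


def is_declared(component: dict) -> bool:
    """Assumed convention: a 'declared' property marks manifest-declared components."""
    props = {p["name"]: p["value"] for p in component.get("properties", [])}
    return props.get("declared", "true").lower() == "true"


def evaluate(sbom: dict, policy: dict) -> Dict[str, dict]:
    """Per-component verdict keyed by purl. Every license entry listed on a
    component must pass; a component with no license data is 'review'."""
    out = {}
    for c in sbom.get("components", []):
        terms = _license_terms(c)
        v = [decide_term(t, policy) for t in terms] or ["review"]
        decision = "deny" if "deny" in v else ("review" if "review" in v else "allow")
        out[c.get("purl", c["name"])] = {
            "name": c["name"], "version": c.get("version", ""),
            "licenses": terms, "declared": is_declared(c), "decision": decision,
        }
    return out


def gate(results: Dict[str, dict]) -> bool:
    """True when the build may proceed: no denied components."""
    return not any(r["decision"] == "deny" for r in results.values())


def main(argv: List[str]) -> None:
    with open(argv[1]) if len(argv) > 1 else None or sys.stdin as _:
        pass  # placeholder so the block stays simple; see below
    sbom = json.load(open(argv[1])) if len(argv) > 1 else load_sample()
    results = evaluate(sbom, POLICY)
    for purl, r in results.items():
        flag = "" if r["declared"] else " (undeclared)"
        print(f"{r['decision']:6} {purl}{flag} {r['licenses']}")
    sys.exit(0 if gate(results) else 1)


if __name__ == "__main__":
    main(sys.argv)
```

Run with a path to a CycloneDX JSON file, or with no argument to use the embedded sample. The exit status is what a pipeline step keys on: the undeclared AGPL component fails the build, the dual-licensed library passes because one option is allowed, and the component with no license data is reported for review without blocking.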
The SCANOSS toolchain
The SCANOSS open-source-first SCA portfolio Merito sells and operates
Open-source-first SCA
Two products that consume the same OSSKB knowledge base. SCA covers the dependency surface; Snippet Detection covers what the dependency surface cannot see.
SCA
SCANOSS SCA
Open-source-first Software Composition Analysis with multi-dimensional component identification. Manifest-declared and undeclared components both surface through fingerprint matching against the OSSKB.
Snippet detection
SCANOSS Snippet Detection
Snippet-level fingerprint matching against the OSSKB knowledge base of 100M+ open-source files. Detects vendored, copy-pasted, and AI-generated code that manifest-only SCA cannot see.
Merito services
Merito services across the SCANOSS portfolio
01 Implementation
Engine deployment (SaaS or on-prem), fingerprint threshold calibration, license-compliance policy authoring, and SBOM workflow setup.
02 MAPS Assessment
Supply-chain program scoping for SCANOSS adoption alongside Black Duck SCA, Snyk Open Source, Sonatype Lifecycle, and Semgrep Supply Chain.
03 DevOps Consulting
Build-gate SCA in GitHub, GitLab, Azure DevOps, and Bitbucket. Snippet Detection wiring into PR-time review.
04 CRAFT Enablement
Developer-facing OSS approval workflows and AppSec champion programs.
05 Premium Support
Named engineer, priority SLAs, and release-window coverage for SCANOSS programs Merito implements.
06 Managed Services
Long-term run support including ongoing fingerprint calibration, license policy maintenance, and SBOM workflow operations.
07 Training and Enablement
Role-based training for AppSec architects, developers, and compliance leaders using SCANOSS output.
08 Staff Augmentation
Merito-placed AppSec engineers and SCANOSS specialists embedded on long-running programs.
SCANOSS licensing
Buy SCANOSS from the partner that calibrates the fingerprints and authors the policies.
Open-source-first SCA produces signal when the engine is calibrated and policies are authored. Buy SCANOSS through Merito and get the engine deployment, fingerprint calibration, and SBOM workflow together.
Related solutions
Where SCANOSS connects to the rest of the Merito program
Frequently Asked Questions
SCANOSS FAQs
Consultation request
Talk to Merito about SCANOSS
Share your open-source dependency surface and AI code-assistant adoption posture. A Merito SCANOSS specialist follows up within one business day.
OSSKB depth
100M+ open-source files
The Open Source Software Knowledge Base catalogs fingerprints from 100M+ open-source files, matching commercial-grade SCA datasets.
Snippet detection
Catches AI-generated and copy-pasted code
A 2025 SCANOSS research study found that 30% of LLM-generated code samples matched the OSSKB at a 10% similarity threshold.
Next step
Catch undeclared and AI-generated open-source code before it ships.
A SCANOSS engagement with Merito starts with fingerprint calibration against the customer's repository inventory. Programs running manifest-only SCA miss the categories SCANOSS catches.