Open-source engine with commercial-grade dataset
The SCANOSS engine is open-source. The OSSKB knowledge base catalogs fingerprints from 100M+ open-source files. Programs get transparency and customer extensibility without sacrificing dataset depth.
SCANOSS SCA is open-source-first Software Composition Analysis backed by the OSSKB knowledge base of 100M+ open-source files. Multi-dimensional component identification combines manifest declarations, fingerprint matching, syntax tree parsing, and ML-based similarity scoring to catch declared and undeclared open-source code.
Merito sells SCANOSS SCA and operates the engine deployment, fingerprint calibration, license-policy authoring, and SBOM workflow that turn the open-source platform into a working supply-chain governance program.
What it is
SCANOSS SCA is the open-source-first Software Composition Analysis platform. The engine is open-source and the commercial enterprise editions add support, scale, and governance features. Programs adopting SCANOSS get a transparent and customer-extensible engine without giving up the dataset depth that commercial SCA platforms provide.
Multi-dimensional component identification is the architectural decision that catches what manifest-only scanners miss. Component identification combines four techniques. Manifest declarations cover what package managers explicitly declare. Fingerprint matching compares files against the OSSKB catalog of 100M+ open-source files. Syntax tree parsing identifies code patterns even when fingerprint matching alone is inconclusive. ML-based similarity scoring flags components that resemble OSSKB entries above a confidence threshold the customer configures.
The OSSKB knowledge base is the practical asset. Fingerprints from more than 100 million open-source files match commercial-grade SCA datasets while remaining open-source. Continuous SBOM generation in SPDX and CycloneDX formats produces audit-ready evidence including the declaration status (declared, undeclared, similarity-matched) of each component.
Programs that adopt SCA without authoring policy generate finding volume that gets ignored. Merito's standard SCANOSS SCA rollout starts with the dependency baseline against the customer's existing repository inventory, then fingerprint threshold calibration to the customer's tolerance for false positives, then license-policy authoring against the customer's risk tolerance, then SBOM workflow integration into the audit-evidence path.
Ideal use cases
What it is best at
Combines manifest declarations, fingerprint matching, syntax tree parsing, and ML-based similarity scoring. Catches undeclared components that manifest-only scanners miss entirely.
The knowledge base catalogs fingerprints from more than 100 million open-source files. Continuous expansion keeps detection coverage current as new projects appear.
Continuous SBOM generation in SPDX and CycloneDX includes declaration status for each component (declared, undeclared, similarity-matched). Audit-ready evidence beyond what manifest-only SCA produces.
Core capabilities
How SCANOSS SCA finds the open-source code your application uses.
Manifest declarations
Direct and transitive dependencies declared in major package managers (npm, Maven, NuGet, pip, gems, Go modules, Cargo, Composer).
OSSKB fingerprint matching
File-level fingerprint matching against 100M+ open-source files. Catches vendored and copy-pasted code that manifests do not declare.
Syntax tree parsing
Code pattern matching when fingerprints alone are inconclusive. Identifies components through structural similarity.
ML similarity scoring
Confidence-thresholded similarity matching for components that resemble known OSS but do not match exactly.
The dataset that drives finding quality.
100M+ file fingerprints
Catalog of open-source files maintained by SCANOSS. Continuously expanding as new projects appear.
Open-source-first dataset
The OSSKB is part of the open-source ecosystem. Customers gain transparency on the data SCA decisions are made against.
Where SCANOSS SCA findings become enforced policy and audit evidence.
License-compliance policy
Permissive, copyleft, and dual-license categorization with policy enforcement at PR-time and build-gate.
Continuous SBOM generation
SPDX and CycloneDX SBOMs produced continuously as the dependency surface changes. Each component carries declaration status.
Build-gate enforcement
Policy violations gate CI/CD builds. Block-on-introduce policy stops new vulnerabilities while triage works the legacy backlog.
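An added example (not SCANOSS or Merito code) of the build-gate logic described above: it loads a constructed CycloneDX fragment, categorizes each component as permissive, copyleft, or dual-license, and applies block-on-introduce so that only newly introduced violations fail the build while legacy ones go to triage. The declaration_status property name and the license category lists are assumptions, not SCANOSS fields.

```python
import json

# Constructed CycloneDX-style SBOM for illustration, not SCANOSS output. The
# "declaration_status" property name is an assumption, not a SCANOSS field.
SBOM_JSON = """{"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
 {"purl": "pkg:npm/lodash@4.17.21", "licenses": [{"license": {"id": "MIT"}}],
  "properties": [{"name": "declaration_status", "value": "declared"}]},
 {"purl": "pkg:generic/readline@8.1", "licenses": [{"license": {"id": "GPL-3.0-only"}}],
  "properties": [{"name": "declaration_status", "value": "undeclared"}]},
 {"purl": "pkg:generic/oldlib@1.0", "licenses": [{"license": {"id": "GPL-2.0-only"}}],
  "properties": [{"name": "declaration_status", "value": "similarity-matched"}]},
 {"purl": "pkg:npm/dualpkg@2.0", "licenses": [{"license": {"id": "GPL-2.0-only"}},
  {"license": {"id": "MIT"}}],
  "properties": [{"name": "declaration_status", "value": "declared"}]}]}"""

COPYLEFT_PREFIXES = ("GPL-", "AGPL-", "LGPL-")  # illustrative mapping, not a full policy
PERMISSIVE_IDS = {"MIT", "ISC", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause"}

def license_category(lic_id):
    if lic_id.startswith(COPYLEFT_PREFIXES):
        return "copyleft"
    return "permissive" if lic_id in PERMISSIVE_IDS else "unknown"

def component_category(comp):
    """permissive / copyleft / dual-license / unknown for one SBOM component."""
    cats = {license_category(l["license"].get("id", "NOASSERTION"))
            for l in comp.get("licenses", [])}
    if {"copyleft", "permissive"} <= cats:
        return "dual-license"  # a permissive option exists, so it passes the gate
    if "copyleft" in cats:
        return "copyleft"
    return "permissive" if cats == {"permissive"} else "unknown"

def declaration_status(comp):
    return next((p["value"] for p in comp.get("properties", [])
                 if p["name"] == "declaration_status"), "unknown")

def evaluate_gate(sbom_json, baseline_purls):
    """Block-on-introduce: violations (copyleft or unknown license) fail the build
    only when the component is not in the baseline; legacy ones go to triage."""
    blocked, triage = [], []
    for comp in json.loads(sbom_json)["components"]:
        if component_category(comp) not in ("copyleft", "unknown"):
            continue
        entry = {"purl": comp["purl"], "status": declaration_status(comp)}
        (triage if comp["purl"] in baseline_purls else blocked).append(entry)
    return blocked, triage

if __name__ == "__main__":
    baseline = {"pkg:generic/oldlib@1.0"}  # constructed: components present before this change
    print(evaluate_gate(SBOM_JSON, baseline))
```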
How findings reach developers and the SBOM workflow.
SCM integration
Native PR-time scanning across GitHub, GitLab, Azure DevOps, and Bitbucket.
CI/CD plugin coverage
Build-gate scanning across major CI platforms.
Snippet Detection pairing
Findings flow into the same console as SCANOSS Snippet Detection results for vendored and AI-generated code.
REST API extensibility
Custom integrations into proprietary build systems and audit-evidence reporting.
Licensing and packaging
SCANOSS Open-Source Edition
Community open-source engine for self-managed deployments. Includes basic fingerprint matching against the OSSKB.
Best for: Pilot programs, OSS-first organizations, or programs with internal capacity to operate open-source AppSec tools.
SCANOSS Commercial Enterprise
Adds support, scale, governance, and managed updates. SaaS and on-prem deployment shapes available.
Best for: Enterprise programs needing predictable SLAs and managed operations.
Merito services
Merito sells licenses and the delivery work around them. Pick the service that matches where you are in the lifecycle.
Engine deployment, fingerprint threshold calibration, license-compliance policy authoring, and SBOM workflow setup.
Supply-chain program scoping for SCANOSS adoption alongside Black Duck SCA, Snyk Open Source, and Sonatype Lifecycle.
Build-gate SCA in GitHub, GitLab, Azure DevOps, and Bitbucket with package manager wiring.
Developer-facing OSS approval workflows and AppSec champion programs.
Named engineer, priority SLAs, and release-window coverage for SCANOSS SCA in production.
Long-term run support including ongoing fingerprint calibration, license policy maintenance, and SBOM workflow operations.
Role-based training for AppSec architects, security engineers, and developers using SCANOSS SCA findings.
SCANOSS SCA licensing
Open-source-first SCA produces signal when fingerprints are calibrated and policies are authored. Buy SCANOSS through Merito and get the deployment, calibration, and SBOM workflow together.
Merito point of view
SCANOSS's open-source engine is the practical differentiator for organizations that value transparency and customer extensibility. The OSSKB knowledge base depth at 100M+ files matches commercial-grade SCA platforms while the engine remains open-source. Programs that adopt SCANOSS for the open-source positioning still need the commercial enterprise edition for production AppSec because predictable SLAs and managed operations matter.
Multi-dimensional component identification is the architecture that catches undeclared components. Programs running manifest-only SCA miss the categories SCANOSS catches because they cannot see vendored code, copy-pasted snippets, or AI-generated open-source. The trade-off is calibration. Fingerprint thresholds must be tuned to the customer's tolerance for false positives.
Continuous SBOM generation including declaration status is the practical compliance asset. Programs responding to executive-order software supply chain expectations or PCI 4.0 software inventory requirements use the SBOM workflow as the audit-evidence path. Manifest-only SCA produces SBOMs that miss the undeclared components SCANOSS catches.
Consultation request
Share your dependency surface, current SCA tooling, and SBOM workflow needs. A Merito SCANOSS specialist follows up within one business day.
Multi-dimensional identification
Manifest declarations plus fingerprint matching plus syntax parsing plus ML similarity scoring. Catches what manifest-only SCA misses entirely.
OSSKB knowledge base
Dataset depth matches commercial-grade SCA while the engine remains open-source.
Next step
A SCANOSS SCA engagement with Merito starts with the dependency baseline against the customer's repository inventory. Multi-dimensional identification surfaces what manifest-only SCA misses.