🔍 ScanCode detects licenses, copyrights, dependencies by "scanning code" ... to discover and inventory open source and third-party packages used in your code. Sponsored by NLnet project https://nlnet.nl/project/vulnerabilitydatabase, the Google Summer of Code, Azure credits, nexB and others generous sponsors!

A suite of tools to automate software compliance checks.

Tern is a software composition analysis tool and Python library that generates a Software Bill of Materials for container images and Dockerfiles. The SBOM that Tern generates will give you a layer-by-layer view of what's inside your container in a variety of formats including human-readable, JSON, HTML, SPDX and more.

Evidence store for your Software Supply Chain attestations, SBOMs, VEX, SARIF, QA reports, etc. With Chainloop, Security and Compliance teams can define policies, what evicence to receive and where to store it. Developers are shielded from this complexity by getting simple instructions on what to provide when instrumenting their CI/CD pipeline

A compilation of resources in the software supply chain security domain, with emphasis on open source

📊 ScanCode Workbench is a desktop app to review and conclude license and origin from code scans generated by ScanCode Toolkit.

This repo realizes the idea that OSS compliance activities will be less expensive by applying OSS principles

Curated list of security tools

A light-weight app to audit and inventory large codebases for open source license compliance.

Cool links, tools & papers related to Open Source Licensing

This repo contains license and copyright analysis results of open source packages. It further contains other license compliance relevant artifacts, which might be of value for others

See who wrote each line of code in your git repository with interactive reports.

A desktop workbench for OSS Review Toolkit result files.

A scalable server implementation of the OSS Review Toolkit.

DeltaCode: compare two codebase scans (from ScanCode) to detect significant changes.

bitbake layer repository for intergrating osselot into the build process

CLI for software license check

An ongoing & curated collection of awesome software best practices and techniques, libraries and frameworks, E-books and videos, websites, blog posts, links to github Repositories, technical guidelines and important resources about Secure Software Supply Chain Lifecycle in Cybersecurity.

📝 Detect what license a project is distributed under

The guidance for the Open Source Component Management process consists of a generic architecture description, usage blueprints, a concept of the abstraction layer and a collection of use cases. It enables you to quickly match your organization's needs with available solutions and jump-start your process definition by providing templates.