{"id":35640884,"url":"https://github.com/scanoss/scanoss.py","last_synced_at":"2026-03-05T18:05:11.854Z","repository":{"id":43336111,"uuid":"377273245","full_name":"scanoss/scanoss.py","owner":"scanoss","description":"The SCANOSS python package providing a simple, easy to consume library for interacting with SCANOSS APIs/Engine.","archived":false,"fork":false,"pushed_at":"2026-03-03T09:33:56.000Z","size":1440,"stargazers_count":39,"open_issues_count":8,"forks_count":24,"subscribers_count":4,"default_branch":"main","last_synced_at":"2026-03-03T12:56:43.724Z","etag":null,"topics":["software-composition-analysis"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/scanoss.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2021-06-15T19:29:33.000Z","updated_at":"2026-02-24T08:51:41.000Z","dependencies_parsed_at":"2024-02-01T11:38:31.216Z","dependency_job_id":"45183fde-b0eb-4c92-b6e4-2a81753e7cff","html_url":"https://github.com/scanoss/scanoss.py","commit_stats":{"total_commits":190,"total_committers":6,"mean_commits":"31.666666666666668","dds":0.08421052631578951,"last_synced_commit":"3eabf72ae28a5a0b5f1a777983282c6ca21df11c"},"previous_names":[],"tags_count":123,"template":false,"template_full_name":null,"purl":"pkg:github/scanoss/scanoss.py","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/scanoss%2Fscanoss.py","tags_
url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/scanoss%2Fscanoss.py/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/scanoss%2Fscanoss.py/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/scanoss%2Fscanoss.py/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/scanoss","download_url":"https://codeload.github.com/scanoss/scanoss.py/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/scanoss%2Fscanoss.py/sbom","scorecard":{"id":476744,"data":{"date":"2025-08-11","repo":{"name":"github.com/scanoss/scanoss.py","commit":"fdc02afa768db6f5bc51909b3f4f6bfc6b71b6d3"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":4.3,"checks":[{"name":"Code-Review","score":5,"reason":"Found 7/13 approved changesets -- score normalized to 5","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Maintained","score":10,"reason":"30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the 
repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Info: jobLevel 'contents' permission set to 'read': .github/workflows/container-publish-ghcr.yml:20","Warn: no topLevel permission defined: .github/workflows/container-local-test.yml:1","Warn: no topLevel permission defined: .github/workflows/container-publish-ghcr.yml:1","Warn: no topLevel permission defined: .github/workflows/lint.yml:1","Info: topLevel 'contents' permission set to 'read': .github/workflows/python-local-test.yml:14","Warn: no topLevel permission defined: .github/workflows/python-publish-pypi.yml:1","Info: topLevel 'contents' permission set to 'read': .github/workflows/python-publish-testpypi.yml:7","Warn: topLevel 'checks' permission set to 'write': .github/workflows/scanoss.yml:13","Info: topLevel 'actions' permission set to 'read': .github/workflows/scanoss.yml:14","Info: topLevel 'contents' permission set to 'read': .github/workflows/scanoss.yml:11","Warn: no topLevel permission defined: .github/workflows/version-tag.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least 
privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: MIT License: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Signed-Releases","score":0,"reason":"Project has not signed or included provenance with any releases.","details":["Warn: release artifact v1.30.0 not signed: https://api.github.com/repos/scanoss/scanoss.py/releases/234196718","Warn: release artifact v1.29.0 not signed: 
https://api.github.com/repos/scanoss/scanoss.py/releases/232429451","Warn: release artifact v1.26.2 not signed: https://api.github.com/repos/scanoss/scanoss.py/releases/227450050","Warn: release artifact v1.26.1 not signed: https://api.github.com/repos/scanoss/scanoss.py/releases/227068432","Warn: release artifact v1.26.0 not signed: https://api.github.com/repos/scanoss/scanoss.py/releases/226715230","Warn: release artifact v1.30.0 does not have provenance: https://api.github.com/repos/scanoss/scanoss.py/releases/234196718","Warn: release artifact v1.29.0 does not have provenance: https://api.github.com/repos/scanoss/scanoss.py/releases/232429451","Warn: release artifact v1.26.2 does not have provenance: https://api.github.com/repos/scanoss/scanoss.py/releases/227450050","Warn: release artifact v1.26.1 does not have provenance: https://api.github.com/repos/scanoss/scanoss.py/releases/227068432","Warn: release artifact v1.26.0 does not have provenance: https://api.github.com/repos/scanoss/scanoss.py/releases/226715230"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Packaging","score":10,"reason":"packaging workflow detected","details":["Info: Project packages its releases by way of GitHub Actions.: .github/workflows/container-local-test.yml:19"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Vulnerabilities","score":0,"reason":"23 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: PYSEC-2013-22 / GHSA-27x4-j476-jp5f","Warn: Project is vulnerable to: PYSEC-2025-49 / GHSA-5rjg-fvgr-3xxf","Warn: Project is vulnerable to: 
GHSA-cx63-2mw6-8hw5","Warn: Project is vulnerable to: PYSEC-2022-43012 / GHSA-r9hx-vwmv-q579","Warn: Project is vulnerable to: PYSEC-2022-43017 / GHSA-qwmp-2cf2-g9g6","Warn: Project is vulnerable to: PYSEC-2018-24 / GHSA-2rcm-phc9-3945","Warn: Project is vulnerable to: PYSEC-2013-31 / GHSA-6748-36qp-fx6r","Warn: Project is vulnerable to: PYSEC-2018-23 / GHSA-p28m-34f6-967q","Warn: Project is vulnerable to: PYSEC-2014-14 / GHSA-652x-xj99-gmcc","Warn: Project is vulnerable to: GHSA-9hjg-9r4m-mvj7","Warn: Project is vulnerable to: GHSA-9wx4-h78v-vm56","Warn: Project is vulnerable to: PYSEC-2014-13 / GHSA-cfj3-7x9c-4p3h","Warn: Project is vulnerable to: PYSEC-2018-28 / GHSA-x84v-xcm2-53pg","Warn: Project is vulnerable to: GHSA-34jh-p97f-mpxf","Warn: Project is vulnerable to: PYSEC-2023-212 / GHSA-g4mx-q9vg-27p4","Warn: Project is vulnerable to: PYSEC-2023-207 / GHSA-gwvm-45gx-3cf8","Warn: Project is vulnerable to: PYSEC-2019-133 / GHSA-mh33-7rrq-662w","Warn: Project is vulnerable to: GHSA-pq67-6m6q-mj2v","Warn: Project is vulnerable to: PYSEC-2019-132 / GHSA-r64q-w8jr-g9qp","Warn: Project is vulnerable to: PYSEC-2023-192 / GHSA-v845-jxx5-vc9f","Warn: Project is vulnerable to: PYSEC-2020-148 / GHSA-wqvq-5m8c-6g24","Warn: Project is vulnerable to: PYSEC-2018-32 / GHSA-www2-v7xj-xrc6","Warn: Project is vulnerable to: PYSEC-2021-108"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 30 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash 
detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/container-local-test.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/scanoss/scanoss.py/container-local-test.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/container-local-test.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/scanoss/scanoss.py/container-local-test.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/container-local-test.yml:41: update your workflow using https://app.stepsecurity.io/secureworkflow/scanoss/scanoss.py/container-local-test.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/container-local-test.yml:46: update your workflow using https://app.stepsecurity.io/secureworkflow/scanoss/scanoss.py/container-local-test.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/container-local-test.yml:57: update your workflow using https://app.stepsecurity.io/secureworkflow/scanoss/scanoss.py/container-local-test.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/container-local-test.yml:68: update your workflow using https://app.stepsecurity.io/secureworkflow/scanoss/scanoss.py/container-local-test.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/container-publish-ghcr.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/scanoss/scanoss.py/container-publish-ghcr.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/container-publish-ghcr.yml:31: update your workflow using https://app.stepsecurity.io/secureworkflow/scanoss/scanoss.py/container-publish-ghcr.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/container-publish-ghcr.yml:45: 
update your workflow using https://app.stepsecurity.io/secureworkflow/scanoss/scanoss.py/container-publish-ghcr.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/container-publish-ghcr.yml:50: update your workflow using https://app.stepsecurity.io/secureworkflow/scanoss/scanoss.py/container-publish-ghcr.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/container-publish-ghcr.yml:54: update your workflow using https://app.stepsecurity.io/secureworkflow/scanoss/scanoss.py/container-publish-ghcr.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/container-publish-ghcr.yml:63: update your workflow using https://app.stepsecurity.io/secureworkflow/scanoss/scanoss.py/container-publish-ghcr.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/container-publish-ghcr.yml:70: update your workflow using https://app.stepsecurity.io/secureworkflow/scanoss/scanoss.py/container-publish-ghcr.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/container-publish-ghcr.yml:85: update your workflow using https://app.stepsecurity.io/secureworkflow/scanoss/scanoss.py/container-publish-ghcr.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/container-publish-ghcr.yml:92: update your workflow using https://app.stepsecurity.io/secureworkflow/scanoss/scanoss.py/container-publish-ghcr.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/container-publish-ghcr.yml:107: update your workflow using https://app.stepsecurity.io/secureworkflow/scanoss/scanoss.py/container-publish-ghcr.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/container-publish-ghcr.yml:114: update your workflow using 
https://app.stepsecurity.io/secureworkflow/scanoss/scanoss.py/container-publish-ghcr.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/lint.yml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/scanoss/scanoss.py/lint.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/lint.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/scanoss/scanoss.py/lint.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/python-local-test.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/scanoss/scanoss.py/python-local-test.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/python-local-test.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/scanoss/scanoss.py/python-local-test.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/python-local-test.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/scanoss/scanoss.py/python-local-test.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/python-publish-pypi.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/scanoss/scanoss.py/python-publish-pypi.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/python-publish-pypi.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/scanoss/scanoss.py/python-publish-pypi.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/python-publish-pypi.yml:50: update your workflow using https://app.stepsecurity.io/secureworkflow/scanoss/scanoss.py/python-publish-pypi.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/python-publish-pypi.yml:58: update your workflow using 
https://app.stepsecurity.io/secureworkflow/scanoss/scanoss.py/python-publish-pypi.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/python-publish-pypi.yml:68: update your workflow using https://app.stepsecurity.io/secureworkflow/scanoss/scanoss.py/python-publish-pypi.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/python-publish-pypi.yml:71: update your workflow using https://app.stepsecurity.io/secureworkflow/scanoss/scanoss.py/python-publish-pypi.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/python-publish-pypi.yml:76: update your workflow using https://app.stepsecurity.io/secureworkflow/scanoss/scanoss.py/python-publish-pypi.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/python-publish-testpypi.yml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/scanoss/scanoss.py/python-publish-testpypi.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/python-publish-testpypi.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/scanoss/scanoss.py/python-publish-testpypi.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/python-publish-testpypi.yml:50: update your workflow using https://app.stepsecurity.io/secureworkflow/scanoss/scanoss.py/python-publish-testpypi.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/python-publish-testpypi.yml:63: update your workflow using https://app.stepsecurity.io/secureworkflow/scanoss/scanoss.py/python-publish-testpypi.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/python-publish-testpypi.yml:66: update your workflow using https://app.stepsecurity.io/secureworkflow/scanoss/scanoss.py/python-publish-testpypi.yml/main?enable=pin","Warn: GitHub-owned 
GitHubAction not pinned by hash: .github/workflows/scanoss.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/scanoss/scanoss.py/scanoss.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/scanoss.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/scanoss/scanoss.py/scanoss.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/version-tag.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/scanoss/scanoss.py/version-tag.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/version-tag.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/scanoss/scanoss.py/version-tag.yml/main?enable=pin","Warn: containerImage not pinned by hash: Dockerfile:1","Warn: containerImage not pinned by hash: Dockerfile:9","Warn: containerImage not pinned by hash: Dockerfile:49","Warn: containerImage not pinned by hash: Dockerfile:72","Warn: containerImage not pinned by hash: Dockerfile:83","Warn: pipCommand not pinned by hash: Dockerfile:29","Warn: pipCommand not pinned by hash: Dockerfile:30","Warn: pipCommand not pinned by hash: Dockerfile:31","Warn: pipCommand not pinned by hash: Dockerfile:35-40","Warn: downloadThenRun not pinned by hash: Dockerfile:64","Warn: pipCommand not pinned by hash: .github/workflows/container-local-test.yml:34","Warn: pipCommand not pinned by hash: .github/workflows/container-local-test.yml:35","Warn: pipCommand not pinned by hash: .github/workflows/container-publish-ghcr.yml:37","Warn: pipCommand not pinned by hash: .github/workflows/container-publish-ghcr.yml:38","Warn: pipCommand not pinned by hash: .github/workflows/lint.yml:24","Warn: pipCommand not pinned by hash: .github/workflows/lint.yml:25","Warn: pipCommand not pinned by hash: .github/workflows/python-local-test.yml:29","Warn: pipCommand not pinned by hash: 
.github/workflows/python-local-test.yml:30","Warn: pipCommand not pinned by hash: .github/workflows/python-local-test.yml:63","Warn: pipCommand not pinned by hash: .github/workflows/python-local-test.yml:77","Warn: pipCommand not pinned by hash: .github/workflows/python-publish-pypi.yml:23","Warn: pipCommand not pinned by hash: .github/workflows/python-publish-pypi.yml:24","Warn: pipCommand not pinned by hash: .github/workflows/python-publish-pypi.yml:31","Warn: pipCommand not pinned by hash: .github/workflows/python-publish-pypi.yml:105","Warn: pipCommand not pinned by hash: .github/workflows/python-publish-testpypi.yml:22","Warn: pipCommand not pinned by hash: .github/workflows/python-publish-testpypi.yml:23","Warn: pipCommand not pinned by hash: .github/workflows/python-publish-testpypi.yml:30","Warn: pipCommand not pinned by hash: .github/workflows/python-publish-testpypi.yml:73","Warn: pipCommand not pinned by hash: .github/workflows/python-publish-testpypi.yml:75","Warn: pipCommand not pinned by hash: .github/workflows/python-publish-testpypi.yml:93","Info:   0 out of  19 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of  19 third-party GitHubAction dependencies pinned","Info:   0 out of   5 containerImage dependencies pinned","Info:   3 out of  27 pipCommand dependencies pinned","Info:   0 out of   1 downloadThenRun dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build 
process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}}]},"last_synced_at":"2025-08-19T15:29:57.881Z","repository_id":43336111,"created_at":"2025-08-19T15:29:57.881Z","updated_at":"2025-08-19T15:29:57.881Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30141353,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-05T16:58:46.102Z","status":"ssl_error","status_checked_at":"2026-03-05T16:58:45.706Z","response_time":93,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["software-composition-analysis"],"created_at":"2026-01-05T11:18:15.496Z","updated_at":"2026-03-05T18:05:11.841Z","avatar_url":"https://github.com/scanoss.png","language":"Python","readme":"# SCANOSS Python Library\nThe SCANOSS python package provides a simple, easy to consume library for interacting with SCANOSS APIs/Engine.\n\n[![Build/Test Local Package](https://github.com/scanoss/scanoss.py/actions/workflows/python-local-test.yml/badge.svg)](https://github.com/scanoss/scanoss.py/actions/workflows/python-local-test.yml)\n[![Build/Test Local Container](https://github.com/scanoss/scanoss.py/actions/workflows/container-local-test.yml/badge.svg)](https://github.com/scanoss/scanoss.py/actions/workflows/container-local-test.yml)\n[![Publish Package - 
PyPI](https://github.com/scanoss/scanoss.py/actions/workflows/python-publish-pypi.yml/badge.svg)](https://github.com/scanoss/scanoss.py/actions/workflows/python-publish-pypi.yml)\n[![Publish GHCR Container](https://github.com/scanoss/scanoss.py/actions/workflows/container-publish-ghcr.yml/badge.svg)](https://github.com/scanoss/scanoss.py/actions/workflows/container-publish-ghcr.yml)\n\n# Installation\nTo install (from [pypi.org](https://pypi.org/project/scanoss)), please run:\n```bash\npip3 install scanoss\n```\n\n## Usage\nThe package can be run from the command line, or consumed from another Python script.\n\nFor more details, please look at [PACKAGE.md](PACKAGE.md).\n\n## Container Usage\nTo leverage the CLI from within a container, please look at [GHCR.md](GHCR.md).\n\n## Development\nBefore starting with development of this project, please read our [CONTRIBUTING](CONTRIBUTING.md) and [CODE OF CONDUCT](CODE_OF_CONDUCT.md).\n\n### Requirements\nPython 3.9 or higher.\n\nThe dependencies can be found in the [requirements.txt](requirements.txt) and [requirements-dev.txt](requirements-dev.txt) files.\n\nTo install dependencies, run:\n```bash\npip3 install -r requirements.txt\npip3 install -r requirements-dev.txt\n```\n\nTo enable dependency scanning, an extra tool is required: scancode-toolkit\n```bash\npip3 install -r requirements-scancode.txt\n```\n\n### Pre-commit Setup\nThis project uses pre-commit hooks to ensure code quality and consistency. To set up pre-commit, run:\n```bash\npip3 install pre-commit\npre-commit install\n```\n\nThis will install the pre-commit tool and set up the git hooks defined in the `.pre-commit-config.yaml` file to run automatically on each commit.\n\n### Devcontainer Setup\nTo simplify the development environment setup, a devcontainer configuration is provided. This allows you to develop inside a containerized environment with all necessary dependencies pre-installed.\n\nTo use the devcontainer setup:\n1. 
Install [Visual Studio Code](https://code.visualstudio.com/).\n2. Install the [Remote - Containers](https://marketplace.visualstudio.com/items?itemName=ms-vscode-remote.remote-containers) extension.\n3. Open the project in Visual Studio Code.\n4. Run:\n```bash\ncp .devcontainer/devcontainer.example.json .devcontainer/devcontainer.json\n```\n5. Update the `devcontainer.json` file with the desired settings.\n6. When prompted, reopen the project in the container.\n\nThis will build the container defined in the `.devcontainer` folder and open a new Visual Studio Code window connected to the container.\n\n### Package Development\nMore details on Python packaging/distribution can be found [here](https://packaging.python.org/overview/), [here](https://packaging.python.org/guides/distributing-packages-using-setuptools/), and [here](https://packaging.python.org/guides/using-testpypi/#using-test-pypi).\n\nIt is good practice to set up a Virtual Env ([venv](https://docs.python.org/3/library/venv.html)) to isolate and simplify development/testing.\nIf using PyCharm, please follow [these instructions](https://www.jetbrains.com/help/pycharm/creating-virtual-environment.html).\n\nIn order to develop/test a Python package, it is necessary to register the package locally. This can be done using the following command:\n```bash\npython3 setup.py develop --user\n```\nThere is also a [Makefile](Makefile) in the repository, which provides helpers to achieve this:\n```bash\nmake dev_setup\n```\nThe client now makes use of REST \u0026 gRPC. For gRPC-specific environment variables, please look [here](https://github.com/grpc/grpc/blob/master/doc/environment_variables.md).\n\n### Package Deployment\nPackaging the library for deployment is done using [setup](https://docs.python.org/3/distutils/setupscript.html).\n\n#### Versioning\nThe version of the package is defined in the [scanoss init](src/scanoss/__init__.py) file. 
Please update this version before packaging/releasing an update.\n\n#### Packaging\nTo package the library, please run:\n```bash\nmake dist\n```\n\n#### Deployment\nThis project uses [twine](https://twine.readthedocs.io/en/latest/) to upload packages to [pypi.org](https://pypi.org).\nIn order to run twine, a user needs to be registered with both [TestPyPI](https://test.pypi.org) and [PyPI](https://pypi.org).\nDetails for using TestPyPI can be found [here](https://packaging.python.org/guides/using-testpypi) and PyPI [here](https://packaging.python.org/guides/distributing-packages-using-setuptools/#uploading-your-project-to-pypi).\n\nOnce the credentials have been stored in $HOME/.pypirc, the following command can be run:\n```bash\nmake publish_test\n```\nThis will deploy the package to [TestPyPI](https://test.pypi.org/project/scanoss). Run some tests to verify everything is ok.\n\nThen deploy to prod:\n```bash\nmake publish\n```\nThis will deploy the package to [PyPI](https://pypi.org/project/scanoss).\n\nThe package will then be available to install using:\n```bash\npip3 install scanoss\n```\n\n##### GitHub Actions\nThere are a number of [workflows](.github/workflows) set up for this repository. They provide the following:\n* [Local build/test](.github/workflows/python-local-test.yml)\n  * Automatically triggered on pushes or PRs to main. Can also be run manually for other branches\n* [Local container build/test](.github/workflows/container-local-test.yml)\n  * Automatically triggered on pushes or PRs to main. 
Can also be run manually for other branches\n* [Publish to Test PyPI](.github/workflows/python-publish-testpypi.yml)\n  * Can be manually triggered to push a test version from any branch\n* [Publish to PyPI](.github/workflows/python-publish-pypi.yml)\n  * Build and publish the Python package to PyPI (triggered by v*.*.* tag)\n* [Publish container to GHCR](.github/workflows/container-publish-ghcr.yml)\n  * Build and publish the Python container to GHCR (triggered by v*.*.* tag)\n\n## Bugs/Features\nTo request features or alert about bugs, please do so [here](https://github.com/scanoss/scanoss.py/issues).\n\n## Changelog\nDetails of major changes to the library can be found in [CHANGELOG.md](CHANGELOG.md).\n\n## Background\nDetails about the Winnowing algorithm used for scanning can be found [here](WINNOWING.md).\n\n## Dataset License Notice\nThis application is licensed under the MIT License. In addition, it includes an unmodified copy of the OSADL copyleft license dataset ([osadl-copyleft.json](src/scanoss/data/osadl-copyleft.json)) which is licensed under the [Creative Commons Attribution 4.0 International license (CC-BY-4.0)](https://creativecommons.org/licenses/by/4.0/) by the [Open Source Automation Development Lab (OSADL) eG](https://www.osadl.org/).\n\n**Attribution:** A project by the Open Source Automation Development Lab (OSADL) eG. Original source: [https://www.osadl.org/fileadmin/checklists/copyleft.json](https://www.osadl.org/fileadmin/checklists/copyleft.json)\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fscanoss%2Fscanoss.py","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fscanoss%2Fscanoss.py","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fscanoss%2Fscanoss.py/lists"}