{"id":51572357,"url":"https://github.com/trustedoss/trusca","last_synced_at":"2026-07-10T20:31:51.900Z","repository":{"id":354547431,"uuid":"1223212292","full_name":"trustedoss/trusca","owner":"trustedoss","description":"Self-hosted, open-source SCA portal — vulnerability (CVE), license compliance, and SBOM management in one UI. Black Duck/Snyk-class capabilities, Apache-2.0.","archived":false,"fork":false,"pushed_at":"2026-07-02T14:01:30.000Z","size":19342,"stargazers_count":1,"open_issues_count":3,"forks_count":1,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-07-02T14:13:56.727Z","etag":null,"topics":["cyclonedx","dependency-scanning","devsecops","fastapi","license-compliance","react","sbom","sca","security","self-hosted","spdx","supply-chain-security","trivy","vulnerability-management"],"latest_commit_sha":null,"homepage":"https://trustedoss.github.io/trusca/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/trustedoss.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":"SECURITY.md","support":"SUPPORT.md","governance":"GOVERNANCE.md","roadmap":"ROADMAP.md","authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":"NOTICE","maintainers":"MAINTAINERS.md","copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-04-28T05:35:12.000Z","updated_at":"2026-07-02T14:04:55.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/trustedoss/trusca","commit_stats":null,"previous_names":["trustedoss/trustedoss-portal","trustedoss/trusca"],"tags_count":4,"template":false,"template_full_name":null,"purl":"pkg:github/trustedoss/trusca","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trustedoss%2Ftrusca","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trustedoss%2Ftrusca/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trustedoss%2Ftrusca/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trustedoss%2Ftrusca/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/trustedoss","download_url":"https://codeload.github.com/trustedoss/trusca/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trustedoss%2Ftrusca/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":35343135,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-07-10T02:00:06.465Z","response_time":60,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cyclonedx","dependency-scanning","devsecops","fastapi","license-compliance","react","sbom","sca","security","self-hosted","spdx","supply-chain-security","trivy","vulnerability-management"],"created_at":"2026-07-10T20:31:51.818Z","updated_at":"2026-07-10T20:31:51.887Z","avatar_url":"https://github.com/trustedoss.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n  \u003cimg src=\"docs-site/static/img/logo.png\" width=\"72\" height=\"72\" alt=\"TRUSCA\" /\u003e\n\u003c/p\u003e\n\n\u003ch1 align=\"center\"\u003eTRUSCA\u003c/h1\u003e\n\n\u003cp align=\"center\"\u003e\u003cem\u003eTrustedOSS SCA — open-source software composition analysis\u003c/em\u003e\u003c/p\u003e\n\n[![License: Apache 2.0](https://img.shields.io/badge/License-Apache_2.0-blue.svg)](LICENSE)\n[![Release](https://img.shields.io/badge/release-v0.12.0-0f766e.svg)](CHANGELOG.md)\n[![Docs](https://img.shields.io/badge/docs-trustedoss.github.io-0f172a.svg)](https://trustedoss.github.io/trusca/)\n[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/13060/badge)](https://www.bestpractices.dev/projects/13060)\n\n\u003e Open-source enterprise SCA portal — manage CVEs, license compliance, and SBOMs in one self-hosted UI.\n\n**TRUSCA** — the SCA tool of the [TrustedOSS](https://trustedoss.github.io/) initiative — is an Apache-2.0 licensed, self-hosted alternative to commercial Software Composition Analysis (SCA) products. It unifies vulnerability tracking (CVE), license compliance, and Software Bill of Materials (SBOM) management for engineering and legal teams.\n\n\u003e **🔭 Live demo:** *Coming soon.* A hosted read-only demo will be published shortly; until then you can run a local read-only demo with `DEMO_READ_ONLY=true`. See [Live demo](https://trustedoss.github.io/trusca/docs/installation/live-demo).\n\n---\n\n## Why TRUSCA\n\n- **Self-hosted, no vendor lock-in.** Apache-2.0, deployable via `docker-compose` or Helm. No per-seat licensing.\n- **Unified risk view.** CVEs, licenses, and SBOM in one project page — no context switching.\n- **CI/CD native.** REST API + GitHub/GitLab webhooks + build-blocking gate (Critical CVE / forbidden license → exit 1).\n- **Enterprise-grade workflows.** Component approval, license obligations + auto-NOTICE generation, append-only audit log, RBAC.\n- **Internationalized from day one.** English and Korean UI — and this documentation — shipped together.\n\n![Project list](docs-site/static/img/screenshots/user-projects-list.png)\n*Project list — risk roll-up across every scanned project.*\n\n![Vulnerabilities](docs-site/static/img/screenshots/user-vulns-list.png)\n*Vulnerability list — CVEs from Trivy's unified DB (NVD + OSV + GHSA + EPSS + KEV) with a 7-state VEX triage workflow.*\n\n![SBOM export](docs-site/static/img/screenshots/user-sbom-tab.png)\n*SBOM tab — CycloneDX and SPDX export in JSON, XML, and Tag-Value.*\n\n![Admin health](docs-site/static/img/screenshots/admin-health-cards.png)\n*Admin System Health — service status, scan queue, disk, and Trivy DB freshness at a glance.*\n\n## Feature highlights\n\n- Component detection across 30+ language ecosystems (cdxgen, CycloneDX generator), with direct vs. transitive dependency-graph depth\n- Dynamic per-environment scanning (opt-in, on-prem) — `SCAN_EXECUTOR=local_docker` launches a per-environment cdxgen sidecar for toolchains the worker does not carry; closes the Android gap (no SDK in the worker → 0 components) by routing to the Android SDK image. See the [admin guide](https://trustedoss.github.io/trusca/docs/admin-guide/dynamic-scan-executor)\n- License classification with allowed / conditional / forbidden tiers, scored against a fixed classification catalog (dynamic per-team policy editing is on the [roadmap](ROADMAP.md))\n- Vulnerability detection via Trivy's unified DB (NVD + OSV + GitHub Advisory + EPSS + KEV) with weekly DB refresh, automatic re-detection of new CVEs, 7-state VEX triage, EPSS prioritization (column / sort / filter / policy-gate threshold), and per-finding `fixed_version`\n- Container image scanning for OS-package CVEs (Trivy)\n- SBOM export — CycloneDX (JSON/XML) + SPDX (JSON/Tag-Value), byte-stable; VEX export **and** VEX consumption (import OpenVEX / CycloneDX VEX to auto-suppress findings)\n- SBOM ingest — upload a CycloneDX or SPDX SBOM your own tooling produced (`POST /v1/projects/{id}/sbom-ingest`); TRUSCA scores its conformance (pass/warn/fail, advisory) and matches CVEs without cloning or building your source\n- Vulnerability report as PDF (`GET /v1/projects/{id}/vulnerability-report.pdf`); Excel and compliance-PDF reports are on the [roadmap](ROADMAP.md)\n- Obligations tracking + auto-generated `NOTICE` files (text / markdown / HTML)\n- Component approval workflow (Pending → Under Review → Approved / Rejected)\n- Notifications: Email (SMTP), Slack, Microsoft Teams\n- Admin: user/team management, Trivy DB monitoring + weekly refresh, scan queue, disk dashboard, audit log\n- CI integrations: GitHub Action, GitLab CI template, Jenkinsfile example (Jenkins has no native plugin — the Jenkinsfile is a worked example)\n- Hosted OpenAPI reference on the docs site, a `/health/ready` schema-gated readiness probe, a read-only live-demo mode, and a production-grade Helm chart\n\n## Tech stack\n\n| Layer | Technology |\n|---|---|\n| Backend | FastAPI · SQLAlchemy 2.0 · Alembic |\n| Database | PostgreSQL 17 |\n| Async | Celery + Redis |\n| Frontend | React 18 · Vite · shadcn/ui · Tailwind CSS |\n| Server state | TanStack Query |\n| Client state | Zustand |\n| Realtime | WebSocket (scan progress streaming) |\n| Auth | FastAPI-Users (JWT + OAuth2) |\n| i18n | react-i18next |\n| Tests | pytest · Playwright (harness pattern) |\n| Docs | Docusaurus |\n| CI/CD | GitHub Actions |\n| Containers | Docker Compose (dev/prod split), Helm chart |\n\n## Quick start (development)\n\n```bash\ngit clone https://github.com/trustedoss/trusca.git\ncd trusca\ncp .env.example .env\n\ndocker-compose -f docker-compose.dev.yml up\n# → http://localhost:5173 (frontend) · http://localhost:8000/docs (API)\n```\n\nAfter roughly 30 seconds the dev containers (`postgres`, `redis`, `backend`, `celery-worker`, `frontend`) are healthy.\n\n### Other ways to run it\n\n- **Production (Docker Compose)** — use the bundled `docker-compose.yml` (Traefik + Let's Encrypt). See the [installation guide](https://trustedoss.github.io/trusca/docs/installation/docker-compose).\n- **Production (Kubernetes / Helm)** — the production-grade chart (`charts/trustedoss`) ships bundled-or-external PostgreSQL \u0026 Redis, an Ingress with cert-manager TLS, and a migration Job. See the [Helm / Kubernetes guide](https://trustedoss.github.io/trusca/docs/installation/helm).\n- **Read-only live demo** — run any deploy with `DEMO_READ_ONLY=true`. See [Live demo](https://trustedoss.github.io/trusca/docs/installation/live-demo).\n- **API reference** — the hosted OpenAPI reference is at [`/reference/api`](https://trustedoss.github.io/trusca/reference/api).\n\n## Repository layout\n\n```\ntrusca/\n├── apps/\n│   ├── backend/         FastAPI app (api, core, models, services, tasks, integrations)\n│   └── frontend/        React + Vite + shadcn/ui app\n├── charts/trustedoss/   Helm chart\n├── docs-site/           Docusaurus documentation site (EN/KO)\n├── actions/scan/        GitHub Actions composite action — trigger + gate a CI build\n├── scripts/             install / upgrade / backup / restore\n└── .github/             workflows, issue templates, PR template, CODEOWNERS\n```\n\n## Documentation\n\n- **[Documentation site](https://trustedoss.github.io/trusca/)** — install, scan, operate, and integrate (English + Korean)\n- [`ROADMAP.md`](ROADMAP.md) — public roadmap\n- [`CHANGELOG.md`](CHANGELOG.md) — release history\n\n### For contributors\n\n- [`CONTRIBUTING.md`](CONTRIBUTING.md) — local setup, conventions, and the PR process\n- [`GOVERNANCE.md`](GOVERNANCE.md) — decision-making model and maintainer responsibilities\n- [`MAINTAINERS.md`](MAINTAINERS.md) — current maintainers and areas of ownership\n- [`SUPPORT.md`](SUPPORT.md) — where to ask questions and report problems\n\n## Contributing\n\nContributions are welcome — code, documentation, translations, bug reports, and design feedback. Start with [`CONTRIBUTING.md`](CONTRIBUTING.md) for local setup and the PR process, and [`SUPPORT.md`](SUPPORT.md) if you have a question first. All participants are expected to follow the [Code of Conduct](CODE_OF_CONDUCT.md).\n\n## SCA self-scan\n\n[![SCA self-scan](https://github.com/trustedoss/trusca/actions/workflows/sca-self.yml/badge.svg)](https://github.com/trustedoss/trusca/actions/workflows/sca-self.yml)\n\nThe portal dog-foods its own toolchain. A nightly GitHub Actions workflow ([`.github/workflows/sca-self.yml`](.github/workflows/sca-self.yml)) generates a CycloneDX SBOM with cdxgen, runs Trivy against it, and auto-opens / closes a labelled GitHub issue when Critical CVEs appear in our dependency tree.\n\n## Security\n\nPlease do not open a public issue for an unpatched vulnerability. See [`SECURITY.md`](SECURITY.md) for the private disclosure process.\n\n## License\n\nApache License 2.0 — see [`LICENSE`](LICENSE) and [`NOTICE`](NOTICE).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftrustedoss%2Ftrusca","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftrustedoss%2Ftrusca","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftrustedoss%2Ftrusca/lists"}