Scan your software with Software Composition Analysis

Use threat detection (powered by FOSSA) to scan your software for malware, vulnerabilities, secrets, and more before publicly releasing your software.

Prerequisites

Software Trust Manager client tools (version 1.39.0 or higher)
Secure your credentials
Add app.fossa.com to your approved list to prevent your firewall or proxy from blocking calls to FOSSA's cloud.
Before you run a scan, check out the source code repository
- Before running a scan, pull or clone the code from your version control system (GitLab, GitHub, Bitbucket) into your local environment or CI/CD runner.

Install FOSSA

Beispiel 1. Windows

Using PowerShell, use the following command:

Set-ExecutionPolicy Bypass -Scope Process -Force; iex  ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/fossas/fossa-cli/master/install-latest.ps1'))

Using SCOOP, use the following command:

scoop install fossa

Beispiel 2. Linux (64-bit)

curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install-latest.sh | bash

Beispiel 3. macOS

curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install-latest.sh | bash

Create a project

Create a project to store all your related software scans, such as different versions of the same software.

You can create a project in Software Trust Manager or SMCTL:

Beispiel 4. Software Trust Manager

In the Software Trust menu, go to Account > Projects.
Select Add a project.

Complete the following fields:

Field	Description
Project name	Enter a unique name to identify the project.
Project alias	Enter a shortened version of the project name before this. Tipp Project aliases are limited to 150 alphanumeric characters. Underscores and hyphens are also allowed.
Repository URL (optional)	Provide a link to relevant source code or binaries related to this project.
Documentation URL (optional)	Provide a link to documentation related to your repository.
Team This field appears when teams are enabled.	Select the team that works on this project.

Select Add.

Beispiel 5. SMCTL

Use the following command:

smctl scan project create <project name> <project alias>

Review the following command sample:

smctl scan project create project1 p1

Scan with Software Composition Analysis

To scan source code with FOSSA, use the command:

smctl scan fossa-scan --input <source code directory> --project <project alias> --scan-alias <scan alias>

Command sample:

smctl scan fossa-scan --input app/SB-Setup/test-project --version HEAD --project xyz --scan-alias scan1

Tipp

Refer to errors and solutions if you encounter an error.

View scan results

In the Software Trust menu, go to Threat detection > Threat detection.
Select the desired scan.
Assess your threat detection results.

In diesem Abschnitt:

Scan your software with Software Composition Analysis

Prerequisites

Install FOSSA

Create a project

Tipp

Scan with Software Composition Analysis

Tipp

View scan results

Suchresultat