Open source scanning shouldn't mean reading reports about hundreds of CVEs and license findings. OSSScan creates the investigation facts that let Claude Code, GitHub Copilot, and other AI coding agents do the analysis for you, delivering a concise briefing on which vulnerabilities are actually exploitable in your application, which license findings create real risk, and what actions to take. You review conclusions, not noise.
BigBrainCorp builds software products. Like any development team, we needed to understand our open source exposure: which licenses imposed obligations on our distributions, and which dependency versions carried known vulnerabilities. Existing tools were expensive and produced long lists of potential issues that translated into weeks of developer time just to investigate, most of which turned out to be noise.
Our first instinct was to simply ask our AI coding agent to analyze the project and report any risk. What we found is that a bridge application was needed first. Before an AI agent can investigate intelligently, it needs structured facts: the full SBOM, licenses in use, and CVEs matched to the specific package versions in the project. Without that grounding, the agent is guessing. With it, the agent can reason about whether each reported issue is actually exploitable or obligating given how the code uses the package.
OSSScan is that bridge. It creates the structured facts, builds the investigation prompts, and enables a single sentence to your AI agent to turn a list of possibilities into a focused set of findings. Work that previously took weeks now takes minutes to hours. Read the full story.
The problem with open source compliance isn't a lack of data; it's too much of it, unstructured, with no clear signal on what matters. OSSScan closes that gap.
Point OSSScan at your source folder and it runs a full SBOM analysis, detecting every dependency, its license, CVE exposure, and risk classification across all ecosystems.
OSSScan bundles all the investigation facts (findings, risk rankings, source-file references, CVE context) into a ready-to-use AgentPrompt.md file. No prompt engineering required.
Tell Claude Code: "Open AgentPrompt.md and follow it exactly." Or in Copilot Chat (Agent mode): "Read the AgentPrompt.md file and follow it exactly." Both have been tested. The same instruction works in Cursor, Windsurf, and any other AI coding agent that can read files and take actions.
Your agent delivers a focused investigation report: exploitable CVEs, license obligations, files to change, actions to take. You decide, not triage.
Raw scan output is a list. OSSScan builds a structured picture, the kind of grounded, specific context that lets an AI agent give you actionable guidance instead of generic advice.
Known vulnerabilities are matched to your actual dependencies. Instead of a wall of CVEs, your AI agent gets the facts it needs to reason about which ones are exploitable given how your application uses the affected package.
Strong copyleft (GPL, AGPL) and weak copyleft (LGPL, MPL) dependencies are called out with risk level, direct vs. transitive classification, and the source files that import them.
In Audit mode, OSSScan compares what a package declares against what its actual source files contain. Discrepancies, especially undeclared copyleft, are flagged explicitly.
For every copyleft dependency, OSSScan traces which files in your codebase import it, with line numbers, so an AI agent can give you precise remediation targets.
Unknown licenses are resolved via deps.dev, ClearlyDefined, and ScanCode before the output is generated. Your AI agent works from complete facts, not gaps.
Every license determination is annotated with how it was reached: Syft, registry lookup, or ScanCode scan. Your agent can cite sources, not just conclusions.
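The import tracing described above (which files import a copyleft package, with line numbers) can be reproduced with a small scanner. The following is an added example, not OSSScan's own code: it walks a constructed in-memory workspace, matches the common Python and JavaScript import forms for a package name, and reports file:line remediation targets. jszip and node-forge are package names that appear on this page; `examplegpl` is a hypothetical copyleft package used only for the sample.

```python
import re
from dataclasses import dataclass

# Constructed sample workspace (path -> contents); not taken from any real project.
# "examplegpl" is a hypothetical copyleft package; jszip and node-forge appear on this page.
SAMPLE_FILES = {
    "src/app.py": (
        "import os\n"
        "from examplegpl import connect  # hypothetical copyleft package\n"
        "\n"
        "def main():\n"
        "    connect()\n"
    ),
    "src/util.py": "import json\n",
    "web/index.js": (
        "const zip = require('jszip');\n"
        "import forge from 'node-forge';\n"
    ),
    "web/vendor.js": "// a comment that merely mentions jszip is not an import\n",
}


@dataclass(frozen=True)
class ImportSite:
    path: str
    line: int    # 1-based, so it can be pasted into an editor or an agent prompt
    text: str


def import_patterns(package: str) -> list[re.Pattern]:
    """Regexes for the common import forms of one package across ecosystems.

    A Python distribution name can differ from its import name; for Python packages
    pass the name as it appears in source.
    """
    name = re.escape(package)
    return [
        re.compile(rf"^\s*import\s+{name}(?:[\s.,]|$)"),                   # import pkg / import pkg.sub
        re.compile(rf"^\s*from\s+{name}[\s.]"),                            # from pkg import x
        re.compile(rf"""require\(\s*['"]{name}(?:/[^'"]*)?['"]\s*\)"""),   # CommonJS require('pkg')
        re.compile(rf"""(?:from|import)\s+['"]{name}(?:/[^'"]*)?['"]"""),  # ESM import ... from 'pkg'
    ]


def trace_imports(files: dict[str, str], package: str) -> list[ImportSite]:
    """Every source line that imports `package`, with file path and 1-based line number."""
    patterns = import_patterns(package)
    sites = []
    for path in sorted(files):
        for lineno, text in enumerate(files[path].splitlines(), start=1):
            if any(p.search(text) for p in patterns):
                sites.append(ImportSite(path, lineno, text.strip()))
    return sites


def copyleft_remediation_targets(files: dict[str, str], copyleft_packages: list[str]) -> dict:
    """Per copyleft package: whether the workspace imports it directly, and where.

    A package with no import sites is reachable only through another dependency;
    one with sites gives the agent concrete file:line targets to review.
    """
    report = {}
    for pkg in copyleft_packages:
        sites = trace_imports(files, pkg)
        report[pkg] = {
            "imported_in_workspace": bool(sites),
            "sites": [f"{s.path}:{s.line}: {s.text}" for s in sites],
        }
    return report


if __name__ == "__main__":
    targets = copyleft_remediation_targets(SAMPLE_FILES, ["examplegpl", "jszip", "node-forge"])
    for pkg, entry in targets.items():
        print(pkg, entry)
```

Run it against a real tree by replacing `SAMPLE_FILES` with a dict built from `pathlib.Path.rglob`; the comment line in `web/vendor.js` shows why a plain text search is not enough and the patterns anchor on actual import syntax.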
Every investigation, whether license or CVE, comes with a ready-to-use prompt. Copy it for a single deep-dive, or use Bulk export to bundle all your filtered investigations into one AgentPrompt.md and let your AI agent work through them all with a single command.
Each license or CVE finding in OSSScan has a Copy Prompt action. Paste it directly into Claude Code, Copilot Chat (Agent mode), or any other AI coding agent. The prompt includes the finding context, the relevant source-file references, and specific instructions for the agent. No prompt engineering on your part.
Use Bulk → License investigation requests or Bulk → CVE investigation requests, and OSSScan builds a single AgentPrompt.md containing every filtered investigation, structured, prioritized, and ready for your AI agent to work through end to end.
Open AgentPrompt.md and follow it exactly.
Read the AgentPrompt.md file in the active VS Code editor (this tab), and follow it exactly.
```json
{
  "no_material_copyleft_concern": [
    {
      "package": "jszip@3.10.1",
      "licenses": ["MIT OR GPL-3.0-or-later"],
      "reason": "OR expression; MIT (most permissive option) applies. No evidence of GPL election. Package is a runtime dependency shipped in the production bundle, but MIT is permissive with no copyleft obligations. Only obligation is to include MIT copyright notice in distribution."
    },
    {
      "package": "node-forge@1.3.2",
      "licenses": ["BSD-3-Clause OR GPL-2.0"],
      "reason": "OR expression; BSD-3-Clause applies. No evidence of GPL election. Package is a transitive dependency with no direct imports in the workspace. Obligations limited to copyright notice retention and non-endorsement clause."
    }
  ],
  "review_required": [],
  "likely_compliance_issue": []
}
```
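Two pieces of reasoning recur in the license work on this page: the OR-expression election shown in the report above (the licensee operates under the least obligating branch), and the Audit-mode comparison of a package's declared license against what its source files actually contain. The following is an added example, not OSSScan's code, that implements both: a small SPDX expression parser that classifies copyleft strength, and an audit function that emits the same three verdict buckets the report uses. The identifier sets are a constructed subset, and `hypothetical-lib` is a made-up package.

```python
import re

# Constructed subset of SPDX identifiers; extend for a real scan.
PERMISSIVE = {"MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0", "ISC", "0BSD"}
RANK = {"permissive": 0, "weak-copyleft": 1, "strong-copyleft": 2, "unknown": 3}
_TOKEN = re.compile(r"\(|\)|[A-Za-z0-9.+-]+")
_OPERATORS = {"AND", "OR", "WITH", "(", ")"}


def classify(license_id: str) -> str:
    """Copyleft strength of one SPDX identifier (deprecated forms such as GPL-2.0 included)."""
    if license_id.startswith(("LGPL-", "MPL-")):
        return "weak-copyleft"
    if license_id.startswith(("GPL-", "AGPL-")):
        return "strong-copyleft"
    if license_id in PERMISSIVE:
        return "permissive"
    return "unknown"


class _SpdxParser:
    """Recursive descent over an SPDX expression: OR binds loosest, then AND, then WITH."""

    def __init__(self, expression: str):
        self.tokens = _TOKEN.findall(expression)
        self.pos = 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def expression(self) -> tuple[str, list[str]]:
        left = self.term()
        while self.peek() == "OR":
            self.take()
            right = self.term()
            # Disjunction: the licensee may elect the least obligating branch.
            left = min(left, right, key=lambda branch: RANK[branch[0]])
        return left

    def term(self) -> tuple[str, list[str]]:
        left = self.factor()
        while self.peek() == "AND":
            self.take()
            right = self.factor()
            # Conjunction: every obligation applies, so the strongest branch governs.
            left = (max(left[0], right[0], key=RANK.get), left[1] + right[1])
        return left

    def factor(self) -> tuple[str, list[str]]:
        tok = self.take()
        if tok is None or tok in _OPERATORS - {"("}:
            raise ValueError(f"unexpected token {tok!r}")
        if tok == "(":
            inner = self.expression()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return inner
        ident = tok
        if self.peek() == "WITH":   # exception clause narrows obligations; strength kept as-is here
            self.take()
            ident = f"{tok} WITH {self.take()}"
        return (classify(tok), [ident])


def effective_license(expression: str) -> tuple[str, list[str]]:
    """Strength the licensee actually operates under, and the identifiers elected."""
    parser = _SpdxParser(expression)
    result = parser.expression()
    if parser.peek() is not None:
        raise ValueError(f"trailing tokens in {expression!r}")
    return result


def audit_package(package: str, declared: str, detected: list[str]) -> dict:
    """Audit-style comparison of declared metadata against identifiers detected in source files."""
    strength, elected = effective_license(declared)
    declared_ids = {t for t in _TOKEN.findall(declared) if t not in _OPERATORS}
    undeclared_copyleft = sorted(
        lid for lid in detected if lid not in declared_ids and classify(lid).endswith("copyleft")
    )
    if undeclared_copyleft:
        verdict = "likely_compliance_issue"          # source says copyleft, metadata does not
    elif strength == "permissive" and all(classify(lid) != "unknown" for lid in detected):
        verdict = "no_material_copyleft_concern"
    else:
        verdict = "review_required"                   # copyleft elected, or an unresolved identifier
    return {
        "package": package,
        "declared": declared,
        "effective_strength": strength,
        "elected": elected,
        "undeclared_copyleft": undeclared_copyleft,
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(audit_package("jszip@3.10.1", "MIT OR GPL-3.0-or-later", ["MIT", "GPL-3.0-or-later"]))
    print(audit_package("hypothetical-lib@1.0.0", "MIT", ["MIT", "GPL-2.0-only"]))  # constructed case
```

The second call is the case Audit mode exists for: a package whose manifest says MIT while a source file carries a GPL header lands in `likely_compliance_issue`, whereas the jszip case resolves to a permissive election with no discrepancy.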
```jsonc
{
  "Not exploitable": [
    {
      "cve": "GHSA-2xpw-w6gg-jr37", "confidence": "high",
      "reason": "urllib3 2.5.0 exists only in the Python .venv development tooling. The project is a .NET 8 Azure Functions app with no Python runtime code. The streaming decompression API is never called at runtime."
    },
    {
      "cve": "GHSA-x674-v45j-fwxw", "confidence": "high",
      "reason": "CVE-2024-27086 explicitly affects only Xamarin Android and .NET Android (MAUI) targets. This project targets net8.0 as an Azure Functions application — the vulnerable Android-specific code paths are never executed."
    }
    // ... 8 more, all high confidence, all not exploitable
  ],
  "Needs further investigation": [
    {
      "cve": "GHSA-98g6-xh36-x2p7", "confidence": "medium",
      "reason": "Microsoft.Data.SqlClient 5.1.1 is an indirect dependency via EF Core SqlServer, and the application actively uses SQL Server connections (AppDbContextFactory.cs, UseSqlServer). CVE-2024-0056 is a TLS bypass requiring network MitM (AC:H). TLS connection string settings and network topology need verification."
    },
    {
      "cve": "GHSA-m5vv-6r4h-3vj9", "confidence": "medium",
      "reason": "Azure.Identity 1.10.2 is a direct dependency in DAL.csproj. CVE-2024-35255 EoP via MSAL token caching requires local access. Confirm whether managed identity is enabled. Upgrading to Azure.Identity 1.11.4 resolves this and the related MSAL finding."
    }
    // ... 2 more requiring verification
  ],
  "Exploitable": []
}
```
Choose the scan mode that matches what you need to know. A daily Light scan keeps your agent informed of drift. An Audit scan gives it the full picture for a release or acquisition review.
Fully offline. Runs Syft locally and produces a clean SBOM your agent can diff against yesterday's. Ideal for catching new dependencies before they accumulate.
Enriches unknown licenses via deps.dev, ClearlyDefined, and ScanCode so your agent isn't reasoning about gaps. Only package names and versions leave your machine.
Scans every package's actual source files and surfaces disagreements between declared and detected licenses. Gives your agent the strongest possible factual foundation for a full compliance briefing.
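The Light-mode workflow above relies on diffing today's SBOM against yesterday's to catch drift. As an added example (not OSSScan's or Syft's code), the script below compares two constructed CycloneDX-style documents of the kind Syft can emit, keys components by package URL with the version stripped, and produces a briefing of added, removed and version-changed components, with the license of anything new. The package names and versions are taken from this page; `example-gpl-lib` is a hypothetical newcomer, and the two documents are constructed for the sample.

```python
import json

# Constructed CycloneDX-style SBOM fragments standing in for two daily Light scans.
# Real Syft output carries many more fields; only the ones used here are included.
YESTERDAY = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"name": "jszip", "version": "3.10.1", "purl": "pkg:npm/jszip@3.10.1",
     "licenses": [{"expression": "MIT OR GPL-3.0-or-later"}]},
    {"name": "node-forge", "version": "1.3.1", "purl": "pkg:npm/node-forge@1.3.1",
     "licenses": [{"expression": "BSD-3-Clause OR GPL-2.0"}]},
    {"name": "Azure.Identity", "version": "1.10.2", "purl": "pkg:nuget/Azure.Identity@1.10.2",
     "licenses": [{"license": {"id": "MIT"}}]}
  ]
}""")

TODAY = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"name": "jszip", "version": "3.10.1", "purl": "pkg:npm/jszip@3.10.1",
     "licenses": [{"expression": "MIT OR GPL-3.0-or-later"}]},
    {"name": "node-forge", "version": "1.3.2", "purl": "pkg:npm/node-forge@1.3.2",
     "licenses": [{"expression": "BSD-3-Clause OR GPL-2.0"}]},
    {"name": "Azure.Identity", "version": "1.11.4", "purl": "pkg:nuget/Azure.Identity@1.11.4",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"name": "example-gpl-lib", "version": "2.0.0", "purl": "pkg:npm/example-gpl-lib@2.0.0",
     "licenses": [{"license": {"id": "GPL-3.0-only"}}]}
  ]
}""")


def _coordinates(component: dict) -> tuple[str, str]:
    """Split a purl into (type/namespace/name, version); the version follows the last '@'.

    Scoped npm names encode their '@' as %40, so rpartition on '@' is safe.
    """
    purl = component["purl"]
    if "@" not in purl:
        return purl, ""
    base, _, rest = purl.rpartition("@")
    return base, rest.split("?", 1)[0]   # drop qualifiers such as ?arch=...


def _license_text(component: dict) -> str:
    """Flatten CycloneDX license entries (id, name or expression) into one string."""
    parts = []
    for entry in component.get("licenses", []):
        if "expression" in entry:
            parts.append(entry["expression"])
        elif "license" in entry:
            parts.append(entry["license"].get("id") or entry["license"].get("name", "NOASSERTION"))
    return " AND ".join(parts) or "NOASSERTION"


def diff_sboms(old: dict, new: dict) -> dict:
    """Added, removed and version-changed components between two SBOMs."""
    before = dict(map(_coordinates, old.get("components", [])))
    after = dict(map(_coordinates, new.get("components", [])))
    return {
        "added": sorted((k, after[k]) for k in after.keys() - before.keys()),
        "removed": sorted((k, before[k]) for k in before.keys() - after.keys()),
        "changed": sorted(
            (k, before[k], after[k]) for k in before.keys() & after.keys() if before[k] != after[k]
        ),
    }


def drift_briefing(old: dict, new: dict) -> list[str]:
    """Lines an agent (or a human) can act on; new components carry their license."""
    licenses = {_coordinates(c)[0]: _license_text(c) for c in new.get("components", [])}
    delta = diff_sboms(old, new)
    lines = [f"ADDED   {k}@{v}  license={licenses[k]}" for k, v in delta["added"]]
    lines += [f"REMOVED {k}@{v}" for k, v in delta["removed"]]
    lines += [f"CHANGED {k} {a} -> {b}" for k, a, b in delta["changed"]]
    return lines or ["no dependency drift"]


if __name__ == "__main__":
    for line in drift_briefing(YESTERDAY, TODAY):
        print(line)
```

In day-to-day use the two documents come from `json.load` on yesterday's and today's Light-scan output; the ADDED line for a strong-copyleft newcomer is exactly the drift a daily scan is meant to surface before it accumulates.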
The clearest proof that a top-level license review is not enough came from our own development process.
Syft and Grype are permissively licensed. But their transitive dependencies are not.
Early in development, OSSScan bundled Syft and Grype directly. Before shipping, we ran a Deep scan of OSSScan itself. While both tools carry permissive top-level licenses, the Deep scan found copyleft-licensed packages several layers into their transitive dependency trees, obligations that would never appear in a surface-level review of their declared licenses.
We removed the bundled tools. OSSScan now provides installation instructions and users install them independently.
Bundling those packages would have created unintended IP obligations in OSSScan's own distribution. Removing them eliminated the risk entirely. Users retain full control over which versions they install, and OSSScan's own distribution stays clean.
A code review of your direct dependencies' licenses is not sufficient due diligence.
Copyleft obligations can hide several layers deep in a transitive dependency tree, inside packages that look permissive at the surface. This is exactly why OSSScan's Deep scan enriches every dependency, resolves every unknown license, and traces obligations all the way down the graph. It is the only way to know what you are actually distributing.
OSSScan is built for teams scanning unreleased, sensitive code. The investigation facts it generates are grounded in local analysis; your source never travels.
Enrichment calls send only package name, ecosystem, and version. No file contents, no directory structure, no SBOM payload.
No analytics, no crash reporting, no background services. OSSScan does not phone home. Ever.
Syft, Grype, and ScanCode run through a local monitoring proxy. Every outbound call is logged. Unexpected destinations are blocked by default.
Zero outbound calls in Light mode, suitable for air-gapped environments and the most sensitive codebases.
Code-signed with an Apple Developer ID and notarized by Apple. Gatekeeper verifies the binary is genuine before it runs.
License files are verified on-device using Ed25519 cryptography. No network call is needed on launch.
Download OSSScan, run a scan, and let your AI coding agent turn the findings into a focused briefing, so you make decisions instead of sifting data.