OSSScan operates with a minimal and explicit footprint on your machine:
In normal (non-Light) mode, OSSScan makes a small number of outbound HTTPS requests; the table below documents every category of outbound call. Light mode makes zero outbound calls: all analysis is then performed offline using locally cached data.
| Purpose | Destination | Data sent |
|---|---|---|
| License metadata lookup | deps.dev (Google) | Package name, version, ecosystem (e.g., npm/lodash@4.17.21) |
| License metadata lookup | Package registries (npmjs.org, pypi.org, etc.) | Package name and version only |
| Pre-computed license harvest | api.clearlydefined.io | Package coordinates (type/provider/namespace/name/revision) |
| Tool update checks | ossscan.com (BigBrainCorp) | Current app version and OS platform |
No source code, file contents, directory listings, or personal information are included in any of these requests.
The OSSScan macOS application is code-signed with an Apple Developer ID and notarized by Apple. Gatekeeper verifies the app automatically on first launch. If macOS accepted it without a warning, the OS has already confirmed the binary came from BigBrainCorp LLC and has not been tampered with since it was signed. You can also verify manually in Terminal:
```sh
spctl --assess --type exec --verbose /Applications/OSSScan.app
```
A genuine build returns `accepted source=Notarized Developer ID`. If you see a "developer cannot be verified" warning instead, do not open the app and contact jim@ossscan.com.
Windows Authenticode signing is in progress. Until it is available, the unsigned installers will trigger a SmartScreen warning. This is expected; conversely, if the warning does not appear for a build that claims to be signed, treat that as a signal that something may be wrong. A SHA-256 checksum for each release is published on the Downloads page. Verify it with PowerShell before running the installer:
```powershell
Get-FileHash OSSScan-Setup.exe -Algorithm SHA256
```
Compare the output against the published hash. As a secondary cross-check, the same hash is published on our GitHub Releases page, which is an independent channel an attacker would also need to compromise.
OSSScan integrates with Syft (SBOM generation), Grype (vulnerability scanning), and ScanCode (deep license detection), but does not bundle these tools. They are installed separately by the user, typically via their own official installers or package managers, and OSSScan invokes them as child processes when a scan requires their capabilities. This design means you retain full control over which versions are installed, can audit them independently, and are not exposed to supply-chain risks from bundled binaries you did not explicitly choose. OSSScan passes only the scan target path to each tool and reads their output from stdout or a temporary file; no other data is exchanged.
This was not the original plan. During development, OSSScan bundled Syft and Grype directly. Before shipping, we ran a Deep scan of OSSScan itself using its own tooling.
The results were instructive. While Syft and Grype are themselves permissively licensed, a Deep scan revealed that their transitive dependency trees pull in packages carrying copyleft licenses. These obligations would not be visible from a top-level review of Syft or Grype's own declared licenses. They only surfaced when OSSScan scanned the full dependency graph, including indirect dependencies, and cross-referenced the actual source files.
This is precisely the scenario OSSScan is built to catch. Bundling those packages would have created unintended IP obligations for OSSScan's own distribution. So we removed them.
The practical outcome is that users install Syft and Grype themselves, using the instructions OSSScan provides, and retain full control over which versions they run. But the more important point is this: a surface-level license check of your direct dependencies is not sufficient. Copyleft obligations can hide several layers deep in a transitive dependency tree, in packages that carry permissive top-level licenses. OSSScan's Deep scan exists precisely to find them.
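As an added illustration (example code written for this page, not OSSScan's, Syft's or Grype's own code; the dependency graph below is constructed and says nothing about any real project's dependencies), the Go program below shows why a direct-dependency review misses what a full graph walk finds. It compares a surface-level check of a root package's direct dependencies against a breadth-first walk of the whole transitive tree, reporting each copyleft package together with the dependency path that pulls it in. The set of SPDX identifiers treated as copyleft is illustrative, not a legal classification.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Package is one node of a dependency graph. License holds the SPDX identifier
// a scanner such as Syft or ScanCode would report for it.
type Package struct {
	Name    string
	License string
	Deps    []string
}

// Graph maps a package name to its node.
type Graph map[string]Package

// copyleft is the illustrative set of identifiers this example treats as copyleft.
var copyleft = map[string]bool{
	"GPL-2.0-only": true, "GPL-3.0-only": true, "AGPL-3.0-only": true,
	"LGPL-2.1-only": true, "LGPL-3.0-only": true, "MPL-2.0": true,
}

// Finding records a copyleft package and the path from the root that introduces it.
type Finding struct {
	Package string
	License string
	Path    []string // root -> ... -> package
}

// FindCopyleft walks the full transitive graph from root breadth-first and
// returns every reachable copyleft package with the (shortest) path that
// pulls it in. Each package is reported once.
func FindCopyleft(g Graph, root string) []Finding {
	type item struct {
		name string
		path []string
	}
	seen := map[string]bool{root: true}
	queue := []item{{root, []string{root}}}
	var out []Finding
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		pkg, ok := g[cur.name]
		if !ok {
			continue // unresolved dependency: nothing more to walk
		}
		if cur.name != root && copyleft[pkg.License] {
			out = append(out, Finding{cur.name, pkg.License, cur.path})
		}
		for _, d := range pkg.Deps {
			if !seen[d] {
				seen[d] = true
				next := append(append([]string{}, cur.path...), d)
				queue = append(queue, item{d, next})
			}
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Package < out[j].Package })
	return out
}

// DirectOnly mimics a surface-level review: it inspects only the root's
// direct dependencies, which is all a top-level license check sees.
func DirectOnly(g Graph, root string) []string {
	var out []string
	for _, d := range g[root].Deps {
		if copyleft[g[d].License] {
			out = append(out, d)
		}
	}
	return out
}

// SampleGraph is a constructed graph: a permissively licensed tool whose
// transitive tree contains a copyleft package two levels down.
func SampleGraph() Graph {
	return Graph{
		"my-sbom-tool": {"my-sbom-tool", "Apache-2.0", []string{"archive-lib", "cli-kit"}},
		"archive-lib":  {"archive-lib", "MIT", []string{"compress-x"}},
		"compress-x":   {"compress-x", "GPL-3.0-only", nil},
		"cli-kit":      {"cli-kit", "BSD-3-Clause", []string{"term-colors"}},
		"term-colors":  {"term-colors", "MIT", nil},
	}
}

func main() {
	g := SampleGraph()
	fmt.Println("direct-only copyleft hits:", DirectOnly(g, "my-sbom-tool"))
	for _, f := range FindCopyleft(g, "my-sbom-tool") {
		fmt.Printf("%s (%s) via %s\n", f.Package, f.License, strings.Join(f.Path, " -> "))
	}
}
```

The direct-only check reports nothing, because every direct dependency is MIT or BSD licensed; the full walk reports compress-x (GPL-3.0-only) via my-sbom-tool -> archive-lib -> compress-x. Keeping the path in the finding matters in practice: it tells you which direct dependency to replace or vendor differently to remove the obligation.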
OSSScan includes a proxy-based network monitor that intercepts all outbound HTTP/HTTPS calls made by the application and its child tool processes. In Strict mode, any call to a destination not on the pre-approved allowlist is blocked and logged, giving you a complete record of every network attempt. In Balanced mode, calls to known-safe endpoints are allowed automatically while unexpected destinations are flagged. In both modes, a blocked-call log is written to the application data folder so you can audit any deviations. This mechanism is designed to give security-conscious teams confidence that OSSScan is behaving as documented, and to surface unexpected behavior from third-party tools.
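To show what the two modes mean operationally, here is an added Go example (written for this page, not OSSScan's own monitor; the allowlist entries are taken from the destinations table above and the request sample is constructed). It models the allowlist decision for a batch of outbound attempts from the application and a child tool process, enforces HTTPS only, requires an exact hostname match so that look-alike hosts do not inherit an allowlisted host's status, and produces the blocked-call audit lines that Strict mode blocks and Balanced mode flags.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
	"time"
)

// Mode selects how the monitor treats destinations that are not allowlisted.
type Mode int

const (
	Strict   Mode = iota // block and log anything not on the allowlist
	Balanced             // allow it, but flag and log it
)

// Decision is the monitor's verdict for one outbound request.
type Decision struct {
	Host    string
	Allowed bool
	Flagged bool
	Reason  string
}

// Monitor models a proxy-style allowlist: the exact hosts the application is
// documented to contact, plus an audit log of every deviation.
type Monitor struct {
	mode  Mode
	allow map[string]bool
	log   []string
}

// NewMonitor builds a monitor for the given mode and allowlisted hostnames.
func NewMonitor(mode Mode, hosts ...string) *Monitor {
	m := &Monitor{mode: mode, allow: map[string]bool{}}
	for _, h := range hosts {
		m.allow[strings.ToLower(h)] = true
	}
	return m
}

// Check evaluates one outbound request from the named process. Only https://
// is ever permitted, and the host must match an allowlist entry exactly, so a
// look-alike such as deps.dev.evil.example is not treated as deps.dev.
func (m *Monitor) Check(process, rawURL string, now time.Time) Decision {
	u, err := url.Parse(rawURL)
	if err != nil || u.Scheme != "https" {
		d := Decision{Host: rawURL, Allowed: false, Flagged: true, Reason: "not an HTTPS URL"}
		m.record(process, now, d)
		return d
	}
	host := strings.ToLower(u.Hostname())
	if m.allow[host] {
		return Decision{Host: host, Allowed: true} // documented destination: pass silently
	}
	var d Decision
	if m.mode == Strict {
		d = Decision{Host: host, Allowed: false, Flagged: true, Reason: "not on allowlist"}
	} else {
		d = Decision{Host: host, Allowed: true, Flagged: true, Reason: "unexpected destination"}
	}
	m.record(process, now, d)
	return d
}

// record appends one audit line; a real monitor would persist it to the
// application data folder.
func (m *Monitor) record(process string, now time.Time, d Decision) {
	verdict := "BLOCKED"
	if d.Allowed {
		verdict = "FLAGGED"
	}
	m.log = append(m.log, fmt.Sprintf("%s %s process=%s host=%s reason=%q",
		now.UTC().Format(time.RFC3339), verdict, process, d.Host, d.Reason))
}

// Log returns the audit lines recorded so far.
func (m *Monitor) Log() []string { return m.log }

func main() {
	// Allowlist built from the destinations documented above; the real list lives in the app.
	m := NewMonitor(Strict, "deps.dev", "npmjs.org", "pypi.org", "api.clearlydefined.io", "ossscan.com")
	// Constructed sample of outbound attempts as a proxy would observe them.
	attempts := []struct{ proc, url string }{
		{"ossscan", "https://deps.dev/lookup?pkg=npm/lodash@4.17.21"},
		{"ossscan", "https://api.clearlydefined.io/definitions/npm/npmjs/-/lodash/4.17.21"},
		{"ossscan", "http://deps.dev/lookup?pkg=npm/lodash@4.17.21"},
		{"ossscan", "https://deps.dev.evil.example/lookup"},
		{"grype", "https://updates.example.net/db"},
	}
	now := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC)
	for _, a := range attempts {
		d := m.Check(a.proc, a.url, now)
		fmt.Printf("%-8s allowed=%-5v flagged=%-5v %s\n", a.proc, d.Allowed, d.Flagged, a.url)
	}
	for _, line := range m.Log() {
		fmt.Println(line)
	}
}
```

Run in Strict mode the sample yields two silent passes and three audit lines (the plain-HTTP attempt, the look-alike host, and the child process reaching an undocumented host); switching the same monitor to Balanced changes the last two verdicts to allowed-but-flagged and leaves the audit trail intact, which is what makes the log useful for reviewing a third-party tool's behaviour after the fact.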
OSSScan collects no telemetry, analytics, or usage data of any kind. There are no analytics SDKs in the application and no data is ever sent to OSSScan or BigBrainCorp for the purpose of tracking usage.
When you purchase an OSSScan license, your machine fingerprint is collected as part of the checkout process. It is a one-way hash derived from stable hardware characteristics of your system (such as firmware UUIDs) and is used solely to bind the license file to your machine at the time it is generated.
There is no licensing server. Once the license file is delivered to you, all validation happens entirely on your device. On every launch, OSSScan verifies the cryptographic signature of the license file and confirms the fingerprint it contains matches the current machine. No network call is made. The license works fully offline.
The fingerprint is produced using SHA-256, a cryptographic hash function. SHA-256 is a one-way mathematical transformation: given only the hash output, it is computationally infeasible to reconstruct the original hardware identifiers that were used to produce it. This is a fundamental property of cryptographic hash functions and is why the fingerprint cannot be used to identify you personally, locate your machine on a network, or recover any hardware details. It is not shared with any third party.
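To make the offline validation described above concrete, here is an added Go example (not OSSScan's own code; the page does not state which signature scheme, identifier set or file format the product uses, so Ed25519, a JSON payload and the constructed identifiers below are assumptions for illustration). It derives a SHA-256 fingerprint from hardware identifiers, issues a signed license file bound to that fingerprint, and validates the file without any network access, including the two failure cases: a license issued for another machine and a payload altered after signing.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Fingerprint derives a one-way machine fingerprint from stable hardware
// identifiers. Inputs are trimmed and lower-cased, then joined with a NUL
// separator before hashing, so the same machine always yields the same
// digest and "ab"+"c" cannot collide with "a"+"bc".
func Fingerprint(ids ...string) string {
	norm := make([]string, len(ids))
	for i, id := range ids {
		norm[i] = strings.ToLower(strings.TrimSpace(id))
	}
	sum := sha256.Sum256([]byte(strings.Join(norm, "\x00")))
	return hex.EncodeToString(sum[:])
}

// License is the signed payload: who it was issued to and the machine it is bound to.
type License struct {
	Licensee    string `json:"licensee"`
	Fingerprint string `json:"fingerprint"`
}

// LicenseFile is what the customer receives: the payload plus a detached signature.
type LicenseFile struct {
	Payload   []byte `json:"payload"`
	Signature []byte `json:"signature"`
}

// Issue is the vendor-side step at checkout: sign the payload with the private key.
func Issue(priv ed25519.PrivateKey, lic License) (LicenseFile, error) {
	payload, err := json.Marshal(lic)
	if err != nil {
		return LicenseFile{}, err
	}
	return LicenseFile{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// Validate is the on-device step run at every launch. It verifies the signature
// against the public key embedded in the application, then checks that the
// bound fingerprint matches the one computed from the current machine.
// Nothing here touches the network.
func Validate(pub ed25519.PublicKey, f LicenseFile, currentFP string) error {
	if !ed25519.Verify(pub, f.Payload, f.Signature) {
		return errors.New("license signature invalid")
	}
	var lic License
	if err := json.Unmarshal(f.Payload, &lic); err != nil {
		return err
	}
	if subtle.ConstantTimeCompare([]byte(lic.Fingerprint), []byte(currentFP)) != 1 {
		return errors.New("license is bound to a different machine")
	}
	return nil
}

func main() {
	// Vendor key pair; in practice only the public half ships inside the app.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed hardware identifiers; a real implementation reads them from the OS.
	thisMachine := Fingerprint("FIRMWARE-UUID-0000-1111", "BOARD-SN-42")
	lic, err := Issue(priv, License{Licensee: "example customer", Fingerprint: thisMachine})
	if err != nil {
		panic(err)
	}
	fmt.Println("same machine:  ", Validate(pub, lic, thisMachine))
	fmt.Println("other machine: ", Validate(pub, lic, Fingerprint("FIRMWARE-UUID-9999-8888", "BOARD-SN-7")))
	tampered := lic
	tampered.Payload = []byte(strings.Replace(string(lic.Payload), "example customer", "someone else", 1))
	fmt.Println("tampered file: ", Validate(pub, tampered, thisMachine))
}
```

The one-way property works as stated: nothing in the digest reveals the identifiers. The digest is also deterministic, which is what makes it usable as a binding at all, and it is why the normalisation step matters: a single changed byte in any identifier produces an unrelated fingerprint and the license stops matching.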
We believe in transparency about what our security controls do not cover:
OSSScan is distributed exclusively from ossscan.com. There are no other spellings, hyphens, or look-alike domains. Any site that resembles OSSScan but is not at that exact address should be treated as a spoofed site.
To confirm you are on the genuine site, check all three of the following:
https://ossscan.com with a valid padlock.

To report a suspected spoofed site or phishing campaign impersonating OSSScan, contact jim@ossscan.com.
The following table summarizes the current state of security features:
| Feature | Status |
|---|---|
| macOS code signing + notarization | Implemented |
| HTTPS-only outbound calls | Implemented |
| Proxy-based network monitor (Strict / Balanced modes) | Implemented |
| Blocked-call audit log | Implemented |
| Light mode (zero outbound calls) | Implemented |
| Machine fingerprint (license enforcement only) | Implemented |
| SHA-256 checksum for Windows installer | Implemented |
| Downloads page: official domain banner (osscan.com warning) | Implemented |
| Downloads page: download URL origin validation | Implemented |
| Downloads page: Content Security Policy | Implemented |
| Feature | Status |
|---|---|
| Windows code signing (Authenticode) | Planned |