[OpenSSF Scorecard](https://scorecard.dev/viewer/?uri=github.com/TrustSource/ts-scan)
# TrustSource Scanner
The **ts-scan** scanner is a powerful command-line tool designed for scanning package dependencies, generating Software Bill of Materials (SBOM) files, and analyzing existing SBOMs for security and compliance insights. It supports multiple SBOM formats, including SPDX and CycloneDX, allowing users to integrate it seamlessly into their software supply chain workflows.
## Description
**ts-scan** scans a project for dependencies and stores the results in either its internal format or one of the supported SBOM formats, SPDX or CycloneDX. It currently supports **PyPI**, **Maven** (and Gradle builds, see the scan options below), **NuGet** and **NPM**, and can also use [Syft](https://github.com/anchore/syft) as a backend, which allows it to scan Docker containers.
Once dependencies are collected, **ts-scan** can upload the results to the [TrustSource](https://www.trustsource.io) application, check the components for known vulnerabilities, or run an in-depth analysis of each package. The in-depth analysis extracts license and copyright information, detects cryptographic algorithms, identifies code snippets and looks for malware, using its own analyzers or external tools such as [scancode-toolkit](https://github.com/aboutcode-org/scancode-toolkit), [SCANOSS](https://www.scanoss.com) and [YARA](https://virustotal.github.io/yara/).
**ts-scan** integrates into CI/CD pipelines for continuous, automated security and compliance checks. It can be configured to break the build when vulnerabilities or legal issues are detected, so that compliance problems surface early in development. It can also be used with SCM hooks on developers' machines for pre-commit checks, or to run long-running in-depth analyses remotely during release builds.
## Installation
**ts-scan** is available as a *PyPI* package. To install, you will require a recent *Python (>= 3.10)* version installed and *pip (>=22.0)*. Generally *pip* is already contained in your *Python* distribution but if not, follow pip's [installation instruction](https://pip.pypa.io/en/stable/installing/).
### Installation from the PyPI repository
```shell
pip install ts-scan
```
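As an added example, not part of the ts-scan project or its documentation, the following POSIX shell script treats the PyPI artefact as untrusted until its digest has been checked: it downloads only the ts-scan 1.3.0 wheel, compares its sha256 against the digest published in the package's PyPI release record (reproduced at the end of this page), and then installs from a hash-pinned requirements file. The `TS_PIN_RUN` switch and the `./dist` directory are this example's own conventions; `pip download --no-deps` and `pip install --require-hashes` are standard pip options.

```shell
#!/bin/sh
# Added example, not part of the ts-scan project: verify the wheel digest
# before installing, and pin it for pip's --require-hashes mode.
# The digest below is the sha256 of ts_scan-1.3.0-py3-none-any.whl from the
# package's PyPI release record; TS_PIN_RUN is a hypothetical switch.
set -eu

TS_SCAN_VERSION="1.3.0"
TS_SCAN_WHEEL_SHA256="76dbc788bde60c3006c7d4db7cbba6e00c67d062857279064efc8f497bfcdb32"

# Portable sha256 of a file (GNU coreutils sha256sum or BSD/macOS shasum).
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Return 0 when the file's digest equals the expected one, 1 otherwise.
# Both sides are lower-cased so a digest copied from a tool that prints
# upper-case hex does not cause a spurious mismatch.
verify_artifact() {
  actual=$(file_sha256 "$1" | tr 'A-F' 'a-f')
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  [ "$actual" = "$expected" ]
}

# One requirements line in the form pip expects for --require-hashes.
pinned_requirement() {
  printf '%s==%s --hash=sha256:%s\n' "$1" "$2" "$3"
}

# Full flow: download only the ts-scan wheel, check its digest, then install
# from a hash-pinned requirements file. In --require-hashes mode pip refuses
# any artefact whose digest does not match and demands a hash for every
# package in the resolution, transitive dependencies included, so the
# complete file is normally produced with a lock tool such as
# `pip-compile --generate-hashes` rather than written by hand.
install_pinned() {
  dist_dir="$1"; req_file="$2"
  python3 -m pip download --no-deps -d "$dist_dir" "ts-scan==$TS_SCAN_VERSION"
  verify_artifact "$dist_dir/ts_scan-${TS_SCAN_VERSION}-py3-none-any.whl" "$TS_SCAN_WHEEL_SHA256" \
    || { echo "ts-scan wheel digest mismatch, refusing to install" >&2; return 1; }
  python3 -m pip install --require-hashes -r "$req_file"
}

# Usage: TS_PIN_RUN=1 sh pinned-install.sh requirements.txt
# (requirements.txt must carry --hash entries for ts-scan and all its dependencies)
if [ "${TS_PIN_RUN:-0}" = 1 ]; then
  install_pinned ./dist "${1:-requirements.txt}"
fi
```

The explicit `verify_artifact` step is redundant with what `--require-hashes` does internally; it is kept separate here so that a mismatch is reported as a digest failure for ts-scan itself rather than buried in pip's resolver output, and so the same check can be reused for artefacts that are not installed with pip.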
### Installation from a local folder
```shell
git clone https://github.com/trustsource/ts-scan.git
cd <path to the ts-scan repo, typically ts-scan>
# --process-dependency-links was removed in pip 19 and is not needed with pip >= 22
pip install ./
```
### Installation as a Docker image
In some scenarios you may want to run **ts-scan** inside a Docker container, e.g. to isolate it from version conflicts in the host's Python environment.
> [!CAUTION]
>
> Scanning Docker images with Syft from within the *ts-scan* Docker image is **not** supported, for security reasons. Run image scans from a host installation of ts-scan instead.
#### Build a Docker image containing ts-scan (x86-64)
```shell
cd <path to the ts-scan>
docker build -t ts-scan .
```
#### Build a Docker image containing ts-scan (ARM hosts)
On ARM hosts (e.g. Apple Silicon machines) build an x86-64 image instead:
```shell
cd <path to the ts-scan>
docker buildx build --platform linux/amd64 -t ts-scan .
```
The reason is that pyminr, the cryptographic-algorithm scanner, might fail to install on ARM chips. The resulting image runs under CPU emulation on the ARM host, which is noticeably slower than a native image.
#### Use ts-scan from the Docker image
Note that the container cannot see the host file system: mount the project directory into the container as a volume (```docker run -v ...```) and pass the in-container path to the command.
```shell
docker run ts-scan <COMMAND>
```
## Usage
The **ts-scan** functionality is divided into a set of commands based on the intended goal. The following commands are available:
| Command | Description |
|---------|-------------|
| [init](#init) | Initialize a TrustSource project |
| [scan](#scan) | Scan for package dependencies |
| [analyse](#analyse) | Perform an in-depth analysis of a scan or an SBOM file |
| [check](#check) | Check packages for legal issues and vulnerabilities |
| [upload](#upload) | Upload scan and analysis results to the TrustSource application |
| [import](#import) | Import SPDX and CycloneDX files directly into the TrustSource application |
| [convert](#convert) | Convert an SBOM between the supported formats (TS, SPDX, CycloneDX) |
To display a list of all available commands, use:
```shell
ts-scan --help
```
To get details about a specific command, use:
```shell
ts-scan <COMMAND> --help
```
## User Settings
The first time **ts-scan** is executed, a user settings file is created in the home directory at **$HOME/.ts-scan/config**. It contains an empty ```[default]``` profile.
The user settings file can store any option that can be passed to **ts-scan**; options are grouped into profiles. Because the file typically holds API keys in clear text, restrict its permissions to your own user account and never commit it to version control.
An example of a user settings file is:
```toml
[default]
api_key="<TrustSource API key>"
[dev]
api_key="<TrustSource API key from the Dev account>"
project_name="TrustSource default Project in the Dev account"
```
The format is a dictionary with the option name in snake case as the key and the option value as the value. For example, if the **ts-scan** option for the project name is ```--project-name```, the corresponding key in the user settings file is ```project_name```.
When **ts-scan** is executed, all options from the ```default``` profile are loaded as default values for the command line options. An option passed explicitly on the command line overrides the default value.
To select a profile, use the ```-p``` / ```--profile``` option. For example, to use the ```dev``` profile:
```shell
ts-scan -p dev upload MyScan.json
```
In this case the **ts-scan** will use the ```api_key``` and ```project_name``` from the ```dev``` profile for the upload.
## Init
The **init** command initializes a TrustSource project. It creates a configuration file in the given directory that can store the project name and the API key, so that developers do not have to pass them on the command line every time a new scan is uploaded.
To initialize a project, use:
```shell
ts-scan init --project-name <TrustSource project name> --api-key <TrustSource API key> <path to the project directory>
```
Both parameters are optional; for example, only the project name can be stored in the project configuration while the API key stays in the [user settings file](#user-settings). This split is the safer one: the project configuration file lives next to the source and is easily committed by accident, so keep the key in the user settings file (or inject it from a CI secret) and exclude any project file that does contain a key from version control.
**Note**: project settings override the user settings file, and explicitly passed command line options override the project settings. For example, if the API key is passed on the command line, it overrides the key stored in the project settings file.
## Scan
The **scan** command searches for package dependencies in your project. By providing a path, ts-scan automatically detects supported package management systems and extracts a full dependency tree. The scan results can be stored in a file using either the internal TS format or one of the supported SBOM formats: SPDX or CycloneDX.
To execute a scan and store results into a file, use:
```shell
ts-scan scan -o <path to the output file> [-f <output format>] <path to the project directory>
```
The ```-f <output format>``` option controls the output format and can be:
* ```ts``` - the TrustSource internal format (default)
* ```spdx-[tag|json|yaml|xml]``` - One of the SPDX formats, e.g. ```spdx-json```
* ```cyclonedx-[json|xml]``` - One of the CycloneDX formats, e.g. ```cyclonedx-json```
### Options
**ts-scan** has general options as well as options that apply only while scanning a specific package type. Package-specific options are prefixed with the type of the package management system, using the [Package URL type](https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst) as the prefix. The following options are available for most supported package management systems:
* ```--[maven|gradle|npm|nuget|pypi]:ignore``` - Disable scanning dependencies of the type
* ```--[maven|gradle|npm|nuget]:executable``` - Specify a path to the PM executable
* ```--[maven|gradle|npm|nuget]:forward``` - Forward arguments to the PM's executable
The full list of options including PM specific options can be printed using:
```shell
ts-scan scan --help
```
#### Package manager executable path
While scanning for Maven, Node and NuGet dependencies, **ts-scan** calls the corresponding package manager executables. For example, to specify a path to the Maven executable, use the following option:
```shell
ts-scan scan --maven:executable /opt/local/bin/mvn <PATH>
```
#### Forward custom parameters to a scanner executable
There are also options to forward parameters to a package manager executable. For example, in order to pass a settings file to Maven, one can use the following combination:
```shell
ts-scan scan --maven:forward --settings,customSettings.xml <PATH>
```
### Other options
* ```--verbose``` - Enables verbose mode (including output from PM executables, useful for debugging)
* ```--tag <TAG>``` - Stores the SCM tag ```<TAG>``` in the scan
* ```--branch <BRANCH>``` - Stores the SCM branch ```<BRANCH>``` in the scan
### Scan with Syft as a backend
**ts-scan** can use [Syft](https://github.com/anchore/syft) scanner as a backend for dependencies scanning. To enable the Syft scanner, use the following option:
```shell
ts-scan scan --use-syft <SOURCE>
```
As the source you can specify any source type accepted by Syft, for example a local filesystem path. For details on the supported sources, refer to [Syft Supported Sources](https://github.com/anchore/syft/wiki/supported-sources).
Before calling Syft, **ts-scan** looks for the Syft executable in the default locations. To specify a custom location, use the following option:
```shell
ts-scan scan --use-syft --syft-path <syft executable> <SOURCE>
```
To pass custom parameters directly to Syft:
```shell
ts-scan scan --use-syft --Xsyft <option>,<value> <SOURCE>
```
#### Scan Docker images with Syft
Syft supports many different input types, and one of them is Docker images. To scan a local docker image, use the following command:
```shell
ts-scan scan --use-syft -o <OUTPUT> docker:<DOCKER IMAGE>
```
## Analyse
The in-depth dependency analysis is performed with the **analyse** command, which takes a scan file in one of the supported formats (the internal TS format, SPDX or CycloneDX) as input. For each dependency, the tool locates the package's files and scans each of them with [ts-deepscan](https://github.com/TrustSource/ts-deepscan). Additionally, it uses [SCANOSS](https://www.scanoss.com) to enrich the collected in-depth results. The **analyse** command can also take a directory as input and scan the files inside it directly.
To analyse a scan or a directory and store results into a file, use:
```shell
ts-scan analyse [-f <input format>] [-o <output>] <path to the scan file or directory>
```
The ```-f <input format>``` option specifies the input format of the scan to be checked (if a scan file is provided as input) and accepts the same values as the ```<output format>``` of the [scan](#scan) command.
By default, the **analyse** command applies [ts-deepscan](https://github.com/TrustSource/ts-deepscan) with its default configuration and extends the analysis results with data from the SCANOSS API.
To disable or fine-tune specific analysis steps, you can use additional options.
### Options
* ```--disable-deepscan``` - Disables analysis using DeepScan.
* ```--disable-scanoss``` - Disables extending DeepScan results with SCANOSS data.
* ```--scanoss-api-key <SCANOSS API key>``` - A SCANOSS API key, required for accessing data provided by SCANOSS over non-public API. For more details, please refer to [SCANOSS](https://www.scanoss.com)
* ```--Xdeepscan <OPTION>,<VALUE>``` - Forwards <OPTION> <VALUE> to the DeepScan **scan** command.
```--Xdeepscan``` can be used to configure the DeepScan analysers. For example, to analyse a scan with a timeout (in seconds) per file, use:
```shell
ts-scan analyse --Xdeepscan timeout,30 <path to the scan file or directory>
```
For more details on available options for DeepScan, please refer to [ts-deepscan documentation](https://github.com/TrustSource/ts-deepscan).
## Check
The **ts-scan check** command verifies project dependencies for legal issues and known vulnerabilities. It performs these checks through the TrustSource API and supports two modes:
1. A full check based on the settings of the corresponding TrustSource project (a TrustSource project is required; refer to [TrustSource](https://www.trustsource.io) for more details).
2. A vulnerabilities-only check of each component against the TrustSource vulnerability database.
By default, the **check** command performs a full check. To check only for vulnerabilities, use the ```--vulns-only``` option.
In addition to vulnerability checks, the full mode also detects potential legal issues, such as license incompatibilities between dependencies or conflicts with the planned distribution model.
Both modes exit with a non-zero code (1) if vulnerabilities or legal issues are found, which makes the command easy to use as a gate in CI/CD workflows.
### Full scan check
To execute a full check, use the following command:
```shell
ts-scan check --project-name <TrustSource project name> --api-key <TrustSource API key> [-f <input format>] [-o <output>] <path to the scan file>
```
The options ```--project-name <TrustSource project name>``` and ```--api-key <TrustSource API key>``` are required for the full check.
> [!NOTE]
>
> Before executing a full check, you need to create a project in the TrustSource application and [upload](#upload) the scan into it. For more details, refer to the [TrustSource User Guide](https://www.trustsource.io).
The ```-f <input format>``` option specifies the input format of the scan to be checked and accepts the same values as the ```<output format>``` of the [scan](#scan) command.
Optionally, using the ```-o <output>``` option, you can store the check results into a JSON file.
### Vulnerabilities-Only check
A vulnerabilities check can be performed by adding a ```--vulns-only``` option to the **check** command:
```shell
ts-scan check --vulns-only --api-key <TrustSource API key> [-f <input format>] [-o <output>] [--vulns-confidence low|medium|high] <path to the scan file>
```
A vulnerabilities-only check does not require creation of the project and uploading the scan before running the check.
The ```--vulns-confidence <level>``` option controls how confidently a component must match an affected product listed in a security bulletin (such as the vendor/product tuples of CVEs) before a vulnerability is reported. The default is ```high```, which minimizes false positives; lower levels accept looser matches and therefore produce more findings to triage, at the cost of more false positives.
### Options
There are several useful options available for both modes, making it easier to integrate the **check** command into CI/CD pipelines:
* ```--exit-on-legal``` - Exit with a non-zero (1) exit code if legal violations are found (default: ```on```)
* ```--exit-on-vulns``` - Exit with a non-zero (1) exit code if vulnerabilities are found (default: ```on```)
* ```--Werror``` - Treat vulnerability/legal warnings as errors
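As an added example, not code from the ts-scan project, the following POSIX shell script shows how the **scan** and **check** commands fit together as a CI gate, and how to get the API key into the documented user settings file from a CI secret instead of putting it on the command line. The environment variable names `TS_API_KEY` and `TS_GATE_RUN`, the file names `scan.json` and `check-report.json`, and the policy of treating exit statuses other than 0 and 1 as tool failures are this example's assumptions, not ts-scan behaviour.

```shell
#!/bin/sh
# Added example, not part of the ts-scan project: a CI gate around the
# documented scan and check commands. TS_API_KEY (the CI secret) and
# TS_GATE_RUN (a switch so the file can be sourced without running) are
# hypothetical names chosen for this example.
set -eu

# Write the key into the documented user settings file ($HOME/.ts-scan/config,
# TOML, [default] profile) instead of passing --api-key on the command line,
# where it would be visible in `ps` output and in CI job logs. The file is
# created with mode 600 because it holds the key in clear text.
write_ts_config() {
  home_dir="$1"   # normally "$HOME"; a parameter so the function is testable
  api_key="$2"
  mkdir -p "$home_dir/.ts-scan"
  # subshell so the restrictive umask does not leak into the rest of the script
  ( umask 077; printf '[default]\napi_key="%s"\n' "$api_key" > "$home_dir/.ts-scan/config" )
  # `>` keeps the mode of a pre-existing file, so enforce it explicitly as well
  chmod 600 "$home_dir/.ts-scan/config"
}

# Translate the exit status of `ts-scan check` into a pipeline verdict.
# ts-scan exits 1 when vulnerabilities or legal issues are found (the
# --exit-on-vulns / --exit-on-legal defaults); this script treats any other
# non-zero status as a tool failure so that a crashed or misconfigured
# scanner can never pass as a clean run.
check_verdict() {
  case "$1" in
    0) echo pass ;;
    1) echo findings ;;
    *) echo error ;;
  esac
}

# Scan the project, then run a vulnerabilities-only check on the scan file.
# --vulns-only needs no TrustSource project or prior upload, which keeps the
# gate usable on feature branches; use the full check for release builds.
run_gate() {
  project_dir="$1"; scan_file="$2"; report="$3"
  ts-scan scan -o "$scan_file" -f ts "$project_dir"
  status=0
  ts-scan check --vulns-only --vulns-confidence high --Werror \
    -o "$report" "$scan_file" || status=$?
  verdict=$(check_verdict "$status")
  echo "ts-scan check: $verdict (exit status $status, report in $report)"
  [ "$verdict" = pass ]
}

# Usage: TS_API_KEY=... TS_GATE_RUN=1 sh ci-gate.sh <project dir>
if [ "${TS_GATE_RUN:-0}" = 1 ]; then
  : "${TS_API_KEY:?TS_API_KEY must be provided by the CI secret store}"
  write_ts_config "$HOME" "$TS_API_KEY"
  run_gate "${1:-.}" scan.json check-report.json
fi
```

The same `run_gate` function can be called from a git pre-commit hook for the local checks mentioned in the description. For release builds, replace `--vulns-only` with the full check, which additionally needs `--project-name` and a prior upload of the scan, and archive `check-report.json` with the build so the findings that blocked (or passed) a release remain auditable.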
## Upload
The **upload** command uploads a scan (and any analysis results it contains) to the [TrustSource App](https://www.trustsource.io), where it is attached to the given project:
```shell
ts-scan upload --project-name <TrustSource project name> --api-key <TrustSource API key> <path to the scan JSON file>
```
#### More info
```shell
ts-scan upload --help
```
## Import SBOMs
The **import** command imports an existing SBOM directly into the [TrustSource App](https://www.trustsource.io), without running a scan first.
Supported import formats:
- SPDX RDF (spdx-rdf)
- SPDX JSON (spdx-json)
- CycloneDX (cyclonedx)
```shell
ts-scan import -f <SBOM format> -v <SBOM format version> --module <SBOM module name> --module-id <SBOM module id> --project-name <TrustSource project name> --api-key <TrustSource API key> <path to the SBOM file>
```
#### More info
```shell
ts-scan import --help
```
## Convert
To convert an SBOM between the supported formats, use:
```shell
ts-scan convert [-f <input format>] [-of <output format>] [-o <output>] <path to the SBOM file>
```
The ```-f <input format>``` and ```-of <output format>``` options specify the input and output formats respectively and accept the same values as the ```<output format>``` of the [scan](#scan) command.
## License
[Apache-2.0](https://github.com/trustsource/ts-pip-plugin/blob/master/LICENSE)
## Package metadata
The following facts come from the PyPI release record this README was taken from. The record's `description` field, which repeats the README above verbatim, is omitted.
* Package: `ts-scan` 1.3.0, summary "TrustSource Packages Scanner", author EACG GmbH, requires Python >= 3.10
* Homepage: https://github.com/trustsource/ts-scan.git
* Keywords: dependencies, modules, compliance, TrustSource
* Wheel `ts_scan-1.3.0-py3-none-any.whl` (57912 bytes, uploaded 2025-07-14T12:04:16Z, not yanked, no signature):
  * sha256 `76dbc788bde60c3006c7d4db7cbba6e00c67d062857279064efc8f497bfcdb32`
  * blake2b_256 `dfddd9569c3fc04d3a8b44ff750ed33d300f11935336bf691aecd9cb8ea0aa64`
  * https://files.pythonhosted.org/packages/df/dd/d9569c3fc04d3a8b44ff750ed33d300f11935336bf691aecd9cb8ea0aa64/ts_scan-1.3.0-py3-none-any.whl
* Source distribution `ts_scan-1.3.0.tar.gz`:
  * blake2b_256 `d5a52a2bbc9b122f12225d71a40a87d45bd88b572ac8f52ee9064437e914cba8`
  * https://files.pythonhosted.org/packages/d5/a5/2a2bbc9b122f12225d71a40a87d45bd88b572ac8f52ee9064437e914cba8/ts_scan-1.3.0.tar.gz
"md5": "ec10b7134a253e38b990363229215ee8",
"sha256": "4a44c713a9fca17e40a902225924854b5fdc24b6138808325f3795e49fef81ac"
},
"downloads": -1,
"filename": "ts_scan-1.3.0.tar.gz",
"has_sig": false,
"md5_digest": "ec10b7134a253e38b990363229215ee8",
"packagetype": "sdist",
"python_version": "source",
"requires_python": ">=3.10",
"size": 555299,
"upload_time": "2025-07-14T12:04:18",
"upload_time_iso_8601": "2025-07-14T12:04:18.831743Z",
"url": "https://files.pythonhosted.org/packages/d5/a5/2a2bbc9b122f12225d71a40a87d45bd88b572ac8f52ee9064437e914cba8/ts_scan-1.3.0.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2025-07-14 12:04:18",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "trustsource",
"github_project": "ts-scan",
"travis_ci": false,
"coveralls": false,
"github_actions": true,
"requirements": [
{
"name": "defusedxml",
"specs": [
[
"~=",
"0.7.1"
]
]
},
{
"name": "semantic_version",
"specs": [
[
"~=",
"2.10.0"
]
]
},
{
"name": "build",
"specs": [
[
"~=",
"1.2.2"
]
]
},
{
"name": "importlib-metadata",
"specs": [
[
"~=",
"8.6.0"
]
]
},
{
"name": "requests",
"specs": [
[
"~=",
"2.32.3"
]
]
},
{
"name": "ts-deepscan",
"specs": [
[
"~=",
"2.3.0"
]
]
},
{
"name": "spdx-tools",
"specs": [
[
">=",
"0.8.2"
]
]
},
{
"name": "click",
"specs": [
[
"==",
"8.1.7"
]
]
},
{
"name": "click-params",
"specs": [
[
"~=",
"0.5.0"
]
]
},
{
"name": "license-expression",
"specs": [
[
"~=",
"30.4.0"
]
]
},
{
"name": "packageurl-python",
"specs": [
[
"~=",
"0.16.0"
]
]
},
{
"name": "wasabi",
"specs": [
[
"~=",
"1.1.3"
]
]
},
{
"name": "dataclasses-json",
"specs": [
[
"~=",
"0.6.7"
]
]
},
{
"name": "cyclonedx-python-lib",
"specs": [
[
"~=",
"8.5.0"
]
]
},
{
"name": "shippinglabel",
"specs": [
[
"~=",
"2.1.0"
]
]
},
{
"name": "tqdm",
"specs": [
[
"~=",
"4.67.0"
]
]
},
{
"name": "scanoss",
"specs": [
[
"~=",
"1.20.4"
]
]
},
{
"name": "toml",
"specs": [
[
"~=",
"0.10.2"
]
]
}
],
"lcname": "ts-scan"
}