Source Code Analysis

DeepScan

Whether malware, crypto algorithms, copyrights or licences — the truth is in the code. And that's exactly what DeepScan examines. At every level: as a lean CLI, a convenient Docker image, a managed service or an auto-scaling mass repo scanner.


At a Glance

Post Quantum Security

Identifies cryptographic algorithms in source code. Discover early which components are relevant for migration to quantum-safe methods.

Malware Detection

Scans for known malicious code patterns, backdoors and suspicious constructs in dependencies and your own code.

Effective Licences

Determines the actually applicable licences from the source code — not from often incomplete or incorrect package metadata.

Copyright Analysis

Extracts copyright notices and author information from source files — the basis for correct attribution and compliance evidence.

Export Control

Generates a Cryptography Bill of Materials (CBOM) in CycloneDX format — the foundation for EAR/ECCN classification and export control compliance.

Snippet Detection

Detects copy-paste fragments and embedded third-party code — powered by SCANOSS. Even when only a few lines were taken from another project.

Python CLI & Docker

Lean Python CLI for command-line analysis. Docker image for seamless integration into your CI/CD pipeline.

SBOM Mass-Scanning

Automatically scans all transitive repositories of an SBOM. Scalable in your private cloud — for portfolios with thousands of components.

The Challenge

Package metadata lies. A component declares MIT but contains GPL code as a copy-paste fragment. A dependency tree shows Apache-2.0, yet the source code contains a cryptographic algorithm subject to export control. If you only check metadata, you only see half the truth.

How DeepScan Works

DeepScan downloads the source code and compares it line by line against an extensive reference database. The scanner identifies licence markers, copyright notices, code fragments from known open-source projects, cryptographic algorithms and malicious code patterns.

The results are submitted as structured findings to the TrustSource platform, where they are evaluated in the context of the project: Does the effective licence contradict the declared one? Are there export-controlled algorithms? Were code fragments adopted without proper attribution?
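A minimal illustration of the approach described in "The Challenge" and "How DeepScan Works": a scanner walks the files, matches each line against a reference lookup, and then compares the licences actually found in the code with the licence the package metadata declares. This is an added example written for this page, not ts-deepscan's own code; the "repository" is a handful of constructed files, and the reference database is reduced to a small lookup of SPDX identifiers and algorithm names.

```python
"""Toy source-level scanner: licence markers, copyright notices, crypto usage.

Added example, not part of ts-deepscan. All sample files and the algorithm
lookup below are constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample "repository": path -> file contents. Declared licence is
# MIT, but a vendored C file carries a GPL-2.0-only marker (the metadata lies).
SAMPLE_FILES = {
    "package.json": '{"name": "demo", "version": "1.0.0", "license": "MIT"}',
    "src/app.py": (
        "# SPDX-License-Identifier: MIT\n"
        "# Copyright (c) 2021 Example Corp\n"
        "import hashlib\n"
        "def digest(data: bytes) -> str:\n"
        "    return hashlib.sha256(data).hexdigest()\n"
    ),
    "src/vendored/fastsort.c": (
        "/* SPDX-License-Identifier: GPL-2.0-only */\n"
        "/* Copyright (C) 2009 Jane Doe <jane@example.org> */\n"
        "void fastsort(int *a, int n) { /* ... */ }\n"
    ),
    "src/crypto/tls.py": (
        "# Copyright 2020 Example Corp\n"
        "CIPHER = 'AES-256-GCM'\n"
        "def key_exchange():\n"
        "    return rsa_generate(2048)\n"
    ),
}

DECLARED_LICENSE_RE = re.compile(r'"license"\s*:\s*"([^"]+)"')
SPDX_RE = re.compile(r"SPDX-License-Identifier:\s*([A-Za-z0-9.+\-]+)")
# Stops at '*' so C comment terminators do not leak into the notice text.
COPYRIGHT_RE = re.compile(r"Copyright\s*(?:\(c\)|©)?\s*([0-9]{4}[^\n*]*)", re.IGNORECASE)

# Constructed reference lookup: algorithm -> (category, relevant for PQ migration).
# Public-key schemes are flagged because they are the ones quantum attacks break.
CRYPTO_ALGOS = {
    "sha256": ("hash", False),
    "aes": ("symmetric", False),
    "rsa": ("asymmetric", True),
    "ecdsa": ("asymmetric", True),
}
CRYPTO_RE = re.compile(r"\b(" + "|".join(CRYPTO_ALGOS) + r")[A-Za-z0-9_\-]*\b", re.IGNORECASE)


@dataclass
class Findings:
    declared_license: Optional[str] = None
    effective_licenses: dict = field(default_factory=dict)   # licence -> {files}
    copyrights: list = field(default_factory=list)           # (file, notice)
    crypto: list = field(default_factory=list)               # (file, token, category, pq)

    def license_conflicts(self) -> set:
        """Effective licences found in code that differ from the declared one."""
        if self.declared_license is None:
            return set(self.effective_licenses)
        return {lic for lic in self.effective_licenses if lic != self.declared_license}

    def pq_migration_files(self) -> set:
        """Files that use algorithms flagged as relevant for post-quantum migration."""
        return {path for path, _, _, pq in self.crypto if pq}


def scan(files: dict) -> Findings:
    """Match every file line by line against the reference patterns."""
    result = Findings()
    for path, text in files.items():
        if path.endswith("package.json"):
            m = DECLARED_LICENSE_RE.search(text)
            if m:
                result.declared_license = m.group(1)
            continue
        for m in SPDX_RE.finditer(text):
            result.effective_licenses.setdefault(m.group(1), set()).add(path)
        for m in COPYRIGHT_RE.finditer(text):
            result.copyrights.append((path, m.group(0).strip()))
        for m in CRYPTO_RE.finditer(text):
            category, pq = CRYPTO_ALGOS[m.group(1).lower()]
            result.crypto.append((path, m.group(0), category, pq))
    return result


if __name__ == "__main__":
    r = scan(SAMPLE_FILES)
    print("declared:", r.declared_license)
    print("effective:", {k: sorted(v) for k, v in r.effective_licenses.items()})
    print("conflicts:", sorted(r.license_conflicts()))
    print("PQ migration candidates:", sorted(r.pq_migration_files()))
    for path, notice in r.copyrights:
        print("copyright:", path, "->", notice)
```

Running it reports MIT as declared, MIT and GPL-2.0-only as effective, flags GPL-2.0-only as a conflict, and lists `src/crypto/tls.py` as a migration candidate because of the RSA key exchange, while the AES and SHA-256 uses are recorded but not flagged. A real scanner replaces the regex lookup with hashed reference fingerprints so that unmarked copy-paste fragments are caught as well, not only files that still carry their SPDX header.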

Deployment Options

CLI: Quick ad-hoc analysis of individual projects or directories. Ideal for developers who want to check before committing.

Docker: Containerised scan as a step in your CI/CD pipeline. No local installation, reproducible results.

Managed Service: DeepScan as a hosted instance on the TrustSource platform. Enter a repository URL, start the scan, done.

Mass Scanner: Auto-scaling operation for portfolios with hundreds or thousands of repositories. Parallelised analysis with centralised reporting.

Open source

DeepScan's scanner is open source — explore the code and documentation:

trustsource / ts-deepscan

Repository scanner for identification of licenses, copyrights and encryption.

Language: Python. Licence: Apache-2.0.
Topics: Licenses, Copyrights, Crypto / CBOM, Malware, SPDX, CycloneDX

Try it for free

Test DeepScan directly in your browser — no installation, no account required. Enter a public repository URL and choose what to scan for: licences, copyrights, crypto algorithms or snippets.

Launch DeepScan Free Scanner →

Whitepaper: Securing the Foundation

SCA in the C/C++ world remains a challenge. Learn how bimodal scanning with DeepScan reduces analysis effort and creates real transparency in the embedded world.

Read whitepaper →