CLI Scanner

ts-scan

The open-source scanner for Software Composition Analysis. Detects all direct and transitive dependencies from your build system and generates a precise SBOM — automated in your CI/CD pipeline.

At a Glance

20+ Build Systems

Maven, Gradle, npm, PyPI, NuGet, Composer, Go Modules, Cargo, CocoaPods and many more.

GitHub Action

Seamless integration into GitHub workflows. A single line of YAML is all you need.

SPDX & CycloneDX

Standards-compliant export for sharing with customers, auditors and regulators.

Shift Left

Detect unsuitable or malicious components at build time — before they reach production.

Open Source

Fully open source on GitHub. Transparent code, no black box.

API-First

Results flow via a documented REST API into the TrustSource platform or your own tooling.

The Challenge

Modern software consists of 80–90% open-source components. Without an exact inventory, you don't know which licences apply, which vulnerabilities exist and whether your software meets regulatory requirements.

How ts-scan Works

ts-scan analyses the native lockfiles and build configurations of your project. It works with the package manager, not against it — delivering precise results without additional configuration.

Detected dependencies are submitted as a bill of materials (SBOM) to the TrustSource platform, where they are checked against vulnerability databases, licence policies and regulatory requirements.
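To make the lockfile-to-SBOM step concrete, here is an added illustration (not ts-scan's own code): it reads a constructed npm package-lock.json (lockfileVersion 3), separates the root project's direct dependencies from the transitive ones it pulled in, and emits a minimal CycloneDX JSON document with Package URLs and the dependency graph. The `dependency:scope` property name is an assumption chosen for this example.

```python
import json
from urllib.parse import quote

# Constructed sample input: a trimmed npm package-lock.json (lockfileVersion 3).
# The "" entry is the root project; every other key is an installed package path.
SAMPLE_LOCK = json.dumps({"name": "demo-app", "lockfileVersion": 3, "packages": {
    "": {"name": "demo-app", "version": "1.0.0", "dependencies": {"express": "^4.19.0"}},
    "node_modules/express": {"version": "4.19.2", "dependencies": {"debug": "2.6.9"}},
    "node_modules/debug": {"version": "2.6.9", "dependencies": {"ms": "2.0.0"}},
    "node_modules/ms": {"version": "2.0.0"},
}})


def purl(name: str, version: str) -> str:
    """Package URL for an npm package; scoped names need their '@' encoded as %40."""
    return f"pkg:npm/{quote(name, safe='/')}@{version}"


def parse_lock(text: str) -> dict:
    """Map package name -> (version, declared dependency names) for installed packages."""
    installed = {}
    for path, meta in json.loads(text)["packages"].items():
        if path == "":
            continue  # root project, not a component
        # Nested installs look like node_modules/a/node_modules/b; the name is the tail.
        name = path.rsplit("node_modules/", 1)[1]
        installed[name] = (meta["version"], set(meta.get("dependencies", {})))
    return installed


def build_bom(text: str) -> dict:
    """Emit a minimal CycloneDX 1.5 JSON document marking direct vs transitive deps."""
    direct = set(json.loads(text)["packages"][""].get("dependencies", {}))
    installed = parse_lock(text)
    components, graph = [], []
    for name, (version, deps) in sorted(installed.items()):
        ref = purl(name, version)
        scope = "direct" if name in direct else "transitive"
        components.append({"type": "library", "name": name, "version": version,
                           "purl": ref, "bom-ref": ref,
                           "properties": [{"name": "dependency:scope", "value": scope}]})
        # CycloneDX keeps the graph separate, so transitive paths stay reviewable.
        graph.append({"ref": ref, "dependsOn": [purl(d, installed[d][0])
                                                for d in sorted(deps) if d in installed]})
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
            "components": components, "dependencies": graph}
```

Nested duplicate versions of one package collapse into a single entry here; a production scanner keys on the full install path to keep them apart.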

Installation

pip install ts-scan

Docker images and from-source builds are documented in the repository.