ScanCode.io is configured with environment variables stored in a
.env file is created at the root of the ScanCode.io codebase during its
You can configure your preferences using the following settings in the
ScanCode.io is based on the Django web framework and its settings system. The list of settings available in Django is documented at Django Settings.
Settings specific to ScanCode.io are all prefixed with
Restarting the services is required following any changes to .env:
docker compose restart web worker
The database can be configured using the following settings:
By default, the ScanCode.io Web UI and REST API are available without any authentication.
The authentication system can be enabled with this setting:
Once enabled, all the Web UI views and REST API endpoints will force the user to login to gain access.
A management command $ scanpipe create-user <username> is available to create users and generate their API key for authentication.
See Authentication for details on using the
authentication system in the REST API.
This setting defines the workspace location of a given project. The workspace is the directory where all of the project’s files are stored, such as input, codebase, and output files:
It defaults to a var/ directory in the local ScanCode.io codebase.
See Project workspace for more details.
The location of the .scancode/ configuration directory within the project codebase.
This directory lets you provide configuration files and customizations for a ScanCode.io project directly through the codebase files.
For example, to provide a custom attribution template to your project, add it in a .scancode/ directory located at the root of your codebase before uploading it to ScanCode.io. The expected location of the attribution template is:
By default, multiprocessing is enabled and configured to use an optimal number of CPUs available on the machine. You can control the number of parallel processes available to ScanCode.io using the SCANCODEIO_PROCESSES setting:
Multiprocessing can be disabled entirely using “0”:
To disable both multiprocessing and threading, use “-1”:
Multiprocessing and threading are disabled by default on operating systems where the multiprocessing start method is not “fork”, such as on macOS.
When enabled, pipeline runs are executed asynchronously, meaning that users can continue using the app while the pipelines run in the background.
The ASYNC mode is enabled by default in a “Run with Docker” configuration but disabled in a “Local development” setup.
It is possible to enable ASYNC mode in a “local development” setup with the following setting:
Once enabled, pipeline runs will be sent to a task queue instead of being executed synchronously in the web server process.
The ASYNC mode requires a Redis server and a running tasks worker, started with
$ make worker.
On macOS, the ASYNC mode requires the following line in your environment:
Maximum time allowed for a pipeline to complete. The pipeline run will be stopped and marked as failed if that limit is reached.
The value is a string with a specified unit of hour, minute, or second (e.g. “1h”, “3m”, “5s”):
Maximum time allowed for a file to be analyzed when scanning a codebase.
The value is an integer number of seconds:
120 (2 minutes)
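The value formats described above for SCANCODEIO_PROCESSES and for the pipeline timeout string can be checked before restarting the services. The following is an added example, not ScanCode.io's own code: the timeout setting's name is not shown on this page, so the key is supplied by the caller and the sample uses the placeholder EXAMPLE_TIMEOUT; treating values below -1 as invalid is an assumption.

```python
import re

# Units the page lists for the pipeline timeout string ("1h", "3m", "5s").
UNIT_SECONDS = {"h": 3600, "m": 60, "s": 1}

def timeout_to_seconds(value):
    """Convert "<number><unit>" (unit h, m or s) to seconds; ValueError otherwise."""
    match = re.fullmatch(r"(\d+)([hms])", value.strip())
    if match is None:
        raise ValueError(f"expected digits followed by h, m or s, got {value!r}")
    return int(match.group(1)) * UNIT_SECONDS[match.group(2)]

def describe_processes(value):
    """Explain a SCANCODEIO_PROCESSES value using the cases the page documents."""
    count = int(value)  # raises ValueError for non-integers such as "auto"
    if count == 0:
        return "multiprocessing disabled"
    if count == -1:
        return "multiprocessing and threading disabled"
    if count < -1:
        # Assumption: values below -1 are not described on the page, so flag them.
        raise ValueError(f"undocumented value {count}")
    return f"{count} parallel processes"

def read_env(text):
    """Parse KEY=VALUE lines from .env text, skipping blanks and # comments."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#"):
            settings[key.strip()] = value.strip().strip("'\"")
    return settings

def check_env(text, timeout_key):
    """Return {setting: interpretation or "INVALID: ..."} for the settings present."""
    checks = {"SCANCODEIO_PROCESSES": describe_processes, timeout_key: timeout_to_seconds}
    settings = read_env(text)
    report = {}
    for key, check in checks.items():
        if key in settings:
            try:
                report[key] = check(settings[key])
            except ValueError as exc:
                report[key] = f"INVALID: {exc}"
    return report

# Constructed sample; EXAMPLE_TIMEOUT is a placeholder key, not a real setting name.
SAMPLE_ENV = "# constructed\nSCANCODEIO_PROCESSES=-1\nEXAMPLE_TIMEOUT=90m\n"
print(check_env(SAMPLE_ENV, "EXAMPLE_TIMEOUT"))
```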
This setting defines any additional locations that ScanCode.io will search for pipelines. It is usually a comma-separated list of full paths to additional pipeline directories:
This setting defines the location of the policies file, or
A valid policies file is required to enable compliance-related features.
- license_key: mit
  label: Approved License
- license_key: mpl-2.0
  label: Restricted License
- license_key: gpl-3.0
  label: Prohibited License
Licenses are referenced by the
A Policy is defined with
compliance_alert accepts 3 values: ‘’ for an empty string, warning, and error.
When the policy feature is enabled, the
compliance_alert values are
displayed in the UI and returned in all downloadable results.
Check out the License Policies and Compliance Alerts tutorial for in-depth coverage of this feature.
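A policies file can be checked against the three compliance_alert values listed above before it is deployed. The following is an added example, not ScanCode.io's own validation: it works on policies already loaded by a YAML parser as a list of mappings, the sample entries and their alert values are constructed, and treating a missing compliance_alert as the empty string is an assumption.

```python
# Values the page lists for compliance_alert: empty string, warning, error.
ALLOWED_ALERTS = ("", "warning", "error")

def validate_policies(policies):
    """Return a list of problems found in a list of policy mappings."""
    problems = []
    seen = set()
    for index, policy in enumerate(policies):
        where = f"entry {index}"
        key = policy.get("license_key")
        if not isinstance(key, str) or not key:
            problems.append(f"{where}: missing license_key")
        elif key in seen:
            # Two entries for one license leave the intended alert ambiguous.
            problems.append(f"{where}: duplicate license_key {key!r}")
        else:
            seen.add(key)
        if not policy.get("label"):
            problems.append(f"{where}: missing label")
        # Assumption: an absent compliance_alert is treated as the empty string.
        alert = policy.get("compliance_alert", "")
        if alert not in ALLOWED_ALERTS:
            problems.append(
                f"{where}: compliance_alert {alert!r} is not '', warning or error"
            )
    return problems

# Constructed sample. A bare "compliance_alert:" line in YAML loads as None,
# and "Error" differs from "error" by case; both are reported.
SAMPLE_POLICIES = [
    {"license_key": "mit", "label": "Approved License", "compliance_alert": ""},
    {"license_key": "mpl-2.0", "label": "Restricted License", "compliance_alert": "warning"},
    {"license_key": "gpl-3.0", "label": "Prohibited License", "compliance_alert": "Error"},
    {"license_key": "mit", "label": "Approved License", "compliance_alert": None},
]

for problem in validate_policies(SAMPLE_POLICIES):
    print(problem)
```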
The number of objects displayed per page for each object type can be customized with the following setting:
A numeric value indicating the number of objects returned per page in the REST API:
Using a large page size may have an impact on performance.
By default, only a minimum of logging messages is displayed in the console, mostly to provide some progress about pipeline run execution.
The DEBUG value can be provided to this setting to see all ScanCode.io debug
messages, for example to help track down configuration issues.
This mode can be enabled globally through the
Or, in the context of running a scanpipe command:
$ SCANCODEIO_LOG_LEVEL=DEBUG bin/scanpipe [command]
The web server can be started in DEBUG mode with:
$ SCANCODEIO_LOG_LEVEL=DEBUG make run
A string representing the time zone for the current ScanCode.io installation. By
UTC time zone is used:
You can view a detailed list of time zones here.
External services (integrations)
A public instance of PurlDB is accessible at https://public.purldb.io/.
Alternatively, you can deploy your own instance of PurlDB by following the instructions provided in the documentation at https://purldb.readthedocs.io/.
To configure your local environment, set the
PURLDB_URL in your
While using the public PurlDB instance, providing an API key is optional.
However, if authentication is enabled on your PurlDB instance, you can provide the
API key using
To configure your local environment, set the
VULNERABLECODE_URL in your
When using the public VulnerableCode instance, providing an API key is optional.
However, if authentication is enabled on your VulnerableCode instance,
you can provide the API key using