FAQs
Can’t find what you’re looking for? Below are answers to a few of our frequently asked questions.
How can I run a scan?
Start by creating a new project, then run the appropriate pipeline.
ScanCode.io offers several Built-in Pipelines depending on your input; see above.
Which pipeline should I use?
Selecting the right pipeline for your needs depends primarily on the type of input data you have available. Here are some general guidelines based on different input scenarios:
If you have a Docker image as input, use the docker pipeline.
For a full codebase compressed as an archive, choose the scan_codebase pipeline.
If you have a single package archive, opt for the scan_package pipeline.
When dealing with a Linux root filesystem (rootfs), the root_filesystems pipeline is the appropriate choice.
For processing the results of a ScanCode-toolkit scan or ScanCode.io scan, use the load_inventory pipeline.
When you have manifest files, such as a CycloneDX BOM, SPDX document, lockfile, etc., use the inspect_manifest pipeline.
For scenarios involving both a development and deployment codebase, consider using the deploy_to_develop pipeline.
These pipelines will automatically execute the necessary steps to scan and create the packages, dependencies, and resources for your project based on the input data provided.
After running one of the above pipelines, you may further enhance your project data by running some of the following additional pipelines:
If you wish to find vulnerabilities for packages and dependencies, you can use the find_vulnerabilities pipeline. Note that setting up VulnerableCode is required for this pipeline to function properly.
To populate the PurlDB with your project's discovered packages, use the populate_purldb pipeline. Please ensure that you have set up PurlDB before running this pipeline.
What is the difference between scan_codebase and scan_package pipelines?
The key difference is that the scan_package pipeline treats the input as if it were a single package, such as a package archive, and computes a License clarity and a Scan summary to aggregate the package scan data.
In contrast, the scan_codebase pipeline is more of a general-purpose pipeline and makes no such single-package assumption. It does not compute such a summary.
You can also have a look at the different steps for each pipeline from the Built-in Pipelines documentation.
Can I run multiple pipelines in parallel?
Yes, you can run multiple pipelines in parallel by starting your Docker containers with the desired number of workers using the following command:
docker compose up --scale worker=2
Note: You can also add extra workers by running the command while the ScanCode.io services are already running. For example, to add 2 extra workers to the 2 currently running ones, use the following command:
sudo docker compose up --scale worker=4
Can I pause/resume a running pipeline?
You can stop/terminate a running pipeline, but it will not be possible to resume it. As a workaround, if you run ScanCode.io on a desktop or laptop, you can pause/unpause the running Docker containers with:
docker compose pause # to pause/suspend
docker compose unpause # to unpause/resume
What tools does ScanCode.io use to analyze Docker images?
The following tools and libraries are used during the Docker image analysis pipeline:
container-inspector and debian-inspector for handling containers and distros.
fetchcode-container to download containers and images.
scancode-toolkit for application package scans and system package scans.
extractcode for universal and reliable archive extraction.
Specific handling of Windows containers is done in scancode-toolkit to process the Windows registry.
Secondary libraries and plugins from scancode-plugins.
The pipeline documentation is available at Docker Image Analysis and its source code at docker.py. The code is intended to be simple and readable.
Am I able to run ScanCode.io on Windows?
Yes, you can use the Run with Docker installation. However, please be sure to carefully read the warnings, as running on Windows may have certain limitations or challenges.
Is it possible to compare scan results?
At the moment, you can only download full reports in JSON and XLSX formats. Please refer to our Output Files section for more details on the output formats.
How can I trigger a pipeline scan from a CI/CD system, such as Jenkins, TeamCity or Azure DevOps?
You can use the REST API to automate your project or pipeline management.
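As an added example (not code from the ScanCode.io project), a CI step could create a project over the REST API, start a pipeline, and turn the run statuses into a pass/fail result. The endpoint path, the JSON field names (`input_urls`, `pipeline`, `execute_now`, `runs`, `status`, `uuid`), the `Token` authorization scheme and the status values are assumptions about the REST API to verify against your instance; `API_URL` and all function names are hypothetical.

```python
import json
import time
import urllib.request

# Assumptions: endpoint path, JSON field names and run status values as described
# in the lead-in; API_URL points at an assumed local installation.
API_URL = "http://localhost/api/projects/"
FAILED_STATES = {"failure", "stopped", "stale"}


def headers(api_key=None):
    h = {"Content-Type": "application/json"}
    if api_key:  # only needed when API authentication is enabled
        h["Authorization"] = f"Token {api_key}"
    return h


def build_request(name, input_url, pipeline, api_key=None):
    """POST that creates a project and starts the pipeline immediately."""
    body = {"name": name, "input_urls": input_url,
            "pipeline": pipeline, "execute_now": True}
    return urllib.request.Request(API_URL, data=json.dumps(body).encode(),
                                  headers=headers(api_key), method="POST")


def verdict(project):
    """Map a project JSON document to 'pending', 'passed' or 'failed'."""
    statuses = [run.get("status") for run in project.get("runs", [])]
    if not statuses or any(s in FAILED_STATES for s in statuses):
        return "failed"  # fail closed: no run means nothing was scanned
    return "passed" if all(s == "success" for s in statuses) else "pending"


def fetch(request):
    with urllib.request.urlopen(request, timeout=30) as response:
        return json.load(response)


def run_scan(name, input_url, pipeline, api_key=None, poll=10, timeout=3600):
    """Create the project, poll until its runs finish, return the verdict."""
    project = fetch(build_request(name, input_url, pipeline, api_key))
    detail = urllib.request.Request(f"{API_URL}{project['uuid']}/",
                                    headers=headers(api_key))
    deadline = time.monotonic() + timeout
    while verdict(project) == "pending" and time.monotonic() < deadline:
        time.sleep(poll)
        project = fetch(detail)
    return verdict(project)
```

In the CI job, exit non-zero unless `run_scan(...)` returns `"passed"` (a timeout leaves it at `"pending"`), and supply the API key from the CI system's secret store rather than the job definition.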