TRUSCA — Enterprise OSS Risk Management

One portal, three jobs

Engineering blocks bad builds. Legal closes license risk. Security runs CVE triage. All in one self-hosted UI — no per-seat licensing.

For engineering

Block risky builds in CI

A composite GitHub Action, a GitLab CI template, and a worked Jenkinsfile. Critical CVEs and forbidden licenses fail the build (`exit 1`); PR / MR comments post automatically with a per-finding breakdown.

Learn more →

For legal & compliance

Run license compliance at scale

Allowed / conditional / forbidden classification, declared licenses from cdxgen plus detected first-party licenses from scancode, an approval workflow for conditional components, obligation tracking, and auto-generated NOTICE files.

Learn more →

For security

Triage vulnerabilities the way SOCs work

Trivy-backed detection across NVD + OSV + GitHub Advisory + EPSS + KEV. 7-state CycloneDX VEX triage, EPSS prioritization (column, sort, filter, policy gate), per-finding fix versions, an append-only audit log, and an automatic re-match beat that picks up new CVEs without a manual rescan.

Learn more →

See it in action

A compact, information-dense UI built for engineering, legal, and security teams — risk-first, with detail drawers and inline filters throughout.

Project portfolio list with per-project scan status and inline search, filter, and sort. — Portfolio view — every project, scan status, and risk at a glance.

Vulnerability list showing CVE IDs, severity badges, CVSS, and VEX status workflow. — Vulnerabilities — severity-ranked CVEs with a VEX status workflow.

SBOM tab with download buttons for CycloneDX JSON, CycloneDX XML, SPDX JSON, and SPDX Tag-Value. — SBOM export — CycloneDX and SPDX, ready to download.