TRUSCA

TRUSCA — the SCA tool of the TrustedOSS initiative — is a self-hosted, Apache-2.0 Software Composition Analysis (SCA) platform. It unifies CVE tracking, license compliance, and SBOM management in a single web UI — without the per-seat licensing of commercial products.

Where to start

  • Try it in 5 minutes: Quickstart — one command, preloaded with a realistic demo dataset.
  • Install on your own host: Docker Compose or the Helm chart.
  • See how it compares: Comparison — versus commercial SCA, Dependency-Track, and SW360.

What it does

| Capability | Detail |
|---|---|
| Component detection | cdxgen discovers packages across 30+ language ecosystems (npm, Maven, PyPI, Go, Cargo, NuGet, RubyGems, …). |
| License classification | Allowed / conditional / forbidden tiers, with auto-generated NOTICE files. Forbidden licenses block the build. |
| Vulnerability detection | Trivy matches components against NVD + OSV + GitHub Advisory + EPSS + KEV via a local DB. New CVEs are picked up automatically on the weekly DB refresh. |
| Container scanning | Trivy detects OS-package CVEs in container images. |
| SBOM export | CycloneDX (JSON / XML) and SPDX (JSON / Tag-Value), byte-stable. |
| CI/CD integration | GitHub Action, GitLab CI template, Jenkinsfile example, REST API + API keys. Build gate exits 1 on Critical CVE or forbidden license. |
| Workflow | Component approval, append-only audit log, notifications via email / Slack / Teams. |
| Bilingual | English and Korean — UI, error messages, and this documentation site. |
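
To make the build-gate rule concrete, here is an added, illustrative gate in Python that is not TRUSCA's own code: it reads a CycloneDX JSON SBOM (the format listed above for export, with its optional `vulnerabilities` array), classifies each component's license into the allowed / conditional / forbidden tiers using a constructed policy table, and returns exit status 1 when any forbidden license or Critical-severity vulnerability is present, while conditional and unknown licenses are only listed for review. The policy table, the sample SBOM and the `CVE-0000-…` ids are constructed for this example; TRUSCA's real gate, tier configuration and data shapes may differ.

```python
# Illustrative SCA build gate over a CycloneDX JSON SBOM (example code, not TRUSCA's).
# Policy: a forbidden license or a Critical CVE fails the build (exit 1); conditional
# and unknown licenses are listed for review only.
import json
import sys

# Constructed policy table for this example; the SPDX ids chosen are illustrative, not advice.
LICENSE_TIERS = {
    "MIT": "allowed", "Apache-2.0": "allowed", "BSD-3-Clause": "allowed",
    "MPL-2.0": "conditional", "LGPL-2.1-only": "conditional",
    "GPL-3.0-only": "forbidden", "AGPL-3.0-only": "forbidden",
}
TIER_RANK = {"allowed": 0, "conditional": 1, "forbidden": 2}
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def license_tier(spdx_id):
    # Unknown ids fall to 'conditional' so a missing policy entry never silently passes.
    return LICENSE_TIERS.get(spdx_id, "conditional")


def expression_tier(expression):
    """Tier of an SPDX expression such as 'MIT OR GPL-3.0-only'.
    A flat OR lets the consumer pick the most permissive alternative, so the best tier
    applies; AND, mixed operators or parentheses take the worst tier (conservative, this
    is not a full SPDX parser). The token after WITH is an exception name and is skipped."""
    tokens = expression.replace("(", " ").replace(")", " ").split()
    ops, ids, skip = set(), [], False
    for tok in tokens:
        if skip:
            skip = False
        elif tok.upper() == "WITH":
            skip = True
        elif tok.upper() in ("AND", "OR"):
            ops.add(tok.upper())
        else:
            ids.append(tok)
    tiers = [license_tier(i) for i in ids] or ["conditional"]
    pick = min if (ops == {"OR"} and "(" not in expression) else max
    return pick(tiers, key=TIER_RANK.__getitem__)


def component_license_tiers(component):
    """(license text, tier) pairs for one CycloneDX component; no license data -> UNKNOWN."""
    pairs = []
    for entry in component.get("licenses", []):
        if "license" in entry:
            lic = entry["license"].get("id") or entry["license"].get("name") or "UNKNOWN"
            pairs.append((lic, license_tier(lic)))
        elif "expression" in entry:
            pairs.append((entry["expression"], expression_tier(entry["expression"])))
    return pairs or [("UNKNOWN", "conditional")]


def highest_severity(vuln):
    """Worst severity across a vulnerability's ratings (several sources may rate one CVE)."""
    sevs = [str(r.get("severity") or "unknown").lower() for r in vuln.get("ratings", [])]
    return max(sevs, key=lambda s: SEVERITY_RANK.get(s, 0), default="unknown")


def evaluate_sbom(sbom):
    """Gate decision plus the findings that drove it."""
    result = {"forbidden": [], "review": [], "critical": [], "exit_code": 0}
    for comp in sbom.get("components", []):
        ref = comp.get("bom-ref") or comp.get("purl") or comp.get("name")
        for lic, tier in component_license_tiers(comp):
            if tier == "forbidden":
                result["forbidden"].append((ref, lic))
            elif tier == "conditional":
                result["review"].append((ref, lic))
    for vuln in sbom.get("vulnerabilities", []):
        if highest_severity(vuln) == "critical":
            affected = [a.get("ref") for a in vuln.get("affects", [])]
            result["critical"].append((vuln.get("id"), affected))
    if result["forbidden"] or result["critical"]:
        result["exit_code"] = 1
    return result


# Constructed sample SBOM in CycloneDX 1.5 JSON shape; the CVE ids are placeholders, not real advisories.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"bom-ref": "pkg:npm/left-pad@1.3.0", "name": "left-pad", "licenses": [{"license": {"id": "MIT"}}]},
        {"bom-ref": "pkg:maven/org.example/core@2.0.0", "name": "core", "licenses": [{"expression": "MIT OR GPL-3.0-only"}]},
        {"bom-ref": "pkg:maven/org.example/libglue@1.0.0", "name": "libglue", "licenses": [{"expression": "LGPL-2.1-only AND MIT"}]},
        {"bom-ref": "pkg:pypi/sample-agpl@0.1", "name": "sample-agpl", "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},
        {"bom-ref": "pkg:cargo/nolicense@0.0.1", "name": "nolicense"},
    ],
    "vulnerabilities": [
        {"id": "CVE-0000-00001", "affects": [{"ref": "pkg:npm/left-pad@1.3.0"}],
         "ratings": [{"severity": "high", "method": "CVSSv31"}, {"severity": "critical", "method": "CVSSv31"}]},
        {"id": "CVE-0000-00002", "affects": [{"ref": "pkg:maven/org.example/core@2.0.0"}],
         "ratings": [{"severity": "medium", "method": "CVSSv31"}]},
    ],
}


def main(argv):
    # Usage: python gate.py [sbom.cdx.json]; with no argument the constructed sample is evaluated.
    if len(argv) > 1:
        with open(argv[1]) as fh:
            sbom = json.load(fh)
    else:
        sbom = SAMPLE_SBOM
    result = evaluate_sbom(sbom)
    print(json.dumps(result, indent=2))
    return result["exit_code"]


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run against the sample, the gate fails (exit 1) on the AGPL-3.0-only component and the Critical rating of the first placeholder CVE, lists the unlicensed Cargo package and the `LGPL-2.1-only AND MIT` expression for review, and lets `MIT OR GPL-3.0-only` through because the consumer may choose the MIT alternative. Treating unknown licenses as conditional rather than allowed is the choice a defender wants here: a scanner that cannot identify a license should make someone look, not wave the component through.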

What it is not

  • Not a SAST scanner. No source-code analysis for your own code — the portal focuses on third-party components.
  • Not a vulnerability database. It consumes feeds (NVD, OSV, GHSA, EPSS, KEV) via Trivy but does not curate them.
  • Not a hosted service by default. Ships as docker-compose or a Helm chart you run yourself. A read-only live demo is available.

Project