Scanning Open Source Software Repositories
This feature is available only to team members with the Admin or Member role.
Manifest offers the ability to scan and evaluate the risk of open-source software hosted on GitHub. To utilize this feature:
- Go to the Uploads page.
- Click the "Import OSS" button in the top right.
- Enter the GitHub URL of the open-source application you would like to scan and evaluate. By default, Manifest will import the latest version of the open source application.
- To import a specific version instead, open the repository on GitHub and go to its Releases section, linked in the right-hand sidebar and under the "Code" tab (https://github.com/owner/repo/releases). Copy the version you want to import exactly as it appears in the release, return to Manifest, and paste it into the Version field.
- Choose whether to import the library as an active or inactive asset.
- Click the "Import" button.
- Go to the Uploads page and click the Open Source Ingests tab.
- Once the ingest completes, click the name of the imported asset. This takes you to the Asset view for the open-source repository you selected from GitHub.
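The two inputs in the steps above, the repository URL and the optional version, are the places where a copy-paste slip silently imports the wrong thing (a fork, a release page instead of the repository, a branch name in the Version field). The helper below is an added example, not part of Manifest or its documentation, and it does not call any Manifest or GitHub API. It normalizes whatever GitHub URL a user pasted into the canonical repository URL for the Import OSS field and, when the pasted URL was a release page, pulls the tag out for the Version field; leaving the version empty corresponds to the default "latest" import described above. The owner, repository and tag patterns are assumptions that approximate GitHub naming and git ref rules, not Manifest's own validation.

```python
import re
from urllib.parse import unquote, urlparse

# Hypothetical sanity patterns for the values pasted into Manifest's URL and
# Version fields. They approximate GitHub's owner/repo naming rules and a subset
# of git's ref rules, enough to catch copy-paste mistakes, not a full validator.
OWNER_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")
REPO_RE = re.compile(r"^[A-Za-z0-9._-]+$")
TAG_RE = re.compile(r"^[^\s~^:?*\[\\]+$")   # rejects characters git refuses in tag names


def parse_github_input(url: str) -> dict:
    """Normalize a pasted GitHub URL into the values the Import OSS form asks for.

    Returns a dict with "repo_url" (what goes in the URL field), "owner", "repo",
    "releases_url" (where to look up tags) and "version" (the release tag when the
    pasted URL was a release page, otherwise None, meaning "import latest").
    Raises ValueError for anything that is not a github.com repository URL.
    """
    parsed = urlparse(url.strip())
    if parsed.scheme not in ("http", "https"):
        raise ValueError(f"not an http(s) URL: {url!r}")
    host = parsed.netloc.lower()
    if host not in ("github.com", "www.github.com"):
        raise ValueError(f"not a github.com URL: {url!r}")

    # Split before unquoting so a percent-encoded "/" inside a tag cannot add a segment.
    parts = [unquote(p) for p in parsed.path.split("/") if p]
    if len(parts) < 2:
        raise ValueError(f"URL does not name an owner and repository: {url!r}")
    owner, repo = parts[0], parts[1]
    if repo.endswith(".git"):                 # clone URLs are often pasted verbatim
        repo = repo[:-4]
    if not OWNER_RE.match(owner) or not REPO_RE.match(repo):
        raise ValueError(f"unexpected owner/repo characters in {url!r}")

    version = None
    rest = parts[2:]
    if len(rest) >= 3 and rest[0] == "releases" and rest[1] == "tag":
        # Tag names may themselves contain "/", e.g. release/1.0, so rejoin the tail.
        version = "/".join(rest[2:])
        if not TAG_RE.match(version):
            raise ValueError(f"release tag contains characters git rejects: {version!r}")

    repo_url = f"https://github.com/{owner}/{repo}"
    return {
        "repo_url": repo_url,
        "owner": owner,
        "repo": repo,
        "releases_url": f"{repo_url}/releases",
        "version": version,
    }


def is_github_repo_url(url: str) -> bool:
    """True if parse_github_input() accepts the URL, False if it raises."""
    try:
        parse_github_input(url)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs, not real repositories.
    for sample in (
        "https://github.com/owner/repo",
        "https://github.com/owner/repo.git/",
        "https://github.com/owner/repo/releases/tag/v1.2.3",
        "https://github.com/owner/repo/releases/tag/v1.2.3%2Bbuild.7",
        "https://github.com/owner/repo/releases/tag/release/1.0",
    ):
        info = parse_github_input(sample)
        print(f"URL field: {info['repo_url']}   Version field: {info['version'] or '(latest)'}")
```

A `tree/<ref>` URL is deliberately not treated as a version: that segment may be a branch name, and a branch is not a release. The caller should pick the tag from the releases URL instead, as the steps above describe.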
In addition to the Asset information shown throughout the rest of the platform, the About tab shows additional information about the repository you ingested: the top project contributors and their broader contribution history, their location (if available), ClamAV virus scan results, and the project's OpenSSF security score.
