Scanning Open Source Software Repositories

This feature is available only to team members with the Admin or Member role.

Manifest can scan and evaluate the risk of open-source software hosted on GitHub. To use this feature:

  1. Go to the Uploads page.
  2. Click the "Import OSS" button in the top right.
  3. Enter the GitHub URL of the open-source repository you want to scan and evaluate. By default, Manifest imports the latest version of the repository; to pin a specific release, type the exact version into the version field. You can also choose whether to import the repository as an active or inactive asset.
  4. Click the "Import" button.
  5. Return to the Uploads page and open the Open Source Ingests tab to track the import.
  6. Once the ingest completes, click the name of the imported asset to open the Asset view for the GitHub repository you selected.

In addition to the standard Asset information shown throughout the platform, the About tab shows details specific to the ingested repository: the top project contributors, their broader contribution history, their location (if available), ClamAV virus-scan results, and the repository's OpenSSF security score.
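The OpenSSF score shown on the About tab is a single aggregate, and the checks behind it matter more for a risk decision than the number itself. The following is an added example, not Manifest's code or any API of the product: it assumes the OpenSSF security score is an OpenSSF Scorecard result, normalises a GitHub URL of the kind entered in step 3 to the `github.com/<owner>/<repo>` key Scorecard uses, and triages a Scorecard JSON document (the shape emitted by `scorecard --format json`) into passing, failing and inconclusive checks. The sample document, the repository name in it and the list of "high-risk" checks are constructed for this example.

```python
"""Triage an OpenSSF Scorecard result for a GitHub repository.

Added example; not Manifest's code. Assumes the About tab's OpenSSF security
score is an OpenSSF Scorecard result. SAMPLE_RESULT is constructed, not real output.
"""
import json
from urllib.parse import urlparse

# Checks whose failure most directly raises supply-chain risk for a consumer of
# the project. This selection is an assumption made for the example, not a
# Scorecard or Manifest policy.
HIGH_RISK_CHECKS = {
    "Dangerous-Workflow",
    "Binary-Artifacts",
    "Token-Permissions",
    "Pinned-Dependencies",
    "Vulnerabilities",
    "Maintained",
    "Branch-Protection",
    "Code-Review",
}

# Constructed sample in the Scorecard JSON shape (repo name is fictional).
SAMPLE_RESULT = json.dumps({
    "date": "2024-05-01",
    "repo": {"name": "github.com/example-org/example-lib", "commit": "0123abcd"},
    "scorecard": {"version": "v4.13.1", "commit": "deadbeef"},
    "score": 5.9,
    "checks": [
        {"name": "Maintained", "score": 10, "reason": "30 commit(s) and 12 issue activity found in the last 90 days"},
        {"name": "Vulnerabilities", "score": 8, "reason": "2 existing vulnerabilities detected"},
        {"name": "Dangerous-Workflow", "score": 0, "reason": "dangerous workflow patterns detected"},
        {"name": "Binary-Artifacts", "score": 10, "reason": "no binaries found in the repo"},
        {"name": "Pinned-Dependencies", "score": 3, "reason": "dependency not pinned by hash detected"},
        {"name": "Branch-Protection", "score": -1, "reason": "internal error: branch protection could not be evaluated"},
        {"name": "Fuzzing", "score": 0, "reason": "project is not fuzzed"},
    ],
})


def github_url_to_project(url: str) -> str:
    """Normalise a GitHub repository URL to the `github.com/<owner>/<repo>` key.

    Accepts the forms a user might paste (trailing `.git`, `/tree/<ref>` paths)
    and rejects anything that is not on github.com.
    """
    parsed = urlparse(url.strip())
    if parsed.netloc.lower() not in ("github.com", "www.github.com"):
        raise ValueError(f"not a github.com URL: {url}")
    parts = [p for p in parsed.path.split("/") if p]
    if len(parts) < 2:
        raise ValueError(f"URL does not name owner/repo: {url}")
    owner, repo = parts[0], parts[1]
    if repo.endswith(".git"):
        repo = repo[:-4]
    return f"github.com/{owner}/{repo}"


def parse_scorecard(doc: str) -> dict:
    """Parse a Scorecard JSON document into the repo key, aggregate and per-check scores.

    Scorecard reports -1 when a check could not be evaluated; that is
    "unknown", not "passed", and is kept distinct from a genuine 0.
    """
    data = json.loads(doc)
    checks = {c["name"]: (int(c["score"]), c.get("reason", "")) for c in data.get("checks", [])}
    return {"repo": data["repo"]["name"], "score": float(data["score"]), "checks": checks}


def triage(result: dict, threshold: int = 5) -> dict:
    """Bucket checks relative to `threshold` and decide whether the import is acceptable.

    Only HIGH_RISK_CHECKS count as blocking, so a low Fuzzing score lowers the
    aggregate but does not by itself block acceptance. Inconclusive checks are
    surfaced for manual review rather than silently treated as passes.
    """
    failing, inconclusive, blocking = [], [], []
    for name, (score, _reason) in result["checks"].items():
        if score < 0:
            inconclusive.append(name)
        elif score < threshold:
            failing.append(name)
            if name in HIGH_RISK_CHECKS:
                blocking.append(name)
    return {
        "repo": result["repo"],
        "aggregate": result["score"],
        "failing": sorted(failing),
        "inconclusive": sorted(inconclusive),
        "blocking": sorted(blocking),
        "accept": not blocking,
    }


def report(doc: str, threshold: int = 5) -> str:
    """Render a one-screen summary of the triage for one Scorecard document."""
    t = triage(parse_scorecard(doc), threshold)
    lines = [f"{t['repo']}: aggregate {t['aggregate']:.1f}/10, accept={t['accept']}"]
    lines.append(f"  blocking (high-risk below {threshold}): {', '.join(t['blocking']) or 'none'}")
    lines.append(f"  other failing: {', '.join(n for n in t['failing'] if n not in t['blocking']) or 'none'}")
    lines.append(f"  inconclusive (review manually): {', '.join(t['inconclusive']) or 'none'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(github_url_to_project("https://github.com/example-org/example-lib.git"))
    print(report(SAMPLE_RESULT))
```

The aggregate of 5.9 in the sample looks middling, but the triage shows why it should not be imported as-is: a failed Dangerous-Workflow check (a CI pipeline that can be hijacked from untrusted input) and unpinned dependencies, plus a Branch-Protection check that could not be evaluated at all. That is the kind of reading the About tab's score deserves before an asset is marked active.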