Scanning Open Source Software Repositories
This ability is limited to team members with Admin and/or Member roles.
Manifest offers the ability to scan and evaluate the risk of open-source software hosted on GitHub or GitLab. To utilize this feature:
- Go to the Uploads page.
- Click the "Import OSS" button in the top right.
- Paste the GitHub or GitLab URL of the open-source application you would like to scan and evaluate.
- By default, Manifest imports the latest version. To import a specific version instead, click "specific version" and enter the version tag:
  - For GitHub, open the GitHub link and go to the "Releases" section in the right-hand sidebar or under the "Code" tab (https://github.com/owner/repo/releases). Copy the version you want to import.
  - For GitLab, go to the project page and click the dropdown showing the branch/tag name (e.g. main, master). Scroll through the list to find the version you want to import. Copy the version name, return to Manifest, and paste it into the field.
- Choose whether you want to import the library as an active or inactive asset.
- Click the "Import" button.
- You will automatically be redirected to the Open Source Ingests tab on the Uploads page, where the import progress is shown.
- Once complete, click the name of the imported asset. This will take you to the Asset view for the open-source repository you scanned.
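Before pasting a link into the import dialog, it helps to confirm that it really points at a GitHub or GitLab project and to pull out any version tag that was copied along with it (people often copy the releases page or a tag page rather than the repository root). The following helper is an added example, not part of Manifest's documentation or product code; the URLs in it are constructed samples, and the version-tag pattern is an assumption about common tag formats rather than anything Manifest enforces.

```python
# Added example (not Manifest's own code): normalise a GitHub/GitLab repository
# link and detect an embedded version tag before using "Import OSS".
# All URLs used here are constructed samples.
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Assumed tag shape: v1.2.3, 1.2.3-rc1, 2024.01.05 and similar release-style tags.
VERSION_RE = re.compile(r"^v?\d+(\.\d+)*([-.+][0-9A-Za-z.]+)?$")


@dataclass(frozen=True)
class RepoRef:
    host: str               # "github.com" or "gitlab.com"
    project: str            # "owner/repo"; GitLab may nest groups: "group/sub/repo"
    version: Optional[str]  # tag found in the URL, or None to import the latest


def parse_repo_url(url: str) -> RepoRef:
    """Return host, project path and any version tag embedded in the link.

    Accepts plain repository links, links ending in .git, and links into the
    releases/tags/tree pages. Raises ValueError for anything else.
    """
    parts = urlparse(url.strip())
    if parts.scheme != "https":
        raise ValueError("only https:// repository links are accepted")
    host = parts.netloc.lower()
    if host not in ("github.com", "gitlab.com"):
        raise ValueError(f"unsupported host: {host}")
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) < 2:
        raise ValueError("URL must contain at least owner/repo")

    version = None
    if host == "github.com":
        project_segs, rest = segments[:2], segments[2:]
        if rest[:2] == ["releases", "tag"] and len(rest) == 3:
            version = rest[2]            # .../releases/tag/v1.2.3
        elif rest[:1] == ["tree"] and len(rest) == 2:
            version = rest[1]            # .../tree/v1.2.3
        elif rest and rest != ["releases"]:
            raise ValueError(f"unrecognised GitHub path: /{'/'.join(rest)}")
    else:
        # GitLab separates the project path from sub-pages with a "/-/" segment.
        if "-" in segments:
            dash = segments.index("-")
            project_segs, rest = segments[:dash], segments[dash + 1:]
            if rest[:1] in (["tags"], ["tree"]) and len(rest) == 2:
                version = rest[1]        # .../-/tags/v2.0.0 or .../-/tree/v2.0.0
            elif rest != ["tags"]:
                raise ValueError(f"unrecognised GitLab path: /-/{'/'.join(rest)}")
        else:
            project_segs = segments
        if len(project_segs) < 2:
            raise ValueError("GitLab URL must contain at least group/repo")

    project = "/".join(project_segs)
    if project.endswith(".git"):
        project = project[:-4]
    return RepoRef(host=host, project=project, version=version)


def looks_like_version(tag: str) -> bool:
    """True when a copied string looks like a release tag rather than a branch name."""
    return bool(VERSION_RE.match(tag.strip()))


if __name__ == "__main__":
    for sample in (
        "https://github.com/owner/repo/releases/tag/v1.2.3",   # constructed
        "https://gitlab.com/group/sub/repo/-/tags/v2.0.0",     # constructed
        "https://github.com/owner/repo.git",                   # constructed
    ):
        ref = parse_repo_url(sample)
        print(ref, "tag-like" if ref.version and looks_like_version(ref.version) else "latest")
```

Run it once on the link you intend to paste: `project` is what goes into the URL field, and `version`, when present and tag-like, is what goes into the "specific version" field. A branch name such as `main` is deliberately reported as not tag-like, since the import dialog expects a version.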
Assets imported via the "Import OSS" functionality include key information such as the top project contributors, their contribution history, their location (if available), virus scan results from ClamAV, and the OpenSSF security score.