Snippet Scanning

Overview

Snippet Scanning allows FOSSA to identify where sections of your first-party source code may have originated from open source projects — and what license obligations that may create. Rather than only analyzing declared package dependencies, Snippet Detection examines the actual contents of your code files to find matches against a database of open source code.

This is useful when:

  • Your codebase includes code that was copied or adapted from open source libraries without being declared as a dependency.
  • You want to ensure license compliance covers code that was inlined, vendored, or manually incorporated.
  • You need a more complete picture of the open source components present in your software.

Availability: Snippet Detection is a paid feature. Contact your FOSSA account team to enable it for your organization.


How It Works

When you run a snippet scan, FOSSA:

  1. Fingerprints your source files — The FOSSA CLI analyzes the files in your project and generates fingerprints for each one.
  2. Matches against an open source code index — Fingerprints are compared against a database of known open source code to identify potential matches.
  3. Resolves matched packages — FOSSA identifies the open source packages associated with the matched code snippets and builds them, so that license and issue data is available for them.
  4. Surfaces results in the UI — Snippet matches appear in the Snippets tab of your project inventory, alongside their associated license and issue information.

Running a Snippet Scan

Snippet scanning is initiated via the FOSSA CLI using the --snippet-scan flag:

fossa analyze --snippet-scan

This flag instructs the CLI to fingerprint your project's files and submit snippet analysis results alongside the standard dependency analysis.

Note: If a snippet scan was not run, the Snippets tab in FOSSA will show a "Snippet analysis has not been run on this revision" message.


Viewing Snippets

Navigate to your project in FOSSA and select Inventory → Snippets from the project sub-navigation.

The Snippets page displays all snippet matches found in the current revision, organized in a two-panel layout:

  • Left panel — File tree: Browse your project's directory structure. Click a folder to filter the snippet list to files within that path.
  • Right panel — Snippet table: Displays each detected snippet with its matched open source package, version, number of matches, and any associated license or security issue counts.

Snippet Table Columns

Column    Description
Package   The name and version of the open source package the snippet was matched to.
Matches   The number of files in your project where this snippet was detected.
Licenses  Licenses associated with the matched open source package.
Issues    Any license or security issues associated with the matched package (when issue scanning is enabled).

Grouping

Use the Group by dropdown to switch between two views:

  • Ungrouped — Each snippet match is listed individually.
  • By Package — Snippet matches are grouped by the open source package they were matched to, making it easier to review all matches for a given dependency at once.

Snippet Details

Click any row in the snippet table to open the Snippet Details drawer. The drawer has three tabs:

Details Tab

Provides an overview of the snippet match, including:

  • The matched open source package name, version, and ecosystem.
  • The number of matches found in the current revision.
  • License information for the matched package.
  • Any associated license or security issues (if issue scanning is enabled for snippets).

Compare Code Tab

Shows a side-by-side comparison of your source code and the matched open source code for each individual file where the snippet was detected. Use the match list on the left to navigate between individual file matches.

From this tab, you can reject or stop rejecting individual file matches (see Managing Rejections).

Labels Tab

Displays any package labels that have been applied to the matched open source package. Labels are only available when the snippet has been successfully resolved to a known FOSSA package.


Filtering and Searching

The Snippets page provides several ways to narrow your results:

Search

Type in the search bar to filter snippets by package name.

Rejection Status

Filter snippets by their rejection status:

  • Active — Snippets that have not been rejected.
  • Rejected — Snippets that have been marked as rejected.

Package Labels

Filter snippets by the labels applied to their matched packages (e.g., "Testing only", "Internal use only").


Managing Rejections

Rejecting a snippet tells FOSSA to exclude it from issue scanning and compliance reporting. This is appropriate when a match is a false positive, or when you've determined that the snippet doesn't carry license obligations for your use case.

Rejecting Snippets

  1. Select one or more snippets using the checkboxes in the snippet table (or select all using the header checkbox).
  2. Click the Actions dropdown and choose Reject matches.

To reject a single file-level match (rather than all matches for a snippet):

  1. Open the snippet's details drawer.
  2. Navigate to the Compare Code tab.
  3. Select the specific file match you want to reject.
  4. Click Reject.

Note: Rejections apply at the project level — they are not scoped to a specific revision. A rejection created for one revision of a project will apply to all other revisions of the same project.

Stopping Rejections

To restore a snippet or match that was previously rejected:

  1. Filter by Rejected status to find the snippet.
  2. Select the snippet(s) and choose Stop rejecting from the Actions dropdown.

To unreject a specific file-level match:

  1. Open the snippet's details drawer.
  2. Navigate to the Compare Code tab.
  3. Select the rejected file match (indicated by a banner).
  4. Click Stop Rejecting.

Comparing Snippets Between Revisions

FOSSA can compare snippet results between two revisions of the same project, allowing you to see which snippets are new, which have been removed, and which remain unchanged.

To start a comparison:

  1. Navigate to Inventory → Snippets for a project.
  2. Click the Compare button in the top-right of the Snippets page.
  3. Select the older revision you want to compare against.

The comparison view organizes snippets into three categories in a side navigation:

Category   Description
New        Snippets present in the current revision but not in the older revision.
Removed    Snippets present in the older revision but not in the current one.
Unchanged  Snippets present in both revisions.

Each category shows a count badge. All filtering, searching, and rejection functionality is available within the comparison view.

Note: Rejecting or unrejecting snippets in the Removed category operates on the older revision, since those snippets don't exist in the current one.


Issue Scanning for Snippets

FOSSA can scan snippet matches for licensing and security issues, just as it does for declared dependencies. This is configured independently for each issue type at the project settings level.

To enable issue scanning for snippets:

  1. Go to your project's Settings → Issues.
  2. Under the Licensing or Security section, enable the Scan for Snippets toggle.

When enabled, any snippet matches that have not been rejected will be included in issue scans. Issues arising from snippet matches will appear in the project's Issues tab alongside issues from declared dependencies.

Issue scanning for snippets requires the Snippet Detection feature to be enabled for your organization.


Snippets in Reports

Snippet matches can be included in reports as Snippet Dependencies.

Licensing Reports

Snippet dependencies can be optionally included in all five Licensing report formats:

Format               Snippet Behavior
HTML, PDF, Markdown  Snippet dependency revisions are included in the full dependency list.
CSV                  An optional Snippet Dependencies section is included.
Plaintext            Snippet dependency revisions appear with a Package Depth of Snippet.

SBOM Reports

All four SBOM report formats support optional inclusion of snippet dependencies. In SBOM reports, the package associated with a snippet is treated as a direct dependency and appears in the dependency relationship graph accordingly.

Issue information for snippets is only included in reports when the corresponding issue scanning setting (Licensing or Security) is enabled for snippets on the project.


Frequently Asked Questions

What types of projects support snippet scanning? Snippet scanning is supported for source-based project types. If you navigate to the Snippets tab on an unsupported project type, FOSSA will indicate that snippet analysis is not available for that project.

Are rejections revision-specific? No. Rejections are applied at the project level, meaning a rejection for a given snippet and file path will carry over across all revisions of the same project.

Do snippet issues appear alongside dependency issues? Yes. When issue scanning is enabled for snippets, any issues generated from snippet matches appear in the same Issues view as your dependency issues. They are marked with additional metadata that indicates they originate from a snippet match.

Do rejected snippets affect reports? Yes. Rejected snippets are excluded from issue scanning and are not included in report output.

Can I filter the issue list to show only snippet-related issues? Snippet-related issues are included in the standard issues list. Refer to the Issues documentation for available filter options.