If integrating is not for you, SOOS can still help!  Use the Manifest Scan functionality to scan your projects only when you want or need it.

Performing a Manifest Scan

  1. Within the SOOS application, select QuickScan a File in the left navigation menu.
  2. Here you can upload, or drag & drop, the desired manifest.  The scan will automatically initiate once the manifest type is detected.

    [Screenshot: successful manifest scan message in SOOS]
    • A warning will be provided if the manifest file exceeds the max size, is an unsupported format, or an unsupported version of a supported format. Supported manifest formats can be found here.
      [Screenshots: rejected manifest message (unsupported file type); error message (unknown manifest format); error message (unsupported manifest version)]
  3. While the analysis is running, the Recent Scans icon in the left navigation menu will indicate 1 active scan in progress.
    [Screenshot: SOOS UI scan status indicator]
  4. Once the analysis is complete, the scan results will display as a project on the dashboard.  
    • The Manifest Scan analysis will determine a project name based on the manifest content, or on the file name if the manifest does not declare a name.
    • Project details for projects created via Manifest Scan will only be updated by performing subsequent Manifest Scans of manifests with the same file name.  To rescan the most recent manifest version and check for any newly reported vulnerabilities, use the Rescan option.

A note about Manifest Scan Dependency Settings

The first time a manifest is uploaded via Manifest Scan, SOOS will always scan the full dependency tree and will include dev dependencies. This differs from the defaults used for CI/CD integrated scans, which do not include dev dependencies by default.

These Manifest Scan Dependency Settings will be applied as the Project Configurations defaults and will be used for subsequent scans of the same manifest unless the user makes a change.