Open Source code inventory
Analyzing code composition: automatically locating package manager configuration files, identifying direct and transitive open source dependencies, and generating a Software Bill of Materials (SBOM).
Solutions That Work
We are committed to delivering new features that enhance the security and transparency of your development process. Here are some of the capabilities available.
Supply chain protection
Protecting against malicious components, including compromised packages, and offering policies that prevent attacks on the software supply chain. Integrating with Nexus Repository Manager and JFrog Artifactory Pro.
Vulnerabilities in open source
We collect data from multiple feeds, including NVD CVE, GHSA, OSV, and more than a dozen ecosystem feeds. Our process de-duplicates records and identifies errors in publicly available data. Private feeds from market experts are available as well. Each record is supplemented with fixed package versions and links to patches and public exploits.
License compatibility
Determining the licenses of detected open source components, checking their compatibility with each other, and monitoring compliance with the organization's licensing policies.
Evaluation of code quality in analyzed products
Analyzing source code for key signs of technical debt, automatically building developer profiles, and showing retrospective quality scores over time.
What can CodeScoring do
CodeScoring is deployed on-premises and covers security at every stage of software development.
02 Software composition analysis
CodeScoring SCA module
Software inventory: building the SBoM and dependency graph, and integrating checks into the CI pipeline with blocking security and license-compatibility policies
Checking open source at every stage of the development cycle
Automatically detecting Open Source dependencies
Checking Docker-images and system packages
Configuring security policies using 30+ criteria
Providing information on detected vulnerabilities and licenses
Graph of component relations
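The SCA checks listed above (lockfile discovery, direct versus transitive resolution, SBoM generation, a blocking CI policy) can be illustrated end to end with a small script. The following is an added example written for this page; it is not CodeScoring's code. It assumes a package-lock.json in lockfileVersion 3 layout with a flat (fully hoisted) node_modules tree, and the package names, advisory id and license rules in it are constructed for illustration.

```python
"""Toy SCA gate: lockfile -> dependency graph -> SBOM -> policy verdict.
Added example, not CodeScoring code. Assumes package-lock.json v3 with a
flat node_modules tree, so every package sits at "node_modules/<name>".
"""
import json
from collections import deque

# Constructed sample lockfile; package names, versions and licenses are fictional.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0",
             "dependencies": {"web-framework": "^4.2.0", "padder": "^1.3.0"}},
        "node_modules/web-framework": {"version": "4.2.0", "license": "MIT",
            "dependencies": {"query-parser": "^2.0.0", "logger": "^1.4.0"}},
        "node_modules/query-parser": {"version": "2.0.1", "license": "BSD-3-Clause"},
        "node_modules/logger": {"version": "1.4.0", "license": "MIT",
            "dependencies": {"timeutil": "^2.0.0"}},
        "node_modules/timeutil": {"version": "2.0.0", "license": "MIT"},
        "node_modules/padder": {"version": "1.3.0", "license": "AGPL-3.0-only"},
    },
})

# Hypothetical advisory feed and license policy (stand-ins, not real data).
ADVISORIES = [{"id": "EXAMPLE-0001", "package": "query-parser", "fixed_in": "2.1.0"}]
BLOCKED_LICENSES = {"AGPL-3.0-only", "GPL-3.0-only"}


def parse_version(text):
    """Numeric-only semver key; pre-release tags are out of scope here."""
    return tuple(int(part) for part in text.split("."))


def resolve_tree(lock_text):
    """Breadth-first walk from the root's direct dependencies; name -> component."""
    packages = json.loads(lock_text)["packages"]
    components = {}
    queue = deque((name, None) for name in packages[""].get("dependencies", {}))
    while queue:
        name, parent = queue.popleft()
        entry = packages.get(f"node_modules/{name}")
        if entry is None:
            continue  # nested (non-hoisted) install paths are not modelled
        if name in components:
            if parent:
                components[name]["parents"].add(parent)
            continue
        components[name] = {
            "version": entry["version"],
            "license": entry.get("license", "NOASSERTION"),
            "direct": parent is None,  # direct deps are dequeued first
            "parents": {parent} if parent else set(),
            "deps": list(entry.get("dependencies", {})),
        }
        for child in components[name]["deps"]:
            queue.append((child, name))
    return components


def dependency_path(components, name):
    """One path from a direct dependency down to `name`, for the finding report."""
    chain, seen = [name], {name}
    while not components[chain[-1]]["direct"]:
        parent = min(components[chain[-1]]["parents"] - seen, default=None)
        if parent is None:
            break  # cycle guard
        chain.append(parent)
        seen.add(parent)
    return list(reversed(chain))


def purl(name, version):
    return f"pkg:npm/{name}@{version}"


def to_sbom(components):
    """Minimal CycloneDX-shaped SBOM including the dependency graph section."""
    items = sorted(components.items())
    return {
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [{"type": "library", "name": n, "version": c["version"],
                        "purl": purl(n, c["version"]),
                        "licenses": [{"license": {"id": c["license"]}}]} for n, c in items],
        "dependencies": [{"ref": purl(n, c["version"]),
                          "dependsOn": [purl(d, components[d]["version"])
                                        for d in c["deps"] if d in components]} for n, c in items],
    }


def evaluate_policy(components):
    """Apply license and advisory rules; every finding carries its dependency path."""
    findings = []
    for name, comp in sorted(components.items()):
        label = f"{name}@{comp['version']}"
        if comp["license"] in BLOCKED_LICENSES:
            findings.append({"component": label, "rule": "blocked-license",
                             "detail": comp["license"], "path": dependency_path(components, name)})
        for adv in ADVISORIES:
            if adv["package"] == name and parse_version(comp["version"]) < parse_version(adv["fixed_in"]):
                findings.append({"component": label, "rule": "vulnerable-version",
                                 "detail": f"{adv['id']} (fixed in {adv['fixed_in']})",
                                 "path": dependency_path(components, name)})
    return findings


def ci_gate(lock_text):
    """Return (sbom, findings, exit_code); a non-zero code blocks the pipeline step."""
    components = resolve_tree(lock_text)
    findings = evaluate_policy(components)
    return to_sbom(components), findings, (1 if findings else 0)


if __name__ == "__main__":
    sbom, findings, code = ci_gate(SAMPLE_LOCK)
    print(f"{len(sbom['components'])} components, {len(findings)} policy findings")
    for f in findings:
        print(f"  {f['rule']}: {f['component']} via {' > '.join(f['path'])} [{f['detail']}]")
    raise SystemExit(code)
```

Run against the constructed lockfile, the gate reports the AGPL-licensed direct dependency and the vulnerable transitive one (reached via web-framework), emits a five-component SBOM, and exits non-zero so the CI step fails. A real tool has to resolve nested node_modules paths, handle pre-release versions and version ranges in advisories, and compare licenses by SPDX expression rather than exact id; this block keeps only the shape of the pipeline.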
03 Quality analysis
CodeScoring TQI module
Analysis of the organization's proprietary code: determining who contributes to each project and assessing quality metrics over time to track operational risk
Analysis of code quality
Building profiles of developers with proven competence in projects
Functionality for internal recruiting
Determining key signs of tech debt
Reports and integration into development lifecycle
01 Protection of supply chain
CodeScoring OSA module
Checking and filtering components entering the organization's perimeter based on security risks
Protection against malicious components, including compromised packages
Policies to prevent popular attacks on software supply chain
Management of detected vulnerabilities
Integration with Nexus Repository Manager and JFrog Artifactory Pro
Secrets identification
Identification of sensitive information in source code. A machine learning model is applied to reduce the volume of false positives
Scan configuration management
True positive / false positive markup
Evaluation of findings (ML)
Alexey Smirnov, CEO of Profiscope
«CodeScoring is suitable for banks, IT companies, telecom operators, healthcare companies, computer security companies and other organizations that care about security and the quality of their products»
Profiscope
We have been working with the global open source database since 2011. Since 2019 we have organized a conference on CodeMining (source code analysis) within OpenDataScience. In January 2021 we released the commercial version of CodeScoring to the secure development tools market.
> 200m analyzed Open Source projects and libraries
> 30 experts developing the platform and collecting and analyzing data on global Open Source and its vulnerabilities
> 5 years of experience conducting tech audits and developing in-house code analyzers
Check components at each stage of the software development lifecycle; a separate policy can be configured for each stage:
Public Open Source registries
Proxy repositories: checking components in proxy repositories and blocking malicious and critically vulnerable packages
Source code control: regularly checking source code that has not yet reached a build and notifying the responsible owners; recurring scans of code and SBoM
Project assembly in the CI pipeline: checks within the development pipeline, from scanning the source directory and checking build artifacts to scanning images
Safe product
Convenient UI
CodeScoring provides a comfortable experience and a clear interface for solving your tasks
Working with dependencies
We have implemented an interactive relationship graph where you can immediately see the relationships between components and get detailed information on problematic dependencies.
Request a demo
Here you can request a demo, check pricing, get an educational license, or partner with us.