AI coding assistants have become nearly ubiquitous in modern software development. According to a recent GitHub survey, upwards of 97 percent of developers report using these tools, in pursuit of benefits like improved code quality and development velocity.
However, for all the promise of generative AI in application development, there are also potential risks. These include the possibility that developers may inadvertently violate open source licensing terms by using AI output that matches code upon which the AI was trained — code that carries specific licensing obligations.
In this scenario, the end-user (e.g. developer) is responsible for compliance, even though they may not be aware of their obligations in the first place.
That's why, as part of our ongoing effort to provide customers with the most comprehensive set of license compliance management tools possible, we're proud to announce the release of FOSSA Snippet Scanning. FOSSA Snippet Scanning is a modern snippet detection solution designed to help organizations combat AI-related IP legal risks — without slowing AI-fueled innovation.
Why FOSSA Snippet Scanning
Snippet scanning isn't a new practice, per se. In the pre-AI days, some teams used snippet scanning tools to protect against license compliance risks associated with copying code snippets from places like Stack Overflow.
Unfortunately, the earlier generation of snippet scanning tools was plagued by an extremely high false positive rate and the need for extensive manual intervention. These factors, coupled with the fact that organizations could conceivably implement policies preventing developers from copying and pasting chunks of code from public forums in the first place, made snippet scanning a lower-priority initiative for most of our customers.
There have been two big changes in the past few years that led to today's launch of FOSSA Snippet Scanning:
- AI coding assistants have been broadly adopted — engineering teams want to use them, and legal teams want to enable engineering to use them while remaining compliant. And, while one of the first AI coding tools (GitHub Copilot) offered strong legal protections to safeguard paying customers against litigation, newer tools don't necessarily provide such guarantees.
- FOSSA's product and engineering teams have conducted continuous R&D to understand the viability of producing a low-noise snippet scanning solution. Our confidence gradually increased in our ability to do so until it reached an inflection point.
FOSSA Snippet Scanning gives our customers a solution with several critical capabilities:
- Performant: While legacy snippet scanning tools can take hours to work, FOSSA Snippet Scanning completes most scans in under five minutes.
- Focused: Traditional snippet scanning tools often surface too many matches, resulting in hours of manual legal toil. FOSSA Snippet Scanning uses a multi-step ranking algorithm to prioritize the most relevant snippet matches based on provenance, component metadata and health, and match score.
- Actionable: FOSSA Snippet Scanning seamlessly fits within our existing, best-in-class license compliance workflows. You'll be able to easily create and modify policies, see and meet snippet-related compliance requirements, produce (and automatically update) attribution reports, and more for snippets just like you would dependencies.
How FOSSA Snippet Scanning Works
Organizations can initiate the snippet scanning workflow locally, as part of a pull request workflow, or in CI/CD pipelines — essentially anywhere the FOSSA CLI can be run.
The results of your scan will be shown in the “Inventory” tab in the FOSSA UI. There are two parts of the Inventory dropdown — dependencies and snippets. Just like with dependencies, teams can produce SBOMs and license attribution reports that include snippet information.
Each snippet entry includes the following information:
- Package name and version for the original, full open source component.
- Detected licenses associated with the original, full open source component; these are categorized “approve,” “flag,” or “deny” based on your organization's licensing policies within FOSSA.
- Match confidence level based on the percent of the snippet code that's also contained in the full file.
- Number of matching files to help you determine how widespread the snippet is in your project.
Example FOSSA Snippet Scanning Workflow
Now, let's take a step-by-step look at what an end-to-end FOSSA Snippet Scanning workflow might look like.
- Start the snippet scanning workflow like you would a standard dependency scan, with the
fossa-analyzecommand and append the--x-snippet-scancommand. FOSSA will then analyze your projects and surface dependencies and code snippets in the Inventory tab of the FOSSA UI, along with any Issues we detect in the "Issues" tab. Enable license scanning for snippets from the project settings page to have licensing issues generated based on snippets. - Inspect details and confirm matches by comparing the first-party code to the third-party code match. Review file and folder structure to determine where the snippet was discovered. Filter matches based on match confidence. Reject matches that are deemed to be insignificant.
- Filter and prioritize issues. You can filter issues specifically to "Snippets" when viewing results, separating them from full dependency issues. From there, you can prioritize based on factors like Issue Type (denied license, flagged license, undeclared license, or unconcluded license), when the Issue was first discovered, license name, and more.
- Remediate issues. You can open a ticket to remove the problematic snippet or ignore the issue. (Note that FOSSA Snippet Scanning supports Ignore Rules, so you will have the ability to ignore the detected issue for all semantic versions of the affected package.)
- Track and report on changes. Generate SBOM and licensing reports that optionally include snippets; FOSSA will automatically add accepted snippet matches to your SBOM and license attribution reports should you desire. Additionally, you can track changes between software revisions (FOSSA highlights added/removed snippets between scans) to ensure traceability.
Getting Started with FOSSA Snippet Scanning
While snippet scanning was a relatively low-priority initiative for many organizations in years past, the spread of AI coding assistants — and the accompanying IP legal risks — has elevated its importance for many of our customers. FOSSA Snippet Scanning was specifically designed for this use case, so we encourage organizations concerned about their AI coding tool-related risk exposure to give the product a try. Though, we should note that FOSSA Snippet Scanning is also an effective solution for traditional snippet detection use cases, such as chunks of code that are copied and pasted from sites like Stack Overflow.
FOSSA Snippet Scanning is currently available as a paid subscription offering. We encourage existing FOSSA customers interested in learning more to contact your customer success representative. If you aren't currently a FOSSA customer, feel free to get in touch with our team for a demo and more information.