Glossary

Key terms and concepts used throughout the Ossprey documentation and product.


SBOM (Software Bill of Materials)

A structured inventory of all software packages and dependencies in a project. Ossprey generates an SBOM by analysing your package manifest files (e.g. package.json, requirements.txt, poetry.lock), then submits it to the Ossprey service for malware and vulnerability analysis. SBOMs are the foundation of software supply chain security — they let you know exactly what's in your software.

Scan

The process of analysing a project's dependency tree for malicious packages and known vulnerabilities. A scan begins with SBOM generation (identifying all packages), followed by submission to the Ossprey service for analysis against our threat intelligence database. Scans can be triggered via the dashboard, the GitHub integration, or the CLI.

Verdict

The outcome of a scan for a given package. Possible verdicts include Safe (no issues detected), Malicious (intentionally harmful code identified), and Suspicious (concerning behaviour that warrants investigation).

Scan job

The unit of work that processes a scan request on the Ossprey backend. A scan job progresses through statuses — typically queued, in progress, and succeeded (or failed). You can track scan job progress from the dashboard or via the CLI's verbose output.

Malicious package

A software package identified as containing intentionally harmful code. Common attack vectors include data exfiltration (stealing environment variables, credentials, or files), backdoors (providing remote access to attackers), typosquatting (mimicking popular package names with slight misspellings), and dependency confusion (exploiting private/public package name collisions).

GitHub App

The mechanism by which Ossprey integrates with GitHub. The Ossprey GitHub App is installed at the organisation or account level and grants read access to repository metadata and package manifests, enabling automated scanning on push, PR, or schedule. It does not access source code.

Ecosystem

A package registry and its associated tooling — for example, npm (JavaScript), PyPI (Python), Maven (Java), Cargo (Rust). Ossprey supports scanning packages across multiple ecosystems.

CycloneDX

An open standard for SBOMs that Ossprey uses internally. The Ossprey CLI generates CycloneDX-compatible SBOMs using the cyclonedx-python-lib library.
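To make the SBOM and CycloneDX entries above concrete, here is an added example (not Ossprey's code, and not using cyclonedx-python-lib) that turns a constructed requirements.txt into a minimal CycloneDX 1.5 JSON document using only the Python standard library. It assumes the hypothetical manifest shown inline and the CycloneDX JSON field names (bomFormat, specVersion, components, purl); lines that are not exact pins are reported as skipped rather than silently dropped, since a range or VCS install cannot be resolved to a precise package version without a lock file.

```python
"""Build a minimal CycloneDX 1.5 JSON SBOM from a requirements.txt manifest.

Added illustrative example: this is not Ossprey's code and does not use
cyclonedx-python-lib; it writes the CycloneDX JSON document by hand with the
standard library so it runs offline.
"""
from __future__ import annotations

import json
import re

# Constructed sample manifest (not from any real project).
SAMPLE_REQUIREMENTS = """\
# constructed example requirements.txt
requests==2.31.0
urllib3>=1.26,<3   # a version range cannot be pinned without a lock file
-e git+https://example.invalid/repo.git#egg=internal-tool
cryptography==42.0.5 ; python_version >= "3.7"
"""

# Matches an exact pin: name==version (environment markers after ';' ignored).
PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;#]+)")


def parse_requirements(text: str) -> tuple[list[tuple[str, str]], list[str]]:
    """Return (pinned (name, version) pairs, skipped lines).

    Only exact pins can be turned into a precise purl; ranges, editable or
    VCS installs are returned as skipped so the caller knows the SBOM is
    incomplete instead of wrong.
    """
    pinned, skipped = [], []
    for raw in text.splitlines():
        # Strip comments: '#' at line start or preceded by whitespace
        # (so a '#egg=' URL fragment is left intact).
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if not line:
            continue
        m = PIN_RE.match(line)
        if m:
            # PEP 503 name normalisation: lowercase, runs of - _ . become '-'
            name = re.sub(r"[-_.]+", "-", m.group(1)).lower()
            pinned.append((name, m.group(2)))
        else:
            skipped.append(line)
    return pinned, skipped


def build_cyclonedx(pinned: list[tuple[str, str]]) -> dict:
    """Assemble a CycloneDX 1.5 JSON document for PyPI components."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "components": [
            {
                "type": "library",
                "name": name,
                "version": version,
                "purl": f"pkg:pypi/{name}@{version}",
            }
            for name, version in pinned
        ],
    }


def sbom_from_requirements(text: str) -> tuple[dict, list[str]]:
    """Parse a manifest and return (CycloneDX document, skipped lines)."""
    pinned, skipped = parse_requirements(text)
    return build_cyclonedx(pinned), skipped


if __name__ == "__main__":
    bom, skipped = sbom_from_requirements(SAMPLE_REQUIREMENTS)
    print(json.dumps(bom, indent=2))
    for line in skipped:
        print("skipped (not an exact pin):", line)
```

The purl (package URL) on each component is what a scanning service keys on when matching an inventory against threat intelligence, which is why the example insists on exact pins and normalised names: a purl built from a range or an un-normalised name would not match the package actually installed.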


This glossary will grow as Ossprey evolves. If you encounter a term that isn't listed here, let us know at support@ossprey.com.