Frequently Asked Questions


WhiteSource automates the entire process of open source component selection, approval and management, including detection and remediation of security and compliance issues. It integrates with all stages of your software development lifecycle (SDLC) to alert in real time and help you fix issues faster and easier.

Our plugins integrate with your repositories, build tools, CI servers and more. It calculates the digital signature for all your components without ever scanning your code. It then cross-references the digital signatures with the ones in the WhiteSource database to detect the open source components in your products. An immediate up-to-date report is generated with all components and issues detected. It does that every time you run your build.

No. WhiteSource for Containers is part of the WhiteSource product. It integrates with more than 15 different tools: CI/CD, build tools, image registries, and containers management platforms, to give you an updated view of your container’s lifecycle. You can also define automated policies to block unwanted open source components from entering your containers.

The WhiteSource database is the biggest and most mature database of open source vulnerabilities. It contains more than 300,000 vulnerable components which are aggregated from the CVE/NVD, and various other sources like the GitHub issue tracker, security advisories, and open source projects issue trackers.

WhiteSource uses a proprietary patented algorithm that matches between vulnerability and only the impacted version, thus guaranteeing no false positives that waste developers’ time.

Yes, WhiteSource enforces policies automatically throughout the software development process. You can define your policies according to security vulnerabilities severity, open source license type, software bugs severity, age of a component and many more. You can approve, reject, initiate an approval flow or open an issue ticket based on your criteria and definitions.

In addition, WhiteSource also offers a browser extension, which notifies your developers if a certain component meets your organization’s policies while searching online in the worldwide web without downloading the component.

We offer a variety of reports that will help you monitor all of your open source activity such as an Inventory report, due diligence report, high severity bugs report and vulnerability report and many more. You can see some examples at the bottom of this page.

WhiteSource is a cloud-based service, but we also offer an on-premise option, if necessary. It’s important to emphasize that we do not scan your code. We also offer a dedicated instances option.

Yes, some of our plugins can be used on isolated environments. The plugin generates the update request, saves the request locally as a text file. This file is then moved to an online environment from which it can be uploaded either automatically or manually to WhiteSource.

WhiteSource browser integration supports Google Chrome. We’re looking to extend it to additional browsers in future releases.

Yes, your WhiteSource administrator needs to send you an email invitation to use the browser integration. It is a simple and quick process.

The browser integration supports any Web page with a mention of an open source component. You just need to click on the toolbar icon to initiate the scan. It automatically scans web pages and detect package references. It support Mvn repository, Maven central, RubyGem, Pypi, NpmJs, Nuget, StackOverFlow and many more.

You will need to click on the WhiteSource icon on your browser’s toolbar. Identified open source components will have a special WhiteSource icon near them, together with an indication on the level of security vulnerabilities associated with the component.

You can click on the icon to get the details results.

WhiteSource Prioritize uses groundbreaking new technology to enable organizations to check if and how their software projects are affected by employed open source software components that are reported to have security vulnerabilities.

WhiteSource for Developers is a new product offered to WhiteSource Core customers that aims to make developers work simpler when using open source. It includes the following four tools:

  1. WhiteSource Remediate
  2. IDE Integration
  3. Repo Integration
  4. Browser Integration (formerly called Web Advisor or Selection Tool)

WhiteSource for Developers supports WhiteSource for GitHub Enterprise, Bitbucket server and Advise for Chrome.


A scan takes just a few seconds and has no impact on your build.

We only calculate digital signatures without scanning your code and compare them to the digital signatures of the open source components in our database.

We take pride in developing patented algorithms that assure no false positives.

WhiteSource does not scan your code at all. It only calculates the digital signature of your components and cross reference it against WhiteSource’s database. Our default is to detect the delta from build to build for maximum efficiency.

Of course. We support Go, Swift and many more languages, including APK enabling us to detect open source components in a delivered software package.

Yes. We detect all open source components, including their direct and transitive dependencies.

No – WhiteSource Prioritize does not pass proprietary code. It passes information pertaining to traces of proprietary code calls to open source components, including function name, line number of function call, name for file featuring the function call, identifier for vulnerability reported for a pertinent open source library (e.g., CVE), and vulnerable element[s] in the library.

WhiteSource Prioritize supports analysis of the following projects: Java, Scala, Kotlin projects (with Maven or Gradle web app as well as POJO projects), and JavaScript (npm). Support for additional environments will be considered for a future release.

WhiteSource Prioritize was designed for high performance and scales to accommodate projects ranging from extremely small (a handful of libraries and dependencies) to extremely large projects (thousands of libraries and dependencies). The design underlying WhiteSource Prioritize enables it to complete analysis for projects with several hundreds of dependencies in mere minutes.


WhiteSource supports more than 200 programming languages like Java, C++, .NET, PHP, python and more.

We support many repositories, build tools, package managers, CI servers and more. You can check our integration page for more details.

WhiteSource for Containers integrates with Docker, JFrog Artifactory, Amazon ECR, Azure Container Registry, and Google Container Registry.

Yes. We support all the above managed service providers.

If you cannot find your desired tool, you can also use our Unified Agent for integration.

Yes. we offer REST APIs.

Yes, we offer this kind of integration. You need to enter your issue tracker credentials, and then form a policy with an “Issue” action, and choose the issue tracker you are using.

Yes. WhiteSource’s utilizes the issue tracker’s generic API to generate new ticket creation requests. In most issue trackers, the same API request is used for both SaaS and On-Premise deployments, so as long as your instance allows external incoming API requests, and the server where the instance resides is accessible from outside the organizational network, the integration should function properly.

Yes. The WhiteSource Bitbucket Server Integration detects open source components in each repository, alerts on vulnerable components in real-time, and combined with Code Insights for Bitbucket server, provides detailed information about the vulnerabilities to help developers make informed decisions about remediation. It also enforces organizational open source security policies automatically and generates automatic pull requests (PR) to fix open source security vulnerabilities.

This integration is available only for WhiteSource users.

WhiteSource for Developers supports GitHub Enterprise, and Bitbucket server.


Our standard SLAs are:

Severity 16 hours24 hours
Severity 224 hours10 business days
Severity 348 hours21 business days
Severity 448 hoursN/A

Most of our communication is done via e-mails and comments in the support tickets.

When needed we conduct meetings over the phone but don’t offer phone support as a standard part of our service.

We Support our customers remotely. In on-premises installations we conduct hands on sessions with the customers to jointly connect to the environment and troubleshoot.

In such cases, where a critical issue cannot be resolved remotely, we also support on site visits to ensure quick turnarounds.

Yes, you can read more information here.

Yes, WhiteSource is ISO27001 certified.

The onboarding process is included in our pricing. As part of it, we escort our customers during the whole deployment process: plugin integration, platform configuration, understanding reports and dashboards and analyzing data provided by WhiteSource. We also share best practices and suggest known processes so the maximum value can be driven from our tool.


“Contributing Developer” means any employee or contractor who during the term of the agreement accesses or uses the WhiteSource Program or any engineer, developer or other person that writes, develops or modifies the Customer’s, or Customer’s affiliate’s, code being scanned or monitored by the WhiteSource Program.  For the avoidance of doubt, the same individual will not be counted more than once even if acting in two separate roles such as a developer and platform user.

WhiteSource automates and manages open source components throughout the Software Development Life Cycle (SDLC). Therefore, pricing based on the number of Contributing Developers best reflects the impact of our solution, without limiting you to artificial factors such as size of code or number of scans.

No. The number of portal users does not reflect the work that is actually being performed in order to support these developers. We find that many organizations can even manage their open source usage with a limited number of portal users, for example by leveraging our APIs and consume our data outside the web portal.

Yes. WhiteSource offers one comprehensive solution that includes the full extent of our database with vulnerabilities from the CVE and dozens of other sources and unlimited capabilities (unlimited number of plugins, unlimited number of users, unlimited number of policies, and more).

No. We believe that only through continuous monitoring can our customers take full advantage of WhiteSource’s capabilities. Our recommended practice is to activate our plugins with every commit, or nightly build, and therefore we offer an unlimited number of scans.

​No. ​We take pride in offering a transparent, simple, and predictable pricing.

We price per Contributing Developers, since we know managers have a better visibility into the growth of their head count rather than the size of their software or lines of code.

WhiteSource Prioritize is not included in the cost of WhiteSource Core. WhiteSource customers interested in WhiteSource Prioritize should approach their account representative.

Still have questions? Call us or email at [email protected]