Architectural Overview

When FOSSA is installed behind your firewall, it will run an environment that's fully sealed within your organization.

Key Factors

  1. No proprietary code will ever leave your premises
  2. No scan data, signatures or hints are ever sent to FOSSA's servers — custom OSS database is fully built and maintained on premise
  3. Installing FOSSA creates no additional InfoSec footprint. FOSSA will download and analyze 3rd-party code anonymously from the web, equivalent to current behavior on developer machines or CI environments

For security info about our hosted version or development process, please visit

Importing from Custom URLs or Code Hosts

By default, FOSSA works best with rich service brokers (like Github, Bitbucket, Gitlab). However if you have code living in a custom code or artifact host, FOSSA's on-prem version can import from a raw URL:

FOSSA supports any URL from supported VCS, artifact hosts/registries and tools that live inside your intranet. After importing custom code, FOSSA will scan it for all branches/tags and set up automatic updates/tracking for the default branch:

By default, FOSSA will enable daily or hourly scans on your default branch. If FOSSA finds any issues, it will notifying you with email reports that will link back to your dashboard where you can analyze and fix the issue:

Congrats! Now you have compliance running internally at your company in the background of your workflow.

Hooking Into Development

If you'd like to surface/enforce its checks deeper within your organization, you can easily configure it to add more feedback to your internal tools.

Importing through Github, Gitlab or Bitbucket will immediately prepare deeper integrations that you can toggle including:

  • Continual per-commit scanning via Webhooks
  • Automated code review (pull request) feedback / blocking
  • Issue tracker syncing
  • Continuous integration and test integrations
  • Commit status integration

FOSSA also comes with a full suite of integrations into other tools that will work all on-premises:

See our full integration directly at or docs on how to set these up.