Repository Scanning

By default, all projects imported into FOSSA through a service or VCS are enrolled in "Repository Scanning".

In this model, when your code is updated in GitHub, Bitbucket or any other supported service, FOSSA automatically pulls the latest changes into a build container and analyzes the code for dependencies.

Because FOSSA works from the raw source rather than a completed build, in this approach it must "guess" which dependencies a build would bring in. It does so with a combination of techniques: static code analysis, incremental builds, and configuration inference.

Repository Scanning is best for when...

  • You want a quick & dirty start to test all integrations
  • You want to bulk-audit hundreds of repositories
  • You have numerous but relatively simple or small codebases

Refer to the language documentation for more technical detail on how FOSSA analyzes dependencies in Repository Scanning.