FOSSA CLI
Analyze dependencies, test policies, and generate reports from the command line.
Overview
The FOSSA CLI analyzes your project's dependencies from the command line, on your machine or in CI, and uploads the results to FOSSA for license, security, and quality analysis. For most projects it works with zero configuration: install the CLI, set your API key, and run fossa analyze.
Because it reads dependencies straight from your build, the CLI is the most accurate way to get a project into FOSSA. See Project Setup for how it compares to Quick Import and the other import methods, and CI/CD scanning to run it automatically on every build.
These docs are organized into Concepts (how analysis works), Walkthroughs (step-by-step integration guides), Features (specific capabilities like container and vendored-dependency scanning), and References (every command, configuration file, and troubleshooting guide). Browse them below or from the sidebar. Not sure what the CLI sends to FOSSA? See what data gets uploaded.
Concepts
Features
Regular Expression Syntax for Custom License and Keyword Searches
Custom License and Keyword Searches use version 1.
Custom-License and Keyword Searches
FOSSA offers the ability to search your codebase using regular expressions and to report matches.
First-Party License Scans
First-party license scans allow you to find licenses in your project's code.
Manually specifying dependencies
FOSSA offers a way to manually upload dependencies provided we support the dependency type.
Snippet Scanning
EnterpriseSnippet scanning identifies potential open source code snippets within your first-party source code by comparing file fingerprints against FOSSA's knowledge …
Strategy command selection
In some strategies, FOSSA CLI uses actual package managers or build tools in order to analyze the dependencies of a project.
Vendetta
Vendetta is the name of FOSSA's vendored dependency identification feature.
License scanning local dependencies
FOSSA offers the ability to license scan your code directly.
Walkthroughs
Analyze only a set of targets
Control which build targets the CLI discovers and how paths map to analyzers.
Analyzing the Android Open Source Project
Integrate FOSSA with Android Open Source Project builds and custom Android distributions.
Scanning Buildroot Projects
Scan Buildroot-based embedded Linux projects for license and security compliance with FOSSA.
Custom Integration with Conan Package Manager
Set up FOSSA CLI analysis for C and C++ projects that use the Conan package manager.
Integrating Container Scanning in CI
Run container image analysis and policy tests in a generic CI pipeline.
Custom Integration using fossa-deps
Example of declaring custom or non-standard dependencies with fossa-deps for Bower.
Installing Fossa CLI
Download and install the FOSSA CLI on macOS, Linux, and Windows.
Quick Start
Configure your API key and run your first analyze and test cycle with minimal setup.
Using FOSSA CLI with HTTP Proxies
Route CLI traffic through corporate HTTP proxies using standard environment variables.
Custom SSL Certificate with fossa-cli
Point the CLI at custom root certificate stores for TLS in locked-down networks.
What Data Gets Uploaded to FOSSA's Servers
Types of data the CLI sends to FOSSA during analyze, including dependencies, vendored code, and telemetry.
Scanning Yocto Projects
Analyze and report the runtime packages of a Yocto image build to FOSSA using the meta-fossa layer.