Fossa Analyze Additional Flag Options
Optional flags that modify how fossa analyze discovers and uploads projects.
3 min readUpdated Jul 10, 2026
Overview
This page is going to outline the optional flags that you can pass in when you are running fossa analyze:
| Flag | Description |
|---|---|
--debug | Enable debug logging, and write detailed debug information to fossa.debug.json |
-e,--endpoint URL | The FOSSA API server base URL (default https://app.fossa.com) |
-p,--project ARG | this repository's URL or VCS endpoint (default: VCS remote 'origin') |
-r,--revision ARG | this repository's current revision hash (default: VCS hash HEAD) |
--fossa-api-key ARG | the FOSSA API server authentication key (default:FOSSA_API_KEY from env) |
-c,--config ARG | Path to configuration file including filename (default: .fossa.yml) |
--with-telemetry-scope ARG | Scope of telemetry to use, the options are 'full' or 'off'. (default: 'full') |
-o,--output | Output results to stdout instead of uploading to fossa |
--unpack-archives | Recursively unpack and analyze discovered archives |
--json | Output project metadata as json to the console. Useful for communicating with the FOSSA API |
--include-unused-deps | Include all deps found, instead of filtering non-production deps. Ignored by VSI. |
--debug-no-discovery-exclusion | Ignore filters during discovery phase. This is for debugging only and may be removed without warning. |
--force-vendored-dependency-scan-method METHOD | Force the vendored dependency scan method. The options are 'CLILicenseScan' or 'ArchiveUpload'. 'CLILicenseScan' is usually the default unless your organization has overridden this. |
--force-vendored-dependency-rescans | Force vendored dependencies to be rescanned even if the revision has been previously analyzed by FOSSA. This currently only works for CLI-side license scans. |
-b,--branch ARG | this repository's current branch (default: current VCS branch) |
-t,--title ARG | the title of the FOSSA project. (default: the project name) |
-P,--project-url ARG | this repository's home page |
-j,--jira-project-key ARG | this repository's JIRA project key |
-L,--link ARG | a link to attach to the current build |
-T,--team ARG | this repository's team inside your organization |
--policy ARG | the policy to assign to this project in FOSSA |
--release-group-name ARG | the name of the release group to add this project to |
--release-group-release ARG | the release of the release group to add this project to |
--only-target PATH | Only scan these targets. See targets.only in the fossa.yml spec. |
--exclude-target PATH | Exclude these targets from scanning. See targets.exclude in the fossa.yml spec. |
--only-path PATH | Only scan these paths. See paths.only in the fossa.yml spec. |
--exclude-path PATH | Exclude these paths from scanning. See paths.exclude in the fossa.yml spec. |
--x-vendetta | Analyzes project files on disk to detect vendored open source libraries |
--experimental-enable-binary-discovery | Reports binary files as unlicensed dependencies |
--experimental-link-project-binary DIR | Links output binary files to this project in FOSSA |
--detect-dynamic BINARY | Analyzes dynamically linked libraries in the target binary and reports them as dependencies |
--experimental-skip-vsi-graph LOCATOR | Skip resolving the dependencies of the given project in FOSSA |
DIR | Set the base directory for scanning (default: current directory) |
-h,--help | Show this help text |
-V,--version | show version information and exit (global option) |