Scanning Yocto Projects

Analyze and report the runtime packages of a Yocto image build to FOSSA using the meta-fossa layer.

2 min readUpdated Jul 9, 2026

Overview

This guide explains how to integrate FOSSA into a Yocto-based build for license and security compliance scanning. FOSSA supports Yocto builds via meta-fossa, a Yocto layer that analyzes and reports the runtime packages of a Yocto image build to FOSSA.

Note

Supported Yocto versions

The meta-fossa layer is published per Yocto release as a dedicated branch. Check out the branch that matches your Yocto version:

Yocto VersionBranch
dunfelldunfell
honisterhonister
kirkstonekirkstone
mickledoremickledore

Quickstart

  1. 1

    Check out the FOSSA layer

    Clone meta-fossa, replacing dunfell with your Yocto version:

    Shell
    git clone https://github.com/fossas/meta-fossa.git -b dunfell
  2. 2

    Check out Yocto

    If you do not already have a Yocto build environment, clone Poky on the matching branch:

    Shell
    git clone git://git.yoctoproject.org/poky.git -b dunfell
  3. 3

    Activate the Yocto build environment

    Source the build environment script:

    Shell
    cd poky && source oe-init-build-env
  4. 4

    Add and inherit the meta-fossa layer

    Register the layer and configure your build to inherit it:

    Shell
    # Add the meta-fossa layerbitbake-layers add-layer ../../meta-fossa/echo 'BBLAYERS += "${TOPDIR}/../../meta-fossa"' >> conf/local.conf # Inherit the FOSSA layerecho 'INHERIT += "fossa"' >> conf/local.conf
  5. 5

    Set your FOSSA API key

    Add your API key to the build configuration:

    Shell
    echo 'FOSSA_API_KEY = "<VALID-FOSSA-API-KEY>"' >> conf/local.conf
  6. 6

    Build your image

    Run your build as usual. The FOSSA layer analyzes the runtime packages as part of the build:

    Shell
    bitbake core-image-minimal
  7. 7

    View the results

    When the build completes, FOSSA logs the project URL:

    Shell
    [ INFO] Using project name: `core-image-minimal`[ INFO] Using revision: `qemux86-64-20230103233003`[ INFO] Using branch: `dunfell`[ INFO] ============================================================[ INFO][ INFO]     View FOSSA Report:[ INFO]     https://app.fossa.com/projects/<YOUR-PROJECT-URL-HERE>[ INFO][ INFO] ============================================================

    Open the project URL to review license compliance and security issues.

Note

If license or security issues are found, the build fails with an error. This behavior can be disabled. See the GUIDE.md on your branch of the meta-fossa repository for details.

Resources

© 2026 FOSSA, Inc.support@fossa.com