Concourse-CI

Integrating FOSSA with Concourse-CI

This guide walks you through setting up a FOSSA project in a Concourse-CI pipeline.

Getting started

Integrating FOSSA with your Concourse-CI pipeline uses fossa-cli, our open source dependency analysis client, which is installed on the CI worker at build time. The client supports all three major operating systems (Linux, macOS/Darwin and Windows).

You do not need fossa-cli on your own machine to configure FOSSA for Concourse-CI, but installing it locally is useful for testing: you can confirm that your API key works and get a feel for the FOSSA build, test and analyze process before wiring it into a pipeline. Install it with the command below or download a release directly from our GitHub Releases page. Note that the one-liner pipes a script fetched from the master branch straight into bash; read the script before running it, or prefer a specific release from the Releases page whose checksum you can verify.

curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install-latest.sh | bash

# view `fossa` help text
fossa --help

Get your FOSSA API key

First, create a FOSSA API key in your FOSSA account under Integration Settings.

Keep this key handy: you will supply it to Concourse as the pipeline variable ((fossa_api_key)), which the FOSSA task exposes to fossa-cli as the FOSSA_API_KEY environment variable. Treat it as a secret; do not commit it to the repository or paste it into the pipeline file.

Set up your Concourse-CI environment

Once the API key is ready, it's time to edit your pipeline configuration file.
In this example we start from an existing pipeline that builds and tests a Node app, and add a job that runs after build_and_test and executes fossa-cli.

---
resources:
  - name: nodejs.org-git
    type: git
    icon: github-circle
    source:
      uri: https://github.com/nodejs/nodejs.org.git

jobs:
  - name: build_and_test
    public: true
    plan:
      - get: nodejs.org-git
        trigger: true
      - task: run-tests
        config:
          platform: linux
          image_resource:
            type: registry-image
            source: {repository: node, tag: "8"}
          inputs:
            - name: nodejs.org-git
          run:
            path: /bin/sh
            args:
              - -c
              - |
                cd nodejs.org-git
                npm install
                npm test

Add FOSSA steps to your Concourse-CI configuration file

Next, add a second job that runs the fossa commands to upload dependency data from your build.

Insert it after the build_and_test job and gate it with passed: [build_and_test], so it only runs for commits that have already built and passed their tests. Keep in mind that Concourse runs every task in a fresh container containing only the task's declared inputs: the FOSSA job receives a clean checkout of the repository, not the node_modules directory produced by build_and_test, so the task runs npm install again before fossa analyze. The public: true flag carried over from the tutorial pipeline makes build logs readable without logging in; remove that line from the FOSSA job (jobs are private by default) unless you are sure its output contains nothing sensitive.

  - name: fossa_run
    public: true
    plan:
      - get: nodejs.org-git
        passed: [build_and_test]
        trigger: true
      - task: run-fossa
        config:
          platform: linux
          image_resource:
            type: registry-image
            source: {repository: node, tag: "8"}
          inputs:
            - name: nodejs.org-git
          run:
            path: /bin/sh
            args:
              - -c
              - |
                echo "Node Version: $(node --version)"
                echo "NPM Version: $(npm --version)"
                curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install-latest.sh | bash
                cd nodejs.org-git
                # fresh container: restore dependencies before analysis
                npm install
                fossa analyze
                fossa test
          params:
            FOSSA_API_KEY: ((fossa_api_key))

Now register the pipeline with the fly command, supplying the API key at the same time, e.g. fly -t tutorial set-pipeline -p fossa-example-pipeline -c pipeline.yml -l credentials.yml, where credentials.yml is a file kept outside the repository containing the single line fossa_api_key: <your key>.

You can also pass the key inline with -v fossa_api_key=<your key>, but that leaves it in your shell history and visible in the process list while fly runs, and in both cases the value is interpolated into the pipeline config that fly uploads. If your Concourse has a credential manager configured (Vault, CredHub or a cloud secrets service), store the key there under the name your manager maps to ((fossa_api_key)) and omit -l and -v altogether, so the secret never passes through your workstation or the saved pipeline config.

With every run of the pipeline, FOSSA will now receive a fresh dependency report for your project, and fossa test will fail the job if the project violates your FOSSA policies.
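As an added example (not code from the FOSSA or Concourse documentation), the following task script replaces the curl-to-bash install in the task above with a pinned release whose SHA-256 is checked before anything from the archive is executed, then runs the same analyze and test steps. The version, download URL, digest and archive layout (a top-level fossa binary) are placeholders and assumptions; take the real values from the fossa-cli GitHub Releases page for the release you pin. The RUN_FOSSA_TASK guard is likewise an assumption of this example, so the checksum helpers can be exercised without network access.

```shell
#!/bin/sh
# Added example, not FOSSA's or Concourse's own code: a Concourse task script
# that installs a pinned fossa-cli release, verifies its SHA-256 before
# anything from the archive runs, then performs the analyze/test steps.
set -eu

# Assumed placeholders. FOSSA_VERSION, FOSSA_URL and FOSSA_SHA256 are
# hypothetical; take the real version, asset URL and published digest from
# the fossa-cli GitHub Releases page for the release you pin.
FOSSA_VERSION="${FOSSA_VERSION:-0.0.0}"
FOSSA_URL="${FOSSA_URL:-https://github.com/fossas/fossa-cli/releases/download/v${FOSSA_VERSION}/fossa-cli_linux_amd64.tar.gz}"
FOSSA_SHA256="${FOSSA_SHA256:-0000000000000000000000000000000000000000000000000000000000000000}"
FOSSA_BIN_DIR="${FOSSA_BIN_DIR:-/usr/local/bin}"

# Print the SHA-256 of a file, using sha256sum (coreutils) or shasum (macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Return 0 when the file's digest equals the expected one, 1 otherwise.
# Case-insensitive so a digest copied as upper-case hex still matches.
sha256_matches() {
  actual=$(sha256_of "$1" | tr 'A-F' 'a-f')
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  [ "$actual" = "$expected" ]
}

# Download the pinned release archive, verify it and unpack the binary.
# Nothing from the download is executed until the digest has matched.
install_pinned_fossa() {
  tmpdir=$(mktemp -d)
  archive="$tmpdir/fossa.tar.gz"
  curl -fsSL --retry 3 -o "$archive" "$FOSSA_URL"
  if ! sha256_matches "$archive" "$FOSSA_SHA256"; then
    echo "fossa-cli checksum mismatch: refusing to install $FOSSA_URL" >&2
    rm -rf "$tmpdir"
    return 1
  fi
  tar -xzf "$archive" -C "$tmpdir"
  # Assumes the archive contains a top-level 'fossa' binary.
  install -m 0755 "$tmpdir/fossa" "$FOSSA_BIN_DIR/fossa"
  rm -rf "$tmpdir"
}

# Assumed guard: the Concourse task sets RUN_FOSSA_TASK=1 in its params so the
# functions above can be sourced and tested elsewhere without network access.
if [ "${RUN_FOSSA_TASK:-0}" = "1" ]; then
  install_pinned_fossa
  cd nodejs.org-git
  # Each Concourse task starts from a clean container with only its declared
  # inputs, so restore dependencies before analyzing.
  npm install
  fossa analyze   # FOSSA_API_KEY comes from the task's params
  fossa test
fi
```

To use it in the pipeline, commit the script to the repository (or fetch it through its own git resource) and invoke it from the task's run block with RUN_FOSSA_TASK=1 set in params next to FOSSA_API_KEY. Putting FOSSA_VERSION and FOSSA_SHA256 in params as well keeps the pinned digest visible in the reviewed pipeline config instead of being fetched at build time.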

Example pipeline.yml configuration

The full pipeline.yml configuration is included below.

---
resources:
  - name: nodejs.org-git
    type: git
    icon: github-circle
    source:
      uri: https://github.com/nodejs/nodejs.org.git

jobs:
  - name: build_and_test
    public: true
    plan:
      - get: nodejs.org-git
        trigger: true
      - task: run-tests
        config:
          platform: linux
          image_resource:
            type: registry-image
            source: {repository: node, tag: "8"}
          inputs:
            - name: nodejs.org-git
          run:
            path: /bin/sh
            args:
              - -c
              - |
                echo "Node Version: $(node --version)"
                echo "NPM Version: $(npm --version)"
                cd nodejs.org-git
                npm install
                npm test
  - name: fossa_run
    public: true
    plan:
      - get: nodejs.org-git
        passed: [build_and_test]
        trigger: true
      - task: run-fossa
        config:
          platform: linux
          image_resource:
            type: registry-image
            source: {repository: node, tag: "8"}
          inputs:
            - name: nodejs.org-git
          run:
            path: /bin/sh
            args:
              - -c
              - |
                echo "Node Version: $(node --version)"
                echo "NPM Version: $(npm --version)"
                curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install-latest.sh | bash
                cd nodejs.org-git
                # fresh container: restore dependencies before analysis
                npm install
                fossa analyze
                fossa test
          params:
            FOSSA_API_KEY: ((fossa_api_key))


Customizing with .fossa.yml

To customize the behavior of the fossa task, add a .fossa.yml file to the root of your repository.

View the .fossa.yml reference on GitHub.