fossabot
Automated PR comments and status checks that surface license, security, and quality findings in pull requests.
Overview
fossabot is FOSSA's AI agent for keeping your code healthy. It makes strategic dependency updates, reviews changed code for security issues, and guards against problematic AI-generated code. fossabot works where your engineers already work: in pull requests on GitHub and merge requests on GitLab.
Setup
Install fossabot on your GitHub or GitLab repositories so it can review pull requests and propose dependency upgrades.
fossabot for Dependency Upgrades
fossabot proposes strategic dependency updates, groups related upgrades, and fixes the breaking changes they introduce.
fossabot for SAST Security Review
fossabot reviews the code changed in a pull request for security issues, posting a summary comment and inline findings, and can block merges with a pre-merge check.
fossabot for AI Guardrails
fossabot flags AI-generated code that carries problematic license obligations before it merges, and can enforce this as a pre-merge check.
Supported Ecosystems & Tools
Language and ecosystem support for fossabot's dependency review, dependency PR creation, and SAST review, plus how to configure private registries and code mirrors.
System Architecture
The three data sources fossabot relies on, how your first-party code is handled, and the security boundaries between analysis steps.
Tips for Continuous Integration
How fossabot uses your CI results, and how to make sure bot pull requests have the secrets and UI test coverage they need.
What fossabot does
- Dependency upgrades: Proposes and applies dependency updates, including the large, complex ones, and fixes the breaking changes they introduce.
- SAST security review: Reviews the code changed in a pull request for security issues, with a summary comment and inline findings.
- AI guardrails: Flags AI-generated code that carries problematic license obligations before it merges.
How it works
fossabot draws on three things: your application source code, your third-party dependencies, and hosted AI models from Anthropic. See System Architecture for how these fit together and how your code is isolated.
What's in this section
- Setup: Connect fossabot to your GitHub or GitLab repositories.
- fossabot for Dependency Upgrades: Propose upgrades, group related updates, and fix breaking changes.
- fossabot for SAST Security Review: Catch security issues in changed code before merge.
- fossabot for AI Guardrails: Block AI-generated code with license problems.
- Supported Ecosystems & Tools: Language support and private registry configuration.
- System Architecture: Data sources and security boundaries.
- Tips for Continuous Integration: Get more out of fossabot by feeding it your CI results.