fossabot

Automated PR comments and status checks that surface license, security, and quality findings in pull requests.

1 min readUpdated Jul 9, 2026

Overview

fossabot is FOSSA's AI agent for keeping your code healthy. It makes strategic dependency updates, reviews changed code for security issues, and guards against problematic AI-generated code. fossabot works where your engineers already work: in pull requests on GitHub and merge requests on GitLab.

What fossabot does

  • Dependency upgrades: Proposes and applies dependency updates, including the large, complex ones, and fixes the breaking changes they introduce.
  • SAST security review: Reviews the code changed in a pull request for security issues, with a summary comment and inline findings.
  • AI guardrails: Flags AI-generated code that carries problematic license obligations before it merges.

How it works

fossabot draws on three things: your application source code, your third-party dependencies, and hosted AI models from Anthropic. See System Architecture for how these fit together and how your code is isolated.

What's in this section

© 2026 FOSSA, Inc.support@fossa.com