Your First Scan

Create an account, import your first project, read the results, and automate future scans.

3 min readUpdated Jul 9, 2026

Overview

By the end of this guide you'll have a FOSSA account, your first project imported and scanned, and a clear view of its licenses and vulnerabilities, in about five minutes.

1. Create your account

Sign up at the FOSSA signup page. You can register with email or through GitHub, Bitbucket, or GitLab.

Tip

If you'll import via a source host, sign up with that provider (e.g. GitHub). It connects automatically, saving a step later. You can connect or disconnect providers anytime.

2. Import your first project

In FOSSA, go to Projects → Add Project and choose an import method:

  • Quick Import: connect a source host and import repositories in a click. The fastest way to get broad coverage.
  • CLI: run fossa analyze in your build for the most accurate results and no code access for FOSSA.

Not sure which? See CLI vs Quick Import. You can also import containers, binaries, or an SBOM.

Note

Once import finishes, your project appears in the Projects list with a scan in progress.

3. Read your first scan

When the scan completes, open the project. Each FOSSA project is organized into tabs; which tabs you see depends on your plan and whether you're logged into your organization.

TabWhat it shows
SummaryHigh-level counts and status: total dependencies, license count, and issue summary. The starting point for any project.
IssuesLicense violations, compliance alerts, and security vulnerabilities flagged against your policy.
InventoryAll components FOSSA discovered. Has three sub-tabs: Dependencies (direct and transitive packages with licenses), Snippets (Snippet Scanning results), and Vendored (Vendored Dependencies results).
LicensesEvery license detected across your dependency tree, deduplicated and searchable.
ReportsTools to generate attribution notices, SBOMs, and compliance documentation for distribution.
FOSSA project Summary tab showing 64 issues broken down by vulnerabilities and license issues, with dependency and license counts in the sidebar

Enterprise feature

The Snippets and Vendored sub-tabs are gated behind a feature flag and may not be enabled for your organization by default. Reach out to your account team to request access.

Sanity-check your dependency list

Before digging into issues, open the Inventory → Dependencies tab and review what FOSSA found. On a first scan, the total number of dependencies, including transitive ones, is often larger than expected.

Note

If you see many test or documentation packages, FOSSA may be running against a non-production build. Verify that you're analyzing a production artifact, or configure .fossa.yml to exclude the paths you don't want scanned.

Dig into the findings by category: Licenses, Vulnerabilities, and Quality.

4. Automate it

Make FOSSA catch new risk on every build instead of after release:

  • Define a Policy for the licenses and vulnerabilities your organization allows.
  • Add a check to your CI/CD pipeline so builds fail when a policy is violated.

What's next

© 2026 FOSSA, Inc.support@fossa.com