Why CI/CD Integration Delivers the Best Results

Why running FOSSA in your build pipeline produces the most accurate dependency analysis.

2 min readUpdated Jul 9, 2026

Overview

To get the most accurate and complete picture of your software's open source components, FOSSA works best when integrated into your CI/CD pipeline, the stage where your application is built.

During the build process, FOSSA can access and run the same package managers (such as npm, Maven, or pip) that your application uses to pull in dependencies. This lets it build a complete and precise dependency map (including both direct and indirect (transitive) components) based on what is actually resolved in the build.

This approach is called the dynamic strategy: FOSSA dynamically runs package manager commands to discover the exact set of dependencies in use.

By contrast, when FOSSA runs only through a source control (SCM) integration like GitHub, it relies on reading static manifest files in the repository (such as package-lock.json or requirements.txt) and inferring the dependency graph, because it cannot run the build or package manager commands. This static approach still provides valuable insights, but it may miss details, especially when:

  • lock files are missing or outdated
  • custom or nonstandard build steps are involved
  • dependencies are generated dynamically at build time

Dynamic strategies run only in the FOSSA CLI, and they allow FOSSA to:

  • Run package managers (npm, Maven, pip, etc.) directly
  • Detect all dependencies, including indirect (transitive) ones
  • Reflect the exact components that will ship in production

FOSSA supports different analysis strategies for different languages. For details on how the CLI discovers and analyzes dependencies, see the FOSSA CLI documentation and CLI scanning.

Static vs. dynamic strategy: an analogy

Think of it this way:

  • Dynamic strategy (used in the CLI and CI/CD integration) is like looking inside a fully baked cake to see exactly which ingredients were used, based on what the kitchen (your build process) actually mixed and baked. FOSSA runs the package managers and sees exactly which dependencies were pulled in, giving you a precise, real-world picture of what is in your software.
  • Static strategy (used in SCM integrations like GitHub) is like reading a recipe on paper and guessing what went into the cake based only on the listed ingredients, without watching what the kitchen actually did. FOSSA reads files in your repository to infer dependencies, but if those files are missing, outdated, or incomplete, the results can be less reliable.

By plugging FOSSA into your CI/CD pipeline, you let it run the dynamic strategy (for supported languages) and see the full picture, helping you catch all licenses, security issues, and hidden components with confidence.

Benefits of CI/CD integration

  • Most accurate dependency graph
  • Stronger license and security risk insights
  • Less manual effort and fewer surprises downstream

Summary

For the most accurate and comprehensive scan results, we recommend running FOSSA inside your CI/CD pipeline. This gives your team the most complete and actionable results, helping you meet compliance and security goals with confidence.

© 2026 FOSSA, Inc.support@fossa.com