Get started with CLI




We recommend starting by Quick Importing your entire GitHub organization to get rapid coverage over your projects. You can then selectively integrate the CLI on projects where Quick Import's static analysis results are inaccurate or noisy.

The most accurate way to integrate FOSSA is to analyze code locally with FOSSA CLI, our open source build client fossa-cli.

This method requires a working build, but is the most performant, accurate, and secure method of integration.

Pick this method if:

  • You don’t want to give FOSSA servers access to your code (due to IT, policy or logistical reasons)
  • You need accurate and performant build results
  • You already have a configured build environment in a CI or local dev machine
  • You've already tried Quick Import for this project, but need to use more advanced configuration or build analysis to get results at the desired level of accuracy


Recommended for Technical Users

This method requires use of a Command Line Interface and knowledge of your codebase. If you're not a developer yourself, we recommend getting a developer to help you—or you can try our Quick Import method.

Get Started

Click Integrate Locally (CLI) to start importing your project.

Click View Guide to access the installation instructions.

Install the client with this one-line terminal command (Windows, Mac, Linux).

curl -H 'Cache-Control: no-cache' | bash
@"%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command "iex ((New-Object System.Net.WebClient).DownloadString(''))"

You can also download directly from our Releases page. Refer to our documentation on GitHub or Supported Languages for in-depth configuration advice.

This import method takes advantage of existing build environments to integrate with your build tool and perform build and dynamic analysis. Therefore, it can provide better accuracy for complex codebases where Quick Import and its static analysis results are inaccurate or noisy.

What’s Getting Uploaded?

Using FOSSA’s CLI is secure. It does not grant FOSSA any code access and sends only public dependency signatures back to FOSSA. You can output exactly what is getting uploaded by running fossa analyze -o, and you can inspect our code on GitHub to understand the exact behavior.
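One way to check that claim on your own project before enabling uploads in CI is to audit the output of fossa analyze -o. The script below is an added example, not FOSSA's code: it assumes the output is a JSON list of module objects using the field names shown in the sample output on this page, and the length threshold and sample inputs are constructed for illustration.

```python
import json
import sys

# Leaf fields seen in the sample output on this page; anything else is flagged.
# Assumption: the full output is a JSON list of module objects of this shape.
ALLOWED_LEAVES = {
    "Name", "Type", "Manifest",
    "Build.Dependencies.locator",
    "Build.Dependencies.data.name",
    "Build.Dependencies.data.version",
}
MAX_LEN = 200  # hypothetical threshold: dependency metadata values are short

def walk(node, path=""):
    """Yield (key_path, value) for every scalar leaf; list indices are dropped."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for item in node:
            yield from walk(item, path)
    else:
        yield path, node

def audit(raw):
    """Return (key_path, reason) for every leaf that is not plain metadata."""
    findings = []
    for path, value in walk(json.loads(raw)):
        if path not in ALLOWED_LEAVES:
            findings.append((path, "field not in the expected set"))
        elif isinstance(value, str) and ("\n" in value or len(value) > MAX_LEN):
            findings.append((path, "value looks like file content, not metadata"))
    return findings

# Constructed samples: one clean module, one with an extra field and a multi-line value.
SAMPLE_OK = json.dumps([{
    "Name": "example-app", "Type": "golang", "Manifest": "",
    "Build": {"Dependencies": [{
        "locator": "example-locator$0123abcd",
        "data": {"name": "example.invalid/lib", "version": "0123abcd"},
    }]},
}])
SAMPLE_BAD = json.dumps([{
    "Name": "example-app", "Type": "golang", "Manifest": "",
    "Source": "package main\nfunc main() {}",
    "Build": {"Dependencies": [{
        "locator": "x", "data": {"name": "a\nb", "version": "1"},
    }]},
}])

if __name__ == "__main__":
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BAD
    for path, reason in audit(raw):
        print(f"{path}: {reason}")
```

Save the output of fossa analyze -o to a file and pass the file path as the first argument; an empty result means every uploaded value sits in one of the expected metadata fields.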

Example output for a project may be:

    "Name": "fossa-cli",
    "Type": "golang",
    "Manifest": "",
    "Build": {
      "Dependencies": [
          "locator": "$d5c53b8d0552a7bf6b36457cd458d27c80e0210b",
          "data": {
            "name": "",
            "version": "d5c53b8d0552a7bf6b36457cd458d27c80e0210b"