Concourse CI
Add a FOSSA scan job to your Concourse CI pipeline.
Overview
Add FOSSA to your Concourse CI pipeline to upload dependency data and gate builds on policy status with every run.
Prerequisites
A FOSSA API key from Settings → Integrations → API Tokens.

The FOSSA CLI available in your pipeline's build environment. To test it locally before wiring it into your pipeline:
Shellcurl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install-latest.sh | bashfossa --help
Adding FOSSA to your pipeline
The FOSSA job runs after your existing build-and-test job, downloads the CLI, and runs fossa analyze and fossa test against your freshly-built code. The API key is injected via Concourse's params block so it never appears in source control.
- 1
Add the fossa_run job to your pipeline.yml
Add the following job after your existing build job under
jobs:. It chains offbuild_and_test(adjustpassed:to match the name of your own build job):YAML- name: fossa_run public: true plan: - get: nodejs.org-git passed: [build_and_test] trigger: true - task: run-fossa config: platform: linux image_resource: type: registry-image source: {repository: node, tag: "lts"} inputs: - name: nodejs.org-git run: path: /bin/sh args: - -c - | echo "Node Version: $(node --version)" echo "NPM Version: $(npm --version)" curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install-latest.sh | bash cd nodejs.org-git fossa analyze fossa test params: FOSSA_API_KEY: ((fossa_api_key))fossa analyzeuploads dependency data to FOSSA.fossa testpolls FOSSA for the scan result and exits non-zero if any issues violate your policy, failing the build. - 2
Set the pipeline with fly
Apply the updated pipeline configuration:
Shellfly -t <target> set-pipeline -p <pipeline-name> -c pipeline.ymlThen pass in your FOSSA API key as a pipeline variable:
Shellfly -t <target> set-pipeline -c pipeline.yml -p <pipeline-name> -v fossa_api_key=<your-api-key>Every subsequent build will upload a dependency report to FOSSA and block on policy failures.
Full pipeline.yml example
The complete pipeline below builds and tests a Node.js project, then runs FOSSA in a chained job:
---resources: - name: nodejs.org-git type: git icon: github-circle source: uri: https://github.com/nodejs/nodejs.org.git jobs: - name: build_and_test public: true plan: - get: nodejs.org-git trigger: true - task: run-tests config: platform: linux image_resource: type: registry-image source: {repository: node, tag: "lts"} inputs: - name: nodejs.org-git run: path: /bin/sh args: - -c - | echo "Node Version: $(node --version)" echo "NPM Version: $(npm --version)" cd nodejs.org-git npm install npm test - name: fossa_run public: true plan: - get: nodejs.org-git passed: [build_and_test] trigger: true - task: run-fossa config: platform: linux image_resource: type: registry-image source: {repository: node, tag: "lts"} inputs: - name: nodejs.org-git run: path: /bin/sh args: - -c - | echo "Node Version: $(node --version)" echo "NPM Version: $(npm --version)" curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install-latest.sh | bash cd nodejs.org-git fossa analyze fossa test params: FOSSA_API_KEY: ((fossa_api_key))Note
To control which targets FOSSA analyses, add a .fossa.yml file to the root of your repository. See the .fossa.yml reference on GitHub.