Concourse CI

Add a FOSSA scan job to your Concourse CI pipeline.

3 min readUpdated Jul 9, 2026

Overview

Add FOSSA to your Concourse CI pipeline to upload dependency data and gate builds on policy status with every run.

Prerequisites

  • A FOSSA API key from Settings → Integrations → API Tokens.

    FOSSA API token creation screen
  • The FOSSA CLI available in your pipeline's build environment. To test it locally before wiring it into your pipeline:

    Shell
    curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install-latest.sh | bashfossa --help

Adding FOSSA to your pipeline

The FOSSA job runs after your existing build-and-test job, downloads the CLI, and runs fossa analyze and fossa test against your freshly-built code. The API key is injected via Concourse's params block so it never appears in source control.

  1. 1

    Add the fossa_run job to your pipeline.yml

    Add the following job after your existing build job under jobs:. It chains off build_and_test (adjust passed: to match the name of your own build job):

    YAML
    - name: fossa_run  public: true  plan:    - get: nodejs.org-git      passed: [build_and_test]      trigger: true    - task: run-fossa      config:        platform: linux        image_resource:          type: registry-image          source: {repository: node, tag: "lts"}        inputs:          - name: nodejs.org-git        run:          path: /bin/sh          args:            - -c            - |              echo "Node Version: $(node --version)"              echo "NPM Version: $(npm --version)"              curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install-latest.sh | bash              cd nodejs.org-git              fossa analyze              fossa test        params:          FOSSA_API_KEY: ((fossa_api_key))

    fossa analyze uploads dependency data to FOSSA. fossa test polls FOSSA for the scan result and exits non-zero if any issues violate your policy, failing the build.

  2. 2

    Set the pipeline with fly

    Apply the updated pipeline configuration:

    Shell
    fly -t <target> set-pipeline -p <pipeline-name> -c pipeline.yml

    Then pass in your FOSSA API key as a pipeline variable:

    Shell
    fly -t <target> set-pipeline -c pipeline.yml -p <pipeline-name> -v fossa_api_key=<your-api-key>

    Every subsequent build will upload a dependency report to FOSSA and block on policy failures.

Full pipeline.yml example

The complete pipeline below builds and tests a Node.js project, then runs FOSSA in a chained job:

YAML
---resources:  - name: nodejs.org-git    type: git    icon: github-circle    source:      uri: https://github.com/nodejs/nodejs.org.git jobs:  - name: build_and_test    public: true    plan:      - get: nodejs.org-git        trigger: true      - task: run-tests        config:          platform: linux          image_resource:            type: registry-image            source: {repository: node, tag: "lts"}          inputs:            - name: nodejs.org-git          run:            path: /bin/sh            args:              - -c              - |                echo "Node Version: $(node --version)"                echo "NPM Version: $(npm --version)"                cd nodejs.org-git                npm install                npm test   - name: fossa_run    public: true    plan:      - get: nodejs.org-git        passed: [build_and_test]        trigger: true      - task: run-fossa        config:          platform: linux          image_resource:            type: registry-image            source: {repository: node, tag: "lts"}          inputs:            - name: nodejs.org-git          run:            path: /bin/sh            args:              - -c              - |                echo "Node Version: $(node --version)"                echo "NPM Version: $(npm --version)"                curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install-latest.sh | bash                cd nodejs.org-git                fossa analyze                fossa test          params:            FOSSA_API_KEY: ((fossa_api_key))

Note

To control which targets FOSSA analyses, add a .fossa.yml file to the root of your repository. See the .fossa.yml reference on GitHub.

© 2026 FOSSA, Inc.support@fossa.com