Generic CI
Integrate FOSSA into any CI system not covered by a dedicated guide.
Overview
Add FOSSA to any CI pipeline to upload dependency data on every build and optionally gate builds on your FOSSA policy status. The steps below apply to any CI system; adapt the syntax to your platform's configuration format.
Prerequisites
A FOSSA API key from Settings → Integrations → API Tokens.

Store the key as a CI environment variable named
FOSSA_API_KEY. Most CI systems have a secrets or environment variables UI in their project settings; never commit the key to source control.
Running fossa analyze
- 1
Install the FOSSA CLI
Add a step early in your build, before tests run, to download and install the CLI:
Shellcurl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install-latest.sh | sudo bashPlace this after your dependency install commands (e.g.
npm install,bundle install) so the CLI has access to a fully-built environment. - 2
Run fossa analyze
Immediately after your build steps, add:
Shellfossa analyzeThis uploads a dependency snapshot to FOSSA. Run it before tests so FOSSA always sees a complete, freshly-built dependency graph.
Every build will now upload a dependency report to your FOSSA instance.
Note
To control which targets FOSSA analyses, add a .fossa.yml file to the root of your repository. See the .fossa.yml reference on GitHub.
Blocking builds on FOSSA policy status
Add a fossa test step after fossa analyze to fail the build when FOSSA detects policy violations:
fossa testfossa test polls FOSSA until the scan result is ready, then exits non-zero if any issues violate your policy. The default timeout is 600 seconds (10 minutes); override it with:
fossa test --timeout 300See the fossa test reference for details.