Generic CI

Integrate FOSSA into any CI system not covered by a dedicated guide.

2 min readUpdated Jul 9, 2026

Overview

Add FOSSA to any CI pipeline to upload dependency data on every build and optionally gate builds on your FOSSA policy status. The steps below apply to any CI system; adapt the syntax to your platform's configuration format.

Prerequisites

  • A FOSSA API key from Settings → Integrations → API Tokens.

    FOSSA API token creation screen
  • Store the key as a CI environment variable named FOSSA_API_KEY. Most CI systems have a secrets or environment variables UI in their project settings; never commit the key to source control.

Running fossa analyze

  1. 1

    Install the FOSSA CLI

    Add a step early in your build, before tests run, to download and install the CLI:

    Shell
    curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install-latest.sh | sudo bash

    Place this after your dependency install commands (e.g. npm install, bundle install) so the CLI has access to a fully-built environment.

  2. 2

    Run fossa analyze

    Immediately after your build steps, add:

    Shell
    fossa analyze

    This uploads a dependency snapshot to FOSSA. Run it before tests so FOSSA always sees a complete, freshly-built dependency graph.

Every build will now upload a dependency report to your FOSSA instance.

Note

To control which targets FOSSA analyses, add a .fossa.yml file to the root of your repository. See the .fossa.yml reference on GitHub.

Blocking builds on FOSSA policy status

Add a fossa test step after fossa analyze to fail the build when FOSSA detects policy violations:

Shell
fossa test

fossa test polls FOSSA until the scan result is ready, then exits non-zero if any issues violate your policy. The default timeout is 600 seconds (10 minutes); override it with:

Shell
fossa test --timeout 300

See the fossa test reference for details.

© 2026 FOSSA, Inc.support@fossa.com