GitHub Actions
Run fossa analyze and fossa test in a GitHub Actions workflow with the official FOSSA Action.
Overview
The official FOSSA Action runs the FOSSA CLI inside your GitHub Actions workflow. At minimum it needs an API key. It installs the latest CLI, runs fossa analyze on your checked-out code, and can optionally gate the build with fossa test.
When to use this
This is the fastest way to get dynamic analysis from a GitHub project. It sits between the two other GitHub options:
- GitHub App / GitHub OAuth: source-host import. Minimal setup, but FOSSA runs the build itself. Best when you want managed, hands-off scanning and don't need to reproduce a real build.
- GitHub Actions (this page): minimal setup and dynamic analysis. The Action runs in your actual workflow, so FOSSA sees the real, freshly-built dependency graph (a CI/CD scan) without you hand-writing CLI install scripts.
- Generic CI: the manual equivalent if you outgrow the Action or need full control over the CLI invocation.
Note
The Action is intended as a quick, easy entry point. For more customization, or to scan on Windows runners (which the Action does not support), integrate the FOSSA CLI directly in your workflow instead.
Prerequisites
A FOSSA API key from Settings → Integrations → API Tokens.
Note
If you maintain a public repository, use a Push Only token so the key cannot be used to read sensitive data from your FOSSA account.
A Linux or macOS runner. Windows runners are not supported. Container scanning additionally requires a running Docker daemon, which GitHub's macOS runners do not provide.
Quickstart
- 1
Store your API key as a secret
In your repository, go to Settings → Secrets and variables → Actions and add a secret named
FOSSA_API_KEYset to your API key. Never commit the key to source control. - 2
Add the Action to a workflow
Create or edit a workflow file (for example
.github/workflows/fossa.yml). Check out your code, then add the FOSSA Action:YAMLname: FOSSAon: [push, pull_request] jobs: fossa-scan: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - uses: fossas/fossa-action@main # pin to a specific version if locking is preferred with: api-key: ${{ secrets.FOSSA_API_KEY }}This runs
fossa analyzeand uploads a dependency snapshot to FOSSA on every push and pull request. - 3
Gate the build on policy status
Add
run-tests: trueto fail the build when FOSSA finds license or security issues that violate your policy. A scan must complete first, so run analysis before tests:YAML- uses: fossas/fossa-action@main with: api-key: ${{ secrets.FOSSA_API_KEY }} run-tests: true
Note
The Action's version does not track the FOSSA CLI version. By default it always installs the latest CLI release. Pin the CLI with pinned-cli-version if you need a fixed version.
Inputs
| Input | Required | Description |
|---|---|---|
api-key | Yes | Your FOSSA API key. |
run-tests | No | Set to true to run fossa test after analysis. Defaults to false. |
container | No | A container name or OCI image path. Runs fossa container analyze (and fossa container test with run-tests). Requires a Docker daemon. |
test-diff-revision | No | Run fossa test --diff <revision> to check only for issues new relative to a revision. Requires run-tests: true. |
generate-report | No | A report format (e.g. html). Generates an attribution report exposed as the report output. |
branch | No | Override the detected FOSSA project branch. |
project | No | Override the detected FOSSA project name. |
team | No | Assign the project to a team by name. Applies only when the project is first created. |
policy | No | Assign a policy to the project by name. Applies only when the project is first created. |
endpoint | No | FOSSA endpoint. Defaults to app.fossa.com. Set this for on-premises instances. |
working-directory | No | The directory to analyze. Defaults to the workspace root. |
include-unused-deps | No | Set to true to pass --include-unused-deps to fossa analyze. No effect when container is set. |
pinned-cli-version | No | Pin the FOSSA CLI to a specific version instead of the latest release. |
debug | No | Set to true to run all FOSSA commands in debug mode and produce a debug bundle. Defaults to false. |
Output: report. When generate-report is set, contains the report contents in the requested format.
Common patterns
Test only new issues on pull requests
Run fossa test against the PR base so the build fails only on issues the PR introduces, not pre-existing ones:
- uses: fossas/fossa-action@main with: api-key: ${{ secrets.FOSSA_API_KEY }} run-tests: ${{ github.event_name == 'pull_request' }} test-diff-revision: ${{ github.event.pull_request.base.sha }}Container scanning
Scan a built image with fossa container analyze. Replace ubuntu:20.04 with your image:
- uses: fossas/fossa-action@main with: api-key: ${{ secrets.FOSSA_API_KEY }} container: ubuntu:20.04 run-tests: trueGenerate an attribution report
Capture the report from the step output and write it to a file:
- id: fossa uses: fossas/fossa-action@main with: api-key: ${{ secrets.FOSSA_API_KEY }} run-tests: true generate-report: html - run: echo '${{ steps.fossa.outputs.report }}' > report.htmlUpload a debug bundle
Run in debug mode and upload the resulting bundle as a build artifact for troubleshooting:
- uses: fossas/fossa-action@main with: api-key: ${{ secrets.FOSSA_API_KEY }} debug: true - uses: actions/upload-artifact@v4 with: name: fossa.debug.json.gz path: ./fossa.debug.json.gzPoint at an on-premises instance
- uses: fossas/fossa-action@main with: api-key: ${{ secrets.FOSSA_API_KEY }} endpoint: fossa.my-company.comNote
To control which targets FOSSA analyzes, add a .fossa.yml file to the root of your repository. See the .fossa.yml reference on GitHub.