Jenkins

Install the FOSSA CLI on your Jenkins agent and add build steps to run fossa analyze and fossa test.

2 min readUpdated Jul 9, 2026

Overview

Add FOSSA to your Jenkins pipeline to upload dependency data on every build and optionally gate builds on your FOSSA policy status.

Prerequisites

  • A FOSSA API key from Settings → Integrations → API Tokens.

    Note

    If you maintain a public repository, use a Push Only token so the key cannot be used to read sensitive data from your FOSSA account.

  • Store the key as a Jenkins credential. In Jenkins, go to Manage Jenkins → Credentials and add a Secret text credential with the ID FOSSA_API_KEY. Then expose it to your pipeline using the withCredentials or environment block (see the examples below).

Adding FOSSA to your Jenkinsfile

Running fossa analyze

Add a Fossa Analyze stage immediately after your build stage, before tests run, so FOSSA has access to a freshly-built dependency graph:

Groovy
pipeline {    agent any    environment {        FOSSA_API_KEY = credentials('FOSSA_API_KEY')    }    stages {        stage('Checkout') {            steps {                git 'https://github.com/your-org/your-repo.git'            }        }        stage('Build') {            steps {                sh 'npm install'            }        }        stage('Fossa Analyze') {            steps {                sh 'curl -H \'Cache-Control: no-cache\' https://raw.githubusercontent.com/fossas/fossa-cli/master/install-latest.sh | bash'                sh 'fossa analyze'            }        }    }}

The environment block injects the credential as $FOSSA_API_KEY, which the CLI picks up automatically. Every build will upload a dependency report to FOSSA.

Note

To control which targets FOSSA analyses, add a .fossa.yml file to the root of your repository. See the .fossa.yml reference on GitHub.

Blocking builds on FOSSA policy status

Add a Fossa Test stage to fail the build when FOSSA detects policy violations:

Groovy
        stage('Fossa Test') {            steps {                sh 'fossa test'            }        }

fossa test polls FOSSA until the scan result is ready, then exits non-zero if any issues violate your policy, blocking the build. The default timeout is 600 seconds (10 minutes). Override it with:

Groovy
sh 'fossa test --timeout 300'

See the fossa test reference for details.

Full Jenkinsfile example

Groovy
pipeline {    agent any    environment {        FOSSA_API_KEY = credentials('FOSSA_API_KEY')    }    stages {        stage('Checkout') {            steps {                git 'https://github.com/your-org/your-repo.git'            }        }        stage('Build') {            steps {                sh 'npm install'            }        }        stage('Fossa Analyze') {            steps {                sh 'curl -H \'Cache-Control: no-cache\' https://raw.githubusercontent.com/fossas/fossa-cli/master/install-latest.sh | bash'                sh 'fossa analyze'            }        }        stage('Test') {            steps {                sh 'npm test'            }        }        stage('Fossa Test') {            steps {                sh 'fossa test'            }        }    }}
© 2026 FOSSA, Inc.support@fossa.com