Travis CI

Add fossa analyze to your .travis.yml to scan your project on every push.

2 min readUpdated Jul 9, 2026

Overview

Add FOSSA to your Travis CI pipeline to upload dependency data on every build and optionally gate builds on your FOSSA policy status.

Prerequisites

  • A FOSSA API key from Settings → Integrations → API Tokens.

    FOSSA API token creation screen

    Note

    If you maintain a public repository, use a Push Only token. Note that Travis CI's pull request security restrictions may require you to define FOSSA_API_KEY directly in your .travis.yml if you accept PRs from forked repositories.

  • Store the key as a Travis CI environment variable named FOSSA_API_KEY in your repository settings.

    Travis CI repository settings showing environment variables

Adding FOSSA to .travis.yml

  1. 1

    Install the CLI in before_script

    Add a before_script entry to download and install fossa-cli before your build runs:

    YAML
    before_script:  - curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install-latest.sh | sudo bash
  2. 2

    Run fossa analyze in script

    In your script section, add fossa analyze after your build steps so FOSSA has access to a fully-built dependency graph:

    YAML
    script:  - <your build command>  - fossa analyze

    Every build will now upload a dependency report to FOSSA.

Note

To control which targets FOSSA analyses, add a .fossa.yml file to the root of your repository. See the .fossa.yml reference on GitHub.

Blocking builds on FOSSA policy status

Add fossa test to your script section after fossa analyze to fail the build when FOSSA detects policy violations:

YAML
script:  - <your build command>  - fossa analyze  - fossa test

fossa test polls FOSSA until the scan result is ready, then exits non-zero if any issues violate your policy, failing the build. The default timeout is 600 seconds (10 minutes). Override it with:

YAML
  - fossa test --timeout 300

See the fossa test reference for details.

Triggering updates via webhook

In exceptional cases you may need Travis CI to notify FOSSA to pull an update directly. This is not required for most users. Use the fossa analyze step above instead.

Add the following to your .travis.yml:

YAML
notifications:  webhooks: https://app.fossa.com/hooks/travisci

Then in FOSSA, go to Project → Settings → Update Hooks and select Travis CI in the dropdown.

© 2026 FOSSA, Inc.support@fossa.com