If you use FOSSA's automated build infrastructure, FOSSA will resolve dependencies by attempting to build your codebase via npm install --production or yarn install --frozen-lockfile.
If this fails or is disabled by setting false, FOSSA will fall back to statically analyzing and traversing your package manifests (
By default, FOSSA filters out any
If you are using FOSSA's automated builds, FOSSA will prefer the lockfiles you provide.
If you have build scripts that change your build behavior, it is recommended that you use Provided Builds.
If you are uploading build results via fossa-cli, the fossa command will analyze the modules installed in your node_modules directory after your build command has succeeded.
If you already have a CI running, it is recommended that you use CI/CD Scanning to get accurate results.
You can configure authentication to enable FOSSA to fetch dependencies from authenticated registries such as private npm packages, private Artifactory instances, or npm Enterprise instances.
npm Authentication Settings
After hitting "Save", you should be able to "retry" any unreachable npm dependencies in FOSSA and begin to analyze them.
Finding Access Credentials
If you don't know your credentials, you can find them in ~/.npmrc after running npm login.
npm Enterprise and Artifactory-configured npm registries are only supported in FOSSA on-prem.
To configure authentication on-prem, your FOSSA admin must edit FOSSA's config.env file with one of two authentication methods. Check your .npmrc to see which of the two formats below you use.
For newer registries or NPM Enterprise, FOSSA supports tokens for authentication. If you are using this method, you can find a line in your .npmrc formatted as AUTH_TOKEN and add the following config:
Many systems still use legacy authentication, especially if you are using a private registry like Artifactory. Look for username in your
fetchers__npm__auth__email
fetchers__npm__auth__token # _auth parameter in .npmrc
fetchers__npm__auth__username
After configuring, your FOSSA admin must run
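As an added example (not FOSSA's own code or documentation), a small Python script that performs the check the steps above ask for: it parses a constructed .npmrc, reports whether each registry uses the token or the legacy format, verifies that a legacy _auth value is base64(username:password) and agrees with the username entry, and emits the legacy config.env keys listed above. The pairing of fetchers__npm__auth__token with the .npmrc _auth value follows the comment in that block and is an assumption, and the sample registry hosts and credentials are constructed.

```python
import base64
import re
# Constructed sample ~/.npmrc (not from any real system): a legacy _auth/username/email
# block for an Artifactory registry and an _authToken line for a second registry.
SAMPLE_NPMRC = """\
registry=https://artifactory.example.internal/api/npm/npm-virtual/
//artifactory.example.internal/api/npm/npm-virtual/:_auth=am9lOnMzY3IzdA==
//artifactory.example.internal/api/npm/npm-virtual/:username=joe
//artifactory.example.internal/api/npm/npm-virtual/:email=joe@example.invalid
//registry.npmjs.org/:_authToken=npm_EXAMPLETOKEN000
"""
AUTH_KEYS = {"_auth", "_authToken", "username", "email", "password"}
SCOPED = re.compile(r"^(//.+?/):([^=]+)=(.*)$")  # `//host/path/:key=value`

def parse_npmrc(text):
    """Group auth-related keys by registry; bare keys (default registry) go under "*"."""
    scopes = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank lines and comments
            continue
        m = SCOPED.match(line)
        if m:
            registry, key, value = m.groups()
        else:
            registry, (key, _, value) = "*", line.partition("=")
        if key in AUTH_KEYS:  # other settings such as registry= are ignored
            scopes.setdefault(registry, {})[key] = value.strip()
    return scopes

def classify(entries):
    """'token' for the _authToken format, 'legacy' for _auth/username, else None."""
    if "_authToken" in entries:
        return "token"
    return "legacy" if "_auth" in entries or "username" in entries else None

def legacy_auth_consistent(entries):
    """Legacy `_auth` is base64(username:password); check it matches `username`."""
    try:
        decoded = base64.b64decode(entries.get("_auth", ""), validate=True).decode()
    except ValueError:
        return False
    user, sep, _ = decoded.partition(":")
    return sep == ":" and user == entries.get("username", user)

def config_env_lines(entries):
    """Legacy-method config.env lines; the page's comment pairs the token key with `_auth` (assumed)."""
    return [f"fetchers__npm__auth__email={entries.get('email', '')}",
            f"fetchers__npm__auth__token={entries.get('_auth', '')}",
            f"fetchers__npm__auth__username={entries.get('username', '')}"]
```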
If you are using a private registry like Artifactory for your npm code, your FOSSA admin can specify a private registry URL:
Often private registries require authentication, which is covered above under Private Packages.
See here for FOSSA's NPM Enterprise integration.