The FOSSA Developer Hub

Welcome to the FOSSA developer hub. You'll find comprehensive guides and documentation to help you start working with FOSSA as quickly as possible, as well as support if you get stuck. Let's jump right in!

Get Started    

Getting Started

The Jenkins integration requires fossa-cli our open source dependency analysis client, to be installed on your CI machine. The client supports all 3 major operating systems (Unix, Darwin/OSX and Windows).

To test the CLI, you can install it in your local environment using the command below or download it directly from our Github Releases page.

curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install.sh | bash
# view `fossa` help text
fossa --help

Configure your Jenkins Environment

First, grab a FOSSA API Key from your FOSSA account under your Integration Settings.

NOTE: If you are the maintainer of a public repository you should consider making your API key a Push Only Token.

Then, add it to your Jenkins environment variables as FOSSA_API_KEY:

Add FOSSA steps to your Jenkins Pipeline

Add FOSSA Analyze step. This typically follows the “Build Code” step as all dependencies should be present for FOSSA Analyze.

Pipeline Example:

node {   def registry = 'registry.hub.docker.com/xxxxxx/test'
   def registryCredential = 'dockerhub'
    
    stage('Git') {
        git 'https://github.com/xxxxx/jenkins_neuvector.git'
    }
    stage('Build Code') {
        
        sh 'npm install'
    }
    stage('Fossa Analyze') {
        sh 'curl -H \'Cache-Control: no-cache\' https://raw.githubusercontent.com/fossas/fossa-cli/master/install.sh | bash'
        sh 'fossa init'
        sh 'FOSSA_API_KEY=XXXXXXXXXXXXXXXXXXXX fossa analyze'
    }
    stage('Building image') {
       docker.withRegistry( 'https://' + registry, registryCredential ) {
            def buildName = registry + ":$BUILD_NUMBER"
            newApp = docker.build buildName
            newApp.push()
       }
    }
    stage('Registering image') {
       docker.withRegistry( 'https://' + registry, registryCredential ) {
           newApp.push 'latest2'
       }
    }
   stage('Removing Local image') {
       sh "docker rmi $registry:$BUILD_NUMBER"   }}
   }
}

Now with every CI build, you will be uploading dependency data for analysis back to FOSSA.
Blocking CI Builds w/ FOSSA Issue Status
You can also create a step in Jenkins that will allow you to pass/fail a build based off your scan status in FOSSA.
To accomplish this, simply add a call to fossa test into your test section.

stage(FOSSA Test') {
       sh 'FOSSA_API_KEY=XXXXXXXXXXXXXXXXXXXX fossa test –debug 2>$ARTIFACTS/fossa-test-stderr'   }

The fossa test command will poll app.fossa.io or your local FOSSA appliance for updates on your scan status until it gets a response. Then, it will report a relevant exit status to the CI step (to block a failing build) and render rich details about issues directly inline your Jenkins test results.
You can customize a timeout on this step using the fossa test --timeout {seconds} flag documented here.
The default timeout is set to 600 seconds (10 minutes), but will only be hit in exceptional cases -- most scans should return well under the timeout window.

Updated 10 months ago

Jenkins


Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.