Quality Policies

Create and configure quality policies that control which dependency-health and supply-chain-risk issues FOSSA flags across your projects.

4 min readUpdated Jul 9, 2026

Enterprise feature

Available on: Business, Enterprise.

Check with your FOSSA account team to confirm what's enabled for your organization.

Overview

A quality policy defines which dependency-health and supply-chain-risk problems FOSSA raises as issues. Use one to keep dependencies up to date, block specific packages, and turn on FOSSA's risk-intelligence signals. Once configured, a policy can be set as the organization default or applied to individual projects.

How quality policies work

When FOSSA scans a project, the quality scanner evaluates each dependency against the active quality policy. A policy holds these rule types:

Rule typeWhat it does
Stale Package PreventionFlags dependencies that are further behind the latest release than you allow, by semantic-version distance (configurable per major, minor, and patch), by ordered versions, or both.
Blocked PackagesFlags dependencies your organization has deny-listed. Blocked packages also fail fossa test in CI/CD.
AbandonwareA risk-intelligence signal that flags packages with no new publish for two years. Available for npm, PyPI, and Maven.
Empty PackageA risk-intelligence signal that flags packages shipping no runnable code. Available for npm, PyPI, and Maven.
Native CodeA risk-intelligence signal that flags packages embedding compiled binaries. Available for npm and PyPI.

See Understanding Quality Issues for a detailed breakdown of each signal.

Creating a quality policy

  1. 1

    Open the Policies page

    Navigate to Policies in the top navigation, then select the Quality tab.

    Quality tab of the Policies page
  2. 2

    Create the policy

    Click Create Policy, confirm Type is set to Quality, enter a Title and optional Description, then submit.

    Create Quality Policy dialog

The policy is created with no rules configured. Proceed to Configuring policy rules to define thresholds.

Configuring policy rules

  1. 1

    Enable Stale Package Prevention

    Open the policy and enable rules to flag packages by semantic version, ordered versions, or both. A package matching either rule is flagged as an issue.

    Stale Package Prevention configuration
  2. 2

    Enable risk-intelligence rules

    Turn on the Abandonware, Empty Package, and Native Code signals you want FOSSA to flag for projects using this policy.

    Risk Intelligence rules with Abandonware, Empty Package, and Native Code toggles
  3. 3

    Save

    Save the policy to apply your changes. The rules take effect on the next completed scan.

Blocking a package

Blocked packages are managed from the Packages inventory rather than the policy editor, and are attached to a quality policy.

  1. 1

    Find the package

    Go to the Packages inventory and search or filter to the package you want to block.

  2. 2

    Block it

    Use Block package to block all versions, or select specific versions to block.

    Block package dialog
  3. 3

    Attach to a quality policy

    Select the quality policy the blocked-package rule should apply to, then confirm. Projects using that policy will flag the blocked package, and fail fossa test if it is present.

Setting the organization default

The organization default policy applies to all projects that have not been assigned a specific quality policy.

  1. 1

    Open Settings

    Click your username in the top-right corner and select Settings.

    User settings dropdown
  2. 2

    Navigate to Issue Policies

    Go to Organization > Projects > Issue Policies.

  3. 3

    Assign the default policy

    Under Quality, select your policy from the Default quality policy dropdown, then click Save. To push the new default to existing projects, use Propagate settings….

    Quality section of Default Issue Policies Settings with the Default quality policy dropdown

Applying a policy to a project

  1. 1

    Open project settings

    Go to your project list, select the project, then navigate to Settings > Issue Policies.

  2. 2

    Assign the policy

    Under Quality, select a policy from the Default quality policy dropdown, then click Save.

  3. 3

    Run a new scan

    Trigger a new scan. The updated policy applies to issues generated by the next completed scan.

© 2026 FOSSA, Inc.support@fossa.com