Project Setup

Get your code into FOSSA — import projects from source hosts, the CLI, or CI, then configure how they're scanned and organized.

3 min readUpdated Jul 9, 2026

Overview

Before FOSSA can flag a license obligation or a vulnerability, it needs to know what's actually in your software. Project setup is how you get that dependency data in.

FOSSA meets your code where it lives, but the methods aren't equal. Running the CLI in your build sees the same dependency graph your package manager resolves (including transitive and build-time dependencies) so it's the most accurate and complete picture FOSSA can get. Wiring that into CI/CD keeps every project current automatically and gates risky changes before they merge. That's the path we recommend for any project you care about.

Tip

Run fossa analyze as a step in your CI/CD pipeline. You get the most accurate results, automatic re-scans on every build, and PR checks that catch new risk before it merges, without granting FOSSA access to your source.

All guides

CLI

Analyze your code locally with the FOSSA CLI and upload the results, the most accurate and secure way to integrate.

Read more

CI/CD Scanning

Provide dependency data from your existing CI/CD environment for faster, more accurate FOSSA scans.

Read more

Pull Request Checks

Block PRs that introduce new license compliance or security violations using FOSSA GitHub status checks.

Read more

Badge Pull Requests

Automatically add a FOSSA license-scan status badge to your GitHub README when you import a project.

Read more

Containers

Scan Docker and OCI container images for open source license and vulnerability issues.

Read more

Snippets

Enterprise

Find open source code copied into your codebase without being declared as a dependency.

Read more

Quick Import

Connect GitHub, GitLab, Bitbucket, or Azure Repos and scan hundreds of repositories in one click.

Read more

Broker

Import internal and firewalled projects into FOSSA with Broker, without sharing source-code access.

Read more

Binaries

Enterprise

Decompose pre-compiled binaries and archives to identify open source components without source-code access.

Read more

SBOM Import

Import a CycloneDX or SPDX SBOM to run license and security compliance checks against its listed components.

Read more

Dependencies

Inspect every dependency FOSSA detected, metadata, license status, filter options, custom licenses, and notice files.

Read more

Package Inventory

Enterprise

Search, filter, and manage every package detected across all of your organization's projects from one place.

Read more

Project Settings

Configure the title, branches, ignored dependencies, labels, VCS host, and visibility for an individual FOSSA project.

Read more

Ignore a Dependency

Exclude a specific package from your project's issue tracking and reporting.

Read more

Project Labels

Create and apply labels to organize projects and filter the dashboard by business context.

Read more

Automatic Updates

Keep FOSSA projects continuously scanned, re-analyze on every new revision and surface new license and security issues automatically.

Read more

Archive Upload

Enterprise

How to upload an archive directly to FOSSA and how it's analyzed, for code that isn't pulled from a package registry.

Read more

Scan Frequency

Schedule recurring scans so FOSSA picks up newly disclosed vulnerabilities and license changes even when your code hasn't changed.

Read more

Notifications

Configure who gets notified and through which channels when FOSSA detects new issues in your projects.

Read more

Issue Scanners

Configure which issue scanners are enabled for your projects and how they gate CI/CD builds.

Read more

Privacy Settings

Control whether a FOSSA project is publicly accessible to anyone with the link or restricted to authenticated members.

Read more

Build History and Rebuilding

View past scans for a project and trigger a rebuild or policy scan from the UI.

Read more

Mediated Dependencies

How FOSSA handles transitive dependencies whose version is resolved by the package manager when multiple constraints conflict.

Read more

Choose your import method

If you want to…UseHow it works
Get the most accurate results, or avoid giving FOSSA code accessCLIAnalyze locally or in CI; upload only dependency signatures
Keep every project current and gate risky changesCI/CD scanningRun the CLI in your pipeline with PR checks
Analyze container imagesContainersfossa container analyze on Docker or OCI images
Find open source copied into your own codeSnippetsCLI fingerprinting that surfaces undeclared open source
Analyze a binary without its sourceBinariesUpload a compiled artifact for decomposition · Enterprise
Analyze components from an existing SBOMSBOMsUpload a CycloneDX or SPDX document · Enterprise
Get broad, low-effort coverage to startQuick ImportConnect your VCS; FOSSA pulls and analyzes the code

Scan with the FOSSA CLI

The FOSSA CLI analyzes your build and uploads only dependency signatures, the most accurate and secure path, and the right choice whenever you can grant FOSSA a place in your build.

  • CLI: run fossa analyze against your build for full dependency analysis.
  • CI/CD scanning: run that analysis automatically on every build, with PR checks that gate merges.
  • Containers: scan Docker and OCI container images for license and vulnerability issues.
  • Snippets: detect open source code copied into your first-party source, and the obligations it carries.

Quick Import, broad coverage, fast

When you need coverage across many repositories with minimal setup, Quick Import connects GitHub, GitLab, Bitbucket, or Azure Repos and analyzes your repositories directly, wiring up webhooks and scheduled re-scans. It's the fastest way to get started and FOSSA never writes to your code, but because it analyzes source without running your build, its results are less complete than a CLI scan. Treat it as a quick start or a fallback for projects you can't put in CI, and move your important projects to the CLI when you can.

Behind a firewall? Broker imports repositories from Bitbucket Server, on-prem GitLab, or GitHub Enterprise without sharing source-code access.

Upload an artifact

When you have a built artifact but not its source, hand it to FOSSA directly:

  • Binaries: decompose pre-compiled binaries and archives to identify the open source inside. (Enterprise)
  • SBOMs: bring in an existing CycloneDX or SPDX SBOM and run compliance checks against its components. (Enterprise)

Configure and organize

Once a project is imported, you control how it's scanned: the build and analysis method, which targets are included, scan scheduling, and project-level settings. Use Release Groups to bundle related projects and revisions for shared reporting and policy enforcement.

From here, your data flows into Licenses, Vulnerabilities, Quality, and SBOM.

© 2026 FOSSA, Inc.support@fossa.com