Project Setup
Get your code into FOSSA — import projects from source hosts, the CLI, or CI, then configure how they're scanned and organized.
Overview
Before FOSSA can flag a license obligation or a vulnerability, it needs to know what's actually in your software. Project setup is how you get that dependency data in.
FOSSA meets your code where it lives, but the methods aren't equal. Running the CLI in your build sees the same dependency graph your package manager resolves (including transitive and build-time dependencies) so it's the most accurate and complete picture FOSSA can get. Wiring that into CI/CD keeps every project current automatically and gates risky changes before they merge. That's the path we recommend for any project you care about.
Tip
Run fossa analyze as a step in your CI/CD pipeline. You get the most accurate results, automatic re-scans on every build, and PR checks that catch new risk before it merges, without granting FOSSA access to your source.
CLI
Analyze your code locally with the FOSSA CLI and upload the results, the most accurate and secure way to integrate.
CI/CD Scanning
Provide dependency data from your existing CI/CD environment for faster, more accurate FOSSA scans.
Pull Request Checks
Block PRs that introduce new license compliance or security violations using FOSSA GitHub status checks.
Badge Pull Requests
Automatically add a FOSSA license-scan status badge to your GitHub README when you import a project.
Containers
Scan Docker and OCI container images for open source license and vulnerability issues.
Snippets
EnterpriseFind open source code copied into your codebase without being declared as a dependency.
Quick Import
Connect GitHub, GitLab, Bitbucket, or Azure Repos and scan hundreds of repositories in one click.
Broker
Import internal and firewalled projects into FOSSA with Broker, without sharing source-code access.
Binaries
EnterpriseDecompose pre-compiled binaries and archives to identify open source components without source-code access.
SBOM Import
Import a CycloneDX or SPDX SBOM to run license and security compliance checks against its listed components.
Dependencies
Inspect every dependency FOSSA detected, metadata, license status, filter options, custom licenses, and notice files.
Package Inventory
EnterpriseSearch, filter, and manage every package detected across all of your organization's projects from one place.
Project Settings
Configure the title, branches, ignored dependencies, labels, VCS host, and visibility for an individual FOSSA project.
Ignore a Dependency
Exclude a specific package from your project's issue tracking and reporting.
Project Labels
Create and apply labels to organize projects and filter the dashboard by business context.
Automatic Updates
Keep FOSSA projects continuously scanned, re-analyze on every new revision and surface new license and security issues automatically.
Archive Upload
EnterpriseHow to upload an archive directly to FOSSA and how it's analyzed, for code that isn't pulled from a package registry.
Scan Frequency
Schedule recurring scans so FOSSA picks up newly disclosed vulnerabilities and license changes even when your code hasn't changed.
Notifications
Configure who gets notified and through which channels when FOSSA detects new issues in your projects.
Issue Scanners
Configure which issue scanners are enabled for your projects and how they gate CI/CD builds.
Privacy Settings
Control whether a FOSSA project is publicly accessible to anyone with the link or restricted to authenticated members.
Build History and Rebuilding
View past scans for a project and trigger a rebuild or policy scan from the UI.
Mediated Dependencies
How FOSSA handles transitive dependencies whose version is resolved by the package manager when multiple constraints conflict.
Choose your import method
| If you want to… | Use | How it works |
|---|---|---|
| Get the most accurate results, or avoid giving FOSSA code access | CLI | Analyze locally or in CI; upload only dependency signatures |
| Keep every project current and gate risky changes | CI/CD scanning | Run the CLI in your pipeline with PR checks |
| Analyze container images | Containers | fossa container analyze on Docker or OCI images |
| Find open source copied into your own code | Snippets | CLI fingerprinting that surfaces undeclared open source |
| Analyze a binary without its source | Binaries | Upload a compiled artifact for decomposition · Enterprise |
| Analyze components from an existing SBOM | SBOMs | Upload a CycloneDX or SPDX document · Enterprise |
| Get broad, low-effort coverage to start | Quick Import | Connect your VCS; FOSSA pulls and analyzes the code |
Scan with the FOSSA CLI
The FOSSA CLI analyzes your build and uploads only dependency signatures, the most accurate and secure path, and the right choice whenever you can grant FOSSA a place in your build.
- CLI: run
fossa analyzeagainst your build for full dependency analysis. - CI/CD scanning: run that analysis automatically on every build, with PR checks that gate merges.
- Containers: scan Docker and OCI container images for license and vulnerability issues.
- Snippets: detect open source code copied into your first-party source, and the obligations it carries.
Quick Import, broad coverage, fast
When you need coverage across many repositories with minimal setup, Quick Import connects GitHub, GitLab, Bitbucket, or Azure Repos and analyzes your repositories directly, wiring up webhooks and scheduled re-scans. It's the fastest way to get started and FOSSA never writes to your code, but because it analyzes source without running your build, its results are less complete than a CLI scan. Treat it as a quick start or a fallback for projects you can't put in CI, and move your important projects to the CLI when you can.
Behind a firewall? Broker imports repositories from Bitbucket Server, on-prem GitLab, or GitHub Enterprise without sharing source-code access.
Upload an artifact
When you have a built artifact but not its source, hand it to FOSSA directly:
- Binaries: decompose pre-compiled binaries and archives to identify the open source inside. (Enterprise)
- SBOMs: bring in an existing CycloneDX or SPDX SBOM and run compliance checks against its components. (Enterprise)
Configure and organize
Once a project is imported, you control how it's scanned: the build and analysis method, which targets are included, scan scheduling, and project-level settings. Use Release Groups to bundle related projects and revisions for shared reporting and policy enforcement.
From here, your data flows into Licenses, Vulnerabilities, Quality, and SBOM.