Scala

Analyze Scala projects with FOSSA via sbt, through Quick Import or the FOSSA CLI, including private Maven registries.

3 min readUpdated Jul 9, 2026

Overview

FOSSA supports Scala projects built with sbt (the Scala Build Tool). You can analyze a project two ways: Quick Import in the web app, or the FOSSA CLI for complex builds.

Tool support

ToolQuick Import (app.fossa.com)CLI (fossa-cli)
sbt (Scala Build Tool)build.sbtbuild.sbt

How Quick Import works

After importing Scala code, FOSSA attempts to get results out of the box by incrementally running your build and statically resolving the dependency signatures it produces. This method supports a wide variety of build states, but more complicated builds often require configuration or inlined settings.

Note

Because sbt builds are generally complicated, it is both impossible to generically build codebases and to get accurate results from pure static analysis of build.sbt files. For larger builds that require significant configuration, we recommend CI/CD Scanning with the FOSSA CLI for fast and accurate results.

Analyzing with the CLI

For complex Scala builds, use the FOSSA CLI to upload results from an existing sbt build in CI or on your local development machine.

Install the latest release of fossa-cli:

Shell
curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install-latest.sh | bash

Then run fossa analyze from your repository's root directory. While the gradle and maven strategies offer some Scala coverage, Scala projects overwhelmingly use sbt. See the sbt strategy reference for project discovery, the supported tactics, and configuration details.

Analysis strategies

StrategyDirect DepsTransitive DepsEdgesContainer Scanning
sbt

Authenticating to private registries

Scala packages are resolved from the same Maven repositories as the rest of the Java ecosystem, so FOSSA can fetch and resolve sbt dependencies from private registries like Artifactory, Nexus, or any custom public Maven registry.

  1. 1

    Open Java language settings

    Go to Account Settings → Languages → Java (https://app.fossa.com/account/settings/languages/java).

  2. 2

    Add your registry

    To add a new public registry, add an entry under Repositories, and FOSSA will begin checking it (in order) for packages your projects bring in. To add an authenticated registry, add matching entries to Repositories and Servers with a corresponding Id, and include your credentials under the Servers entry.

Tip

If you know which registries you want FOSSA to prefer, re-order them in your Java Language Settings. FOSSA checks registries in order, so placing the ones you know will succeed first lets it resolve dependencies without cycling through the rest.

Package data

FOSSA parses data from all package metadata and scans all code provided in an artifact or its associated code archives. If references to license webpages are found, FOSSA crawls the web to find licensing information. When no source code is included in an artifact, FOSSA attempts to resolve it to a known codebase the artifact was built from and performs a full code audit.

In the Java ecosystem it is common for license data to be stripped when artifacts are published. In these cases, license data can be regenerated from the FOSSA registry by enriching build artifacts with data from associated VCSs, parent artifacts, and more.

Warning

FOSSA scans sbt dependencies that are published in the Maven-compatible file layout (the default). Artifacts published in the Ivy file layout are not yet supported.

© 2026 FOSSA, Inc.support@fossa.com