Quality Scanning

How FOSSA's quality scanner evaluates your dependencies and raises quality issues.

1 min readUpdated Jul 9, 2026

Enterprise feature

Available on: Free (Outdated Packages Only), Business, Enterprise.

Overview

Every time FOSSA analyzes a project, the quality scanner evaluates each direct and transitive dependency against your quality policy and FOSSA's risk-intelligence signals, then raises a quality issue for anything that fails.

What the quality scanner checks

CheckSource
Outdated versionsStale Package Prevention rules in your quality policy (semantic-version distance)
Blocked packagesPackages your organization has deny-listed
Risk-intelligence signalsAbandonware, empty packages, and native code detected in the package itself

See Understanding Quality Issues for a breakdown of each.

Enabling the quality scanner

The quality scanner is configured like the licensing and security scanners. Organization-level defaults live at Organization Settings > Projects > Issues and apply to all new projects; settings can be overridden per project at Project Settings > Issue Policies.

For each scanner you control whether issue detection is on, which policy applies, and whether issues fail CI/CD checks. See Issue Scanners for the full set of controls.

Gating CI/CD

When Fail CI/CD checks is enabled for the quality scanner, FOSSA fails the project's status check if quality issues matching the CI/CD filter are found. Blocked packages additionally fail fossa test, keeping deny-listed dependencies out of production builds.

What's next

© 2026 FOSSA, Inc.support@fossa.com