Quick Start (Repository Scanning)

From Github.com, Gitlab.com, or Bitbucket.com

🚧

Recommended for Non-Technical Users Only

This path is recommended for non-technical users or people simply testing the tool.

If you are a developer and are willing to do upfront configuration, we recommend taking a look at our Local Plugin, which is more accurate, secure, and performant for continual analysis.

FOSSA can import code from cloud-based Version Control System (VCS) providers like GitHub.com. By choosing this import method, FOSSA will look at your code to "guess" the dependencies brought in. While less accurate, this method will get to results with minimal configuration and automatically set up deep integrations like webhooks, scheduled updates, and publish code/review pull request statuses.

Pick this method if:

  • You want a quick & dirty start to test integrations
  • You want to bulk-audit hundreds of repositories
  • You have numerous but relatively simple or small codebases
  • You are not a programmer and cannot access development or CI environments

Connecting to GitHub.com, Bitbucket.com, or GitLab.com

To import from one of our supported cloud VCS providers, connect your service account (i.e. your GitHub, Bitbucket, or GitLab account) to your FOSSA account from the Project Imports Page. If you signed in to FOSSA using a cloud VCS provider account, it will already be connected.

🚧

GitHub Permissions

You might notice that our GitHub integration asks for write permissions on private repositories. This is due to a limitation with GitHub, which does not provide a read-only permission scope for private repositories (see dear-github/dear-github#113). FOSSA will never write to your repositories for any reason.

If you cannot give code access, Local Integration method will be a better fit, as it doesn't require any code access from FOSSA.

After connecting your VCS provider account, you should now be able to see your repositories. To import, simply select them and click the "Import" button on the top right:

Searching & Selecting Repositories

FOSSA will automatically import teams / folders from your VCS provider. If you can’t find your repository, try clicking on the team selector and switching groups.

You can also use the search bar to find projects across teams:

If you still can’t find your repository, then it could be that you have not granted FOSSA access to your team or sub-group in your VCS provider. Refer to your VCS provider’s documentation:

Customizing the Default Branch

FOSSA will automatically pick a default branch (usually "master") to regularly scan for dependencies. You can configure this using the branch selector:

Bulk Import

👍

Premium Feature

This feature is available in any upgraded subscription of FOSSA. Contact [email protected] for more details.

You can also bulk-import the entire contents of a team, organization, or the authenticated user (most likely you) using our "Import All" feature.

Getting a Badge Pull Request (Github.com only)

If you enable the option "Submit badge PRs after import (public Github READMEs only)" then FOSSA will automatically send you a Pull Request to track your license scan status in your README, as soon as FOSSA imports the project. See an example on Webpack’s README:

As well as adding a badge in the top of the README beneath the title (where badges on GitHub READMEs are normally placed), we’ll also attach a badge at the bottom of the README which gives more information about the details of FOSSA’s analysis. You don't need to update this badge when your project adds dependencies, and you won't get a new pull request with an updated badge; FOSSA will automatically update it when users load the README, and it will stay up-to-date with your default branch.

This import method automatically enrolls your project in Repository Scanning. Click the link to learn more. You can transition to CI/CD Scanning at any time when you need more fine-grained control over FOSSA's dependency results.