Using FOSSA Compliance

The first time you run a report, FOSSA analyzes every dependency. FOSSA scans every line of code in each direct and deep dependency to generate compliance and security issues.

Once scanned, you'll see 4 major sections of the Project:

  1. Issues - License violations, compliance alerts, and vulnerabilities found in the project
  2. Dependencies - A full list of components & licenses discovered during the analysis
  3. Licenses - All licenses discovered in your code
  4. Reports - Tools to generate attribution reports, SBOMs, and compliance documentation

Before you proceed, it's a good idea to sanity-check your dependency list. Navigate to the Dependencies tab to review what FOSSA found.

On your first scan, it may surprise you how many 3rd-party components you're actually using even if your application is relatively small. There should only be dependencies that are included in your production build. If you're seeing many test or documentation dependencies, you may need to ensure FOSSA is running against a production build or your .fossa.yml is configured.

What’s Next

Follow these 3 steps to get value from your first report: