Using fossabot
fossabot is an AI Agent for making strategic dependency updates and is capable of large complexity upgrades – the ones that require a senior engineer because they’re always an unexpected multi-hour research and coding task.
Connecting fossabot to GitHub
Navigating to https://bot.fossa.com will prompt you to install the GitHub application, if it's not already installed in your organization.
Engineers can view fossabot upgrade analysis and proposed Pull Requests directly in GitHub.
On a per-repository basis, you can configure whether analysis should be triggered automatically or wait for an engineer to request it. Manual analysis can be triggered by commenting `@fossabot analyze` on the Pull Request or by using the UI to trigger analysis.
Connecting fossabot to GitLab
Navigating to https://bot.fossa.com will prompt you to use OAuth or an access token to connect to GitLab.
Engineers can view fossabot upgrade analysis and proposed Merge Requests directly in GitLab.
On a per-repository basis, you can configure whether analysis should be triggered automatically or wait for an engineer to request it. Manual analysis can be triggered by commenting `/fossabot analyze` on the Merge Request or by using the UI to trigger analysis.
GitLab Access Token requirements
If using the legacy token scopes, fossabot requires: `api`, `read_repository`, `write_repository`
If you have access to more granular scopes, expand the following categories and grant the listed permissions.
Fine-grained Access Token Requirements
| Category | Scope | Permission Level |
|---|---|---|
| CI/CD | Job | Read, Run Job |
| CI/CD | Pipeline | Read |
| Repository | Branch | Read, Create, Delete |
| Repository | Code | Read |
| Repository | Commit | Read, Create |
| Repository | Merge Request | Read, Create, Update |
| Repository | Repository | Read |
| Repository | Repository Tag | Read |
| Repository | Tag | Read |
| Group | Group | Read |
| Project | Project | Read |
Using fossabot with Dependabot, Renovate or Snyk
fossabot works with existing dependency update tools you might already have: Dependabot, Renovate and Snyk. When Pull Requests from these tools are detected, fossabot can automatically analyze the proposed upgrade for breaking changes and determine if your application is impacted by the changes.

fossabot analysis of a GitHub pull request
Using fossabot to Propose Upgrades
fossabot can propose its own intelligent updates, which allows you to easily catch up on your dependency upgrade backlog. By default, these Pull Requests will group together a set of dependencies that should be upgraded together, without any configuration required.

fossabot pull request with intelligent grouping
Using fossabot to Fix Breaking Changes
When fossabot discovers issues in your code caused by breaking changes, you can ask it to attempt a fix with `@fossabot fix` (or `/fossabot fix` on GitLab). Context discovered during the analysis is used to fix as many issues as possible, including using Continuous Integration failures as a guide.
A prompt designed for AI coding tools is also generated, in case you want to fix the issue locally yourself.

fossabot committed a fix to the Pull Request