Update a project's settings and configuration.

put

https://app.fossa.com/api/projects/{locator}

Update a project's settings and configuration. This endpoint allows updating a wide variety of project properties including metadata, policy assignments, scanning settings, integration configurations, and more.

Permission Requirements

Most fields require Edit permission on the project. The following fields require special permissions:

public: Requires MakePublic permission
policyId, securityPolicyId, qualityPolicyId, sbomPolicyId, sbomAnalysisEnabled: Require SetPolicy permission for the respective policy type

Special Behaviors

Branch Management

tracking_branches and hidden_branches are mutually exclusive. Adding a branch to one will automatically remove it from the other.
Only branches can be added to these arrays; tags are filtered out automatically.

Policy Changes

When policies or scanning settings change, the project will be automatically rescanned if the last analyzed revision is in a steady state.

Feature Flags

securityIssueScanningEnabled and qualityIssueScanningEnabled can only be modified if the organization has the respective features enabled.

Issue Tracker Fields

When updating issueTrackerCustomFields, boolean values in the isRequired field may be stringified and will be automatically converted.
Custom field configurations are validated against Jira field requirements.

Notifications

Empty notification objects are automatically filtered out.
Notification changes are processed asynchronously.

Path Params

locator

string

required

The URL-encoded locator of the project (e.g., "git+github.com/owner/repo")

Body Params

Project fields to update. All fields are optional. Only the fields provided will be updated; omitted fields remain unchanged. Note: The endpoint filters out any fields not in the allowed list automatically.

title

string

length ≥ 1

Display name of the project

description

string | null

Detailed description of the project

url

string | null

Project homepage URL

notes

string | null

Internal notes about the project

public

boolean | null

Whether the project is publicly accessible. Requires MakePublic permission. Public projects can be viewed by anyone with the link.

scm_url

string | null

Source control management URL for the project repository

manual_scm_url

boolean

Whether the SCM URL was manually provided by the user

vcs_host

string | null

enum

VCS hosting provider

Allowed:

default_branch

string

The default branch to analyze for this project

tracking_branches

array of strings | null

Branches to actively track and analyze. Tags are automatically filtered out. Branches in this list are automatically removed from hidden_branches.

tracking_branches

hidden_branches

array of strings | null

Branches to hide from the UI. Tags are automatically filtered out. Branches in this list are automatically removed from tracking_branches.

hidden_branches

policyId

integer | null

ID of the licensing policy to apply to this project. Requires SetPolicy permission for LICENSING policy type.

securityPolicyId

integer | null

ID of the security policy to apply to this project. Requires SetPolicy permission for SECURITY policy type.

qualityPolicyId

integer | null

ID of the quality policy to apply to this project. Requires SetPolicy permission for QUALITY policy type.

sbomPolicyId

integer | null

ID of the SBOM policy to apply to this project. Requires SetPolicy permission for SBOM policy type.

policies_approve_multilicense

boolean

Whether to automatically approve dependencies with multiple licenses if any license is approved

licensingIssueScanningEnabled

boolean

Enable or disable licensing issue scanning for this project

securityIssueScanningEnabled

boolean

Enable or disable security vulnerability scanning for this project. Can only be modified if the organization has security features enabled.

qualityIssueScanningEnabled

boolean

Enable or disable quality issue scanning for this project. Can only be modified if the organization has quality features enabled.

sbomAnalysisEnabled

boolean

Enable or disable SBOM policy analysis for this project. Requires SetPolicy permission for SBOM policy type.

snippetLicensingIssueScanningEnabled

boolean

Enable or disable snippet licensing issue scanning for this project

snippetSecurityIssueScanningEnabled

boolean

Enable or disable snippet security issue scanning for this project

vendoredLicensingIssueScanningEnabled

boolean

Enable or disable licensing issue scanning for vendored dependencies in this project

vendoredSecurityIssueScanningEnabled

boolean

Enable or disable security issue scanning for vendored dependencies in this project

vendoredQualityIssueScanningEnabled

boolean

Enable or disable quality issue scanning for vendored dependencies in this project

licensingStatusCheckEnabled

boolean

Enable or disable licensing issue CI/CD status checks

securityStatusCheckEnabled

boolean

Enable or disable security issue CI/CD status checks

qualityStatusCheckEnabled

boolean

Enable or disable quality issue CI/CD status checks

excludeBaseLayerIssuesLicensing

boolean

Exclude licensing issues found in container base layers

excludeBaseLayerIssuesSecurity

boolean

Exclude security issues found in container base layers

excludeBaseLayerIssuesQuality

boolean

Exclude quality issues found in container base layers

integrationhook_timeout

integer

≥ 0

Timeout in seconds for integration hooks (e.g., GitHub status checks)

integrationhook_fail_state

string

enum

Status to report when a hook times out or fails

Allowed:

issue_tracker_url

string | null

URL of the external issue tracker (e.g., Jira, GitHub Issues)

issue_tracker_type

string | null

enum

Type of issue tracker

Allowed:

issueTrackerLabels

array of strings | null

Labels to automatically apply to issues created in the tracker

issueTrackerLabels

issueTrackerIssueTypes

array of strings | null

Jira issue types available for this project

issueTrackerIssueTypes

issueTrackerProjectIds

array of strings | null

Jira project IDs associated with this project

issueTrackerProjectIds

issueTrackerCustomFields

object | null

Custom Jira fields configuration. The object keys are Jira field IDs, and values contain field metadata. The isRequired field accepts both boolean and stringified boolean values ("true"/"false").

useGlobalTrackerSettings

boolean | null

Whether to use organization-level issue tracker settings instead of project-specific settings

transitive_excludes

array of strings | null

List of dependency locators to exclude from analysis. Removing items from this array is logged as "un-ignoring" dependencies. Format: "fetcher+package$revision" (e.g., "npm+lodash$4.17.21")

transitive_excludes

reportCustomText

string | null

Custom text to include in attribution reports for this project

bom_column_settings

array of strings | null

Columns to display in the Bill of Materials (BOM) report. Available options: All, Name, Version, Type, License, DirectLicense, DirectLicenseOrigin, DeepLicense, DeepLicenseOrigin, Description, Homepage, PrimaryLanguage, SourceLocation, ReleasePublishDate, OriginId, Tags, ComponentComment, Reachability

bom_column_settings

bom_public_id

string | null

Public identifier for accessing the project's attribution report

labels

array of integers

Array of label IDs to associate with this project. This replaces all existing labels. Labels must exist in the organization before being assigned.

labels

filters

object | null

Issue filter IDs to apply for each issue category. This configures which saved filters are used when viewing issues for this project. Set to null or omit to clear filters.

notifications

array of objects | null

Array of notification configurations for this project. Empty notification objects are automatically filtered out. Changes are processed asynchronously alongside the main update.

notifications

Responses

200Project updated successfully. Returns the complete project object with all updated fields plus computed metadata including recent revisions, notifications, references, contributor count, and dynamically populated fields.

400Bad Request - Invalid input or validation error

401Unauthorized

403Forbidden - Insufficient permissions

404Not Found - Project does not exist

500Server Error