
fossa

Analyze software dependencies and licenses

TLDR

Initialize a .fossa.yml configuration file
$ fossa init

Run a default project build
$ fossa build

Analyze built dependencies
$ fossa analyze

Generate reports
$ fossa report

Test the current revision against the FOSSA scan status and exit with an error if issues are found
$ fossa test

SYNOPSIS

fossa command [options] [arguments]

Common commands:
fossa analyze [options]
fossa init [options]
fossa report [options]

PARAMETERS

analyze
    Scans the current project or specified path to identify dependencies and their licenses. This is the core command for initiating a scan.

init
    Initializes a fossa project configuration in the current directory. This command sets up the necessary files for fossa to operate.

test
    Executes compliance tests against your project's dependencies based on configured policies, often used in CI/CD pipelines to enforce license compliance.

report
    Generates a compliance report for a specified project. Various output formats (e.g., SPDX, JSON, HTML) are supported.

upload
    Uploads pre-generated scan results (e.g., SBOMs) to the FOSSA platform for analysis and reporting.

--organization ID
    Specifies the organization ID to associate the scan or action with. Required for multi-organization setups.

--project ID
    Specifies the project ID within the organization. If not provided, fossa attempts to infer it from the Git remote or configuration.

--revision name
    Sets the specific revision (e.g., Git commit hash, branch name) for the scan or report.

--output format
    Defines the output format for commands like report (e.g., json, spdx, html).

--config path
    Specifies an alternative path to the fossa configuration file (typically .fossa.yml).

--debug
    Enables verbose debugging output for troubleshooting.

DESCRIPTION

The fossa command-line interface (CLI) provides a powerful suite of tools for software composition analysis (SCA). It helps organizations understand, manage, and comply with open-source software licenses across their codebases. fossa works by scanning your projects to identify all direct and transitive dependencies, their associated licenses, and potential security vulnerabilities. It then builds a Software Bill of Materials (SBOM) and generates reports that can be used for license compliance, risk management, and due diligence. Designed for integration into CI/CD pipelines, fossa enables automated compliance checks and policy enforcement, ensuring that only approved open-source components are used. Its capabilities are crucial for developers, legal teams, and compliance officers looking to maintain a transparent and compliant open-source posture.

CAVEATS

The fossa CLI tool typically requires an API key or authentication with the FOSSA SaaS platform for full functionality, as it uploads scan data and retrieves policies from the cloud service. It is not a standard, pre-installed Linux utility and must be installed separately. Performance can vary significantly based on project size and complexity, potentially consuming considerable CPU and memory resources for large codebases. Its accuracy depends on the quality of its internal knowledge base and the completeness of the project's dependency resolution.

INSTALLATION

The fossa CLI is generally installed via a package manager (e.g., brew on macOS), via a curl-based install script on Linux, or by downloading the binary directly. It is not part of standard Linux distributions. Users typically need to configure their environment with an API key, either through an environment variable (FOSSA_API_KEY) or a configuration file.

INTEGRATION

fossa is commonly integrated into CI/CD pipelines (e.g., Jenkins, GitLab CI, GitHub Actions) to run automated scans on every commit or pull request. This ensures continuous compliance and early detection of license conflicts or vulnerabilities. The test command is particularly useful in this context, allowing builds to fail if policy violations are detected.
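The CI gate described above, as an added example that is not part of the original page and not FOSSA's own code: a POSIX shell wrapper that refuses to run without FOSSA_API_KEY, runs `fossa analyze` for the current revision, then runs `fossa test` so the pipeline fails on policy violations. The `--revision` option is from the page; the FOSSA_BIN override, the function names and the exit-code convention (2 = no key, 3 = analyze failed, 4 = policy violation) are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the page or the FOSSA project): a CI gate around
# `fossa analyze` and `fossa test`.
# Assumptions: the fossa binary is on PATH and FOSSA_API_KEY is injected by the
# CI secret store. FOSSA_BIN is a hypothetical override that lets the gate be
# exercised with a stand-in command.

FOSSA_BIN="${FOSSA_BIN:-fossa}"

# Succeed only if FOSSA_API_KEY is set and non-empty. The key itself is never
# echoed, so it cannot leak into CI logs.
check_api_key() {
    if [ -z "${FOSSA_API_KEY:-}" ]; then
        echo "fossa-gate: FOSSA_API_KEY is not set; refusing to run" >&2
        return 1
    fi
    return 0
}

# Scan one revision and gate on policy. Returns the exit code the pipeline
# should propagate: 0 pass, 2 no API key, 3 analyze failed, 4 policy violation.
fossa_gate() {
    revision="$1"
    check_api_key || return 2
    if ! "$FOSSA_BIN" analyze --revision "$revision"; then
        echo "fossa-gate: analyze failed for $revision" >&2
        return 3
    fi
    if ! "$FOSSA_BIN" test --revision "$revision"; then
        echo "fossa-gate: policy violations found for $revision" >&2
        return 4
    fi
    echo "fossa-gate: $revision passed policy checks"
    return 0
}

# Typical CI usage. Guarded behind an explicit "run" argument so that sourcing
# the file for its functions has no side effects.
if [ "${1:-}" = "run" ]; then
    fossa_gate "$(git rev-parse HEAD)"
fi
```

Invoke it from a pipeline step as `sh fossa-gate.sh run`; a non-zero exit fails the build. Keep FOSSA_API_KEY in the CI secret store rather than in a committed .fossa.yml, and let the gate's distinct exit codes tell you whether a red build came from a missing key, a broken scan, or a genuine policy violation.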

HISTORY

FOSSA was founded by Alex Solomon with a vision to automate open-source compliance and security. It emerged as a leading solution in the Software Composition Analysis (SCA) space, particularly gaining traction for its robust policy engine, deep dependency scanning capabilities, and strong integration with developer workflows and CI/CD pipelines. Its development has focused on providing comprehensive, automated compliance and security insights for enterprises leveraging open-source software, addressing the growing complexities of license obligations and vulnerability management.

SEE ALSO

git(1) (for version control integration), npm(1) (for Node.js package management), pip(1) (for Python package management), WhiteSource (SCA tool), Black Duck (SCA tool), Snyk (SCA tool), SPDX (Software Package Data Exchange standard), CycloneDX (SBOM standard)
