LinuxCommandLibrary

fossa

Analyze software dependencies and licenses

TLDR

Initialize a .fossa.yml configuration file
$ fossa init

Run a default project build
$ fossa build

Analyze built dependencies
$ fossa analyze

Generate reports
$ fossa report

Test the current revision against the FOSSA scan status and exit with an error if issues are found
$ fossa test
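The TLDR steps chained into a CI gate, as an added example that is not code from this page or from FOSSA Inc. It runs fossa analyze and then fossa test, relies on the test command's non-zero exit status on policy failures, and maps the outcome to its own exit codes so a pipeline can tell "policy violation" apart from "the scan never finished". FOSSA_BIN, FOSSA_PROJECT, FOSSA_TOKEN, RUN_GATE and the function names are names chosen for this example; only the subcommands and the --project/--token flags come from the page.

```shell
#!/bin/sh
# fossa-gate.sh: added example (not code from the page or from FOSSA Inc.)
# Chains `fossa analyze` and `fossa test` from the TLDR into one CI gate.
# Gate exit status: 0 = policy passed, 1 = policy failed,
#                   2 = analysis did not complete, so there is no verdict.
# FOSSA_BIN, FOSSA_PROJECT, FOSSA_TOKEN and RUN_GATE are names assumed by
# this example; the subcommands and --project/--token flags are the page's.

FOSSA_BIN="${FOSSA_BIN:-fossa}"

# Run the scan, then check the revision against the scan status.
# Any extra arguments are passed through to both fossa invocations.
fossa_gate() {
    if ! "$FOSSA_BIN" analyze "$@"; then
        # Tool or network failure: keep it distinct from a policy failure
        # so the pipeline never reports "clean" or "violation" by accident.
        echo "fossa-gate: analysis failed, no policy verdict" >&2
        return 2
    fi
    if "$FOSSA_BIN" test "$@"; then
        echo "fossa-gate: policy passed" >&2
        return 0
    fi
    echo "fossa-gate: policy failed, run 'fossa report' for details" >&2
    return 1
}

# Add --project/--token only when the CI secret store provided both, so the
# same script also works for a local run driven by .fossa.yml alone.
fossa_gate_from_env() {
    if [ -n "${FOSSA_PROJECT:-}" ] && [ -n "${FOSSA_TOKEN:-}" ]; then
        fossa_gate --project "$FOSSA_PROJECT" --token "$FOSSA_TOKEN" "$@"
    else
        fossa_gate "$@"
    fi
}

# Only execute when RUN_GATE=1, so the file can be sourced for its
# functions without starting a scan.
if [ "${RUN_GATE:-0}" = 1 ]; then
    fossa_gate_from_env "$@"
fi
```

From a pipeline step, run it as RUN_GATE=1 FOSSA_PROJECT=org/repo:revision FOSSA_TOKEN="$SECRET" sh fossa-gate.sh . and keep shell tracing (set -x) off in that step: a token passed with --token is visible in the traced command line and in process listings for the duration of the scan, so it should come from the CI secret store rather than from a committed file.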

SYNOPSIS

fossa <command> [<flags>] [<path>]

PARAMETERS

analyze
    Scan project for dependencies, licenses, and vulnerabilities

init
    Initialize Fossa configuration (.fossa.yml)

test
    Test the project against FOSSA policy; exits non-zero on failures

upload
    Upload scan results to the FOSSA API (requires --project and --token)

--help -h
    Show help for command

--version
    Print Fossa CLI version

--log-level
    Set logging level (debug, info, warn, error)

--config
    Path to config file (.fossa.yml)

--project
    Project ID or locator for upload (format: org/repo:revision)

--token
    API token for authentication (from dashboard.fossa.io)

DESCRIPTION

Fossa is a CLI tool for software supply chain security, open-source license compliance, and dependency management. It scans projects across 20+ languages and 50+ package managers, detects direct and transitive dependencies, and identifies licenses, vulnerabilities, and policy violations. Run fossa analyze to generate a detailed report in JSON format, including a Software Bill of Materials (SBOM).

Key capabilities include local analysis without internet access (for basic scans), upload to Fossa's cloud for dashboards and team policies, and CI/CD integration via exit codes. It uses modular 'fetchers' for ecosystems such as npm, Maven, Go, Python, and Rust. Aimed at DevSecOps, it enforces policies on license types (e.g., block GPL), monetization risks, and CVEs. Free for open-source projects, with additional enterprise features.

Install via brew, apt, or prebuilt binaries; an API key is required for uploads. Its output helps demonstrate compliance with requirements such as EUCPL or corporate OSS policies.

CAVEATS

Not a standard distro package; install it separately. Full features require a Fossa account and API key. Large monorepos may need --allow-only-listed-deps. Network access is required to fetch vulnerability and license data unless it is cached.

SUPPORTED LANGUAGES

JavaScript/npm, Java/Maven/Gradle, Go modules, Python/pip/poetry, Rust/Cargo, PHP/Composer, Ruby/Bundler, .NET/NuGet, and many more via extensible fetchers.

CONFIG FILE

Uses .fossa.yml to configure the server, analysis targets, and policies; typical entries specify dependencies, paths to ignore, and custom project metadata.

HISTORY

Developed by FOSSA Inc. since 2017 as a proprietary tool; the CLI was open-sourced in 2020 (GitHub: fossas/fossa-cli). It has since evolved to support SBOM standards (CycloneDX, SPDX) and is now at v1.5+ with improved fetchers and zero-config support. Widely used in Fortune 500 companies for OSS compliance.

SEE ALSO

npm(1), yarn(1), go(1), cargo(1), pip(1), mvn(1)
