FOSSA is an enterprise Software Composition Analysis platform known for its comprehensive license compliance capabilities. It is used by companies such as Uber, Verizon, and PwC.
What is FOSSA?
FOSSA provides open-source license compliance and security analysis for software development teams.
The platform is particularly strong in license management, with a policy engine designed in collaboration with Heather Meeker, one of the leading open-source licensing attorneys.
Key Features
License Compliance
FOSSA excels at license management:
- Automatic license detection
- License compatibility analysis
- Policy enforcement
- Attribution report generation
Vulnerability Scanning
Security analysis capabilities:
- Known vulnerability detection (CVE)
- Dependency tree analysis
- Remediation guidance
- Severity prioritization
SBOM Generation
Generates a Software Bill of Materials (SBOM) in:
- SPDX format
- CycloneDX format
- Custom formats
- Continuous SBOM updates
Policy Automation
Automates compliance workflows:
- Custom policy rules
- Automatic approvals/rejections
- Exception handling
- Audit trails
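To make the license-policy and CycloneDX SBOM capabilities above concrete, here is an added example that is not FOSSA's own engine or output: a minimal policy check over a constructed CycloneDX 1.4 JSON SBOM, using a hypothetical allow/deny list keyed on SPDX identifiers and a CI-style gate that fails when any component is denied or has no recognised license.

```python
import json

# Constructed CycloneDX 1.4 JSON SBOM (not FOSSA output) with three components.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "readline", "version": "8.1",
         "purl": "pkg:generic/readline@8.1",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"type": "library", "name": "mystery-lib", "version": "0.1.0",
         "purl": "pkg:npm/mystery-lib@0.1.0"},   # no license declared
    ],
})

# Hypothetical policy for a proprietary product, keyed on SPDX identifiers:
# ALLOW passes silently, DENY fails the build, anything else needs a human.
ALLOW = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"}
DENY = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"}

def component_licenses(component):
    """SPDX ids (falling back to free-text names) declared on a component."""
    ids = []
    for entry in component.get("licenses", []):
        lic = entry.get("license", {})
        if lic.get("id") or lic.get("name"):
            ids.append(lic.get("id") or lic["name"])
    return ids

def evaluate_sbom(sbom_json):
    """Sort every component into approved, denied or needs_review."""
    result = {"approved": [], "denied": [], "needs_review": []}
    for comp in json.loads(sbom_json).get("components", []):
        ref = comp.get("purl") or f"{comp['name']}@{comp.get('version', '?')}"
        ids = component_licenses(comp)
        if any(i in DENY for i in ids):
            result["denied"].append(ref)
        elif not ids or any(i not in ALLOW for i in ids):
            result["needs_review"].append(ref)  # undeclared or unrecognised
        else:
            result["approved"].append(ref)
    return result

def gate(sbom_json):
    """CI exit status: 0 only when nothing is denied or awaiting review."""
    r = evaluate_sbom(sbom_json)
    return 0 if not (r["denied"] or r["needs_review"]) else 1
```

Undeclared licenses are routed to review rather than silently approved, which is the failure mode a real policy engine has to handle on every scan.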
How It Works
FOSSA analyzes your codebase and dependencies:

```bash
# Install the FOSSA CLI
curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install-latest.sh | bash

# Analyze the project and upload the results
fossa analyze

# Check the analyzed project against policy (non-zero exit if issues are found)
fossa test
```
Integration
CI/CD Integration
```yaml
# GitHub Actions
- name: FOSSA Scan
  uses: fossas/fossa-action@main
  with:
    api-key: ${{ secrets.FOSSA_API_KEY }}
```
Supported Ecosystems
FOSSA supports 20+ package managers:
- JavaScript: npm, yarn, pnpm
- Java: Maven, Gradle
- Python: pip, poetry, conda
- Go: Go modules
- Ruby: Bundler
- And more
Enterprise Customers
FOSSA is used by major enterprises:
- Uber
- Verizon
- PwC
- Atlassian
- Elastic
When to Use FOSSA
FOSSA is ideal for organizations that:
- Need comprehensive license compliance
- Have complex open-source policies
- Require enterprise-grade SBOM generation
- Want policy automation for compliance
