fossa-cli is a zero-configuration polyglot dependency analysis tool. You can point fossa CLI at any codebase or build, and it will automatically detect dependencies being used by your project.
fossa-cli currently supports automatic dependency analysis for many different build tools and languages. It also has limited support for vendored dependency detection, container scanning, and system dependency detection. These features are still a work in progress. Our goal is to make the FOSSA CLI a universal tool for dependency analysis.
fossa-cli integrates with FOSSA for dependency analysis, license scanning, vulnerability scanning, attribution report generation, and more.
FOSSA CLI provides an install script that downloads the latest release from GitHub Releases for your computer's architecture. You can see the source code and flags at install-latest.sh for Mac and Linux or install-latest.ps1 for Windows.
NOTE: You may need to add the downloaded executable to your $PATH. The installer script will output the installed path of the executable. You can also use -b to pick the installation directory when using install-latest.sh (see the install-latest.sh source code for details).
curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install-latest.sh | bashmacOS with brew
brew update # Fetch the newest version of Homebrew and all formulae
brew install --cask fossaThe
FOSSA CLIversion in the brew cask is updated to the latest version every 3 hours.
Set-ExecutionPolicy Bypass -Scope Process -Force; iex ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/fossas/fossa-cli/master/install-latest.ps1'))Alternatively, install using Scoop:
scoop install fossa
Please refer to detailed walkthrough Installing FOSSA CLI, for installing FOSSA CLI 1.x and using GitHub Releases to install FOSSA CLI manually.
# Download FOSSA.
curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install-latest.sh | bash
# Set your API key. Get this from the FOSSA web application.
export FOSSA_API_KEY=XXXX
# Run an analysis in your project's directory.
cd $MY_PROJECT_DIR
fossa analyze# Download FOSSA.
Set-ExecutionPolicy Bypass -Scope Process -Force; iex ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/fossas/fossa-cli/master/install-latest.ps1'))
# Set your API key. Get this from the FOSSA web application.
$env:FOSSA_API_KEY=XXXX
# Run an analysis in your project's directory.
cd $MY_PROJECT_DIR
fossa analyzeFollow the installation instructions above to install the FOSSA CLI. Once installed, you should have a new binary named fossa available on your $PATH.
To get started with integrating your project into FOSSA, you'll need to generate an API key. You'll get this API key from the FOSSA web application (app.fossa.com).
Once you have your API key:
export FOSSA_API_KEY=XXXX # Use your API key here.Now we can run an analysis. To run an analysis, all you need to do is navigate to your project's directory and run fossa analyze.
NOTE: While fossa will try its best to report available results for any kind of project, you'll get the best results by running in a directory with a working project build. A working build lets us integrate directly with your build tool to identify dependencies, instead of trying to infer dependencies from your source code.
$ cd $MY_PROJECT_DIR # Use your actual project location here.
$ fossa analyze
[ INFO] Using project name: `https://github.com/fossas/fossa-cli`
[ INFO] Using revision: `09ca72e398bb32747b27c0f43731678fa42c3c26`
[ INFO] Using branch: `No branch (detached HEAD)`
[ INFO] ============================================================
View FOSSA Report:
https://app.fossa.com/projects/custom+1%2fgithub.com%2ffossas%2ffossa-cli/refs/branch/master/09ca72e398bb32747b27c0f43731678fa42c3c26
============================================================Once an analysis has been uploaded, you can view your results in the FOSSA web application. You can see your analysis by using the link provided as output by fossa analyze, or by navigating to your project and revision in the FOSSA web application.
Now that your analysis is complete, there are a couple things you might want to do after an initial integration:
-
Double-check your results. Some analysis methods may produce partial or unexpected results depending on what information was available when you ran the analysis. If something seems wrong, our debugging guide can help you diagnose and debug your integration.
-
Scan for issues and generate a compliance report. Once your analysis is ready, we'll automatically queue an issue scan and report the results in the web application. Once an issue scan is complete, you can also generate a report from the web application.
-
Set up FOSSA in your CI. You can also use your issue scan results as inputs to CI scripts. For GitHub repositories, you can use FOSSA's native GitHub integration to report a status check on your PRs. For other CI integrations, you can also use
fossa testto get programmatic issue status in CI.
For most users, the FOSSA CLI will work out-of-the-box without any configuration. Just get an API key, run fossa analyze, and view your results in the FOSSA web application.
Users who need advanced customization or features should see the User Manual. Some common topics of interest include:
- Debugging your integration
- Specifying vendored dependencies
- Adding manual dependencies
- Supported languages
If you've found a bug or need support, the best way to get support is via the FOSSA support portal.
Make sure to include reproduction steps and any relevant project files (e.g. pom.xmls, package.jsons, etc.). Including the output from fossa analyze --debug in the email as well as any relevant fossa files (fossa-deps.json, .fossa.yml) will help expedite a solution.
We'll try to respond to issues opened in this repository on a best-effort basis, but we mostly provide support via the FOSSA support portal.
If you're interested in contributing, check out our contributor documentation. PRs are welcome!