Cloudflare Cowboy
← All articles

Knowledge base

How to implement FOSSA: a setup and CI-gating checklist

Standing up software composition analysis is less about the scan and more about the gate. This walks the full path on a real repository: connect, read the first scan, set policy, and wire CI so a bad dependency cannot be merged. Every step here was run on this site.

9 min read · Updated June 28, 2026

Who this is for

This is a hands-on implementation guide, not a sales page. It follows the path I took to put this site through FOSSA: a real repository, connected through GitHub, scanned, and gated. If you already understand software composition analysis and just want the operational steps plus the parts that are easy to miss in the UI, start here.

What you will have at the end

A connected repository, a license and security policy that matches how your team actually ships, and a CI check that blocks a pull request when it introduces a banned license or a known vulnerability. The full checklist is at the bottom.

Prerequisites

Three things before you start:

  • A FOSSA account with permission to import projects and edit organization settings.
  • Access to the repository you want to scan, on a supported host (GitHub, GitLab, or Bitbucket). This guide uses GitHub.
  • Admin rights on the GitHub repository. The final enforcement step is a GitHub branch-protection setting, not a FOSSA one, and only a repo or org admin can change it. This is the single most common thing teams discover too late.

Connect the repository

FOSSA imports your project straight from the version-control host, so it scans the real build graph rather than a manifest you upload. Go to Quick Import at app.fossa.com/projects/import/cloud and pick one of two GitHub integrations:

  • GitHub OAuth: broader permissions, including webhooks, so scans can trigger automatically on push and pull request. The simplest path to working status checks.
  • GitHub App: read-only on code and metadata, with per-repository scope. More restrictive and better for security-conscious orgs, with slightly more setup.

Authorize, choose which repositories to import (you can filter by public, private, or all, and decide whether to include forks), and FOSSA scans the default branch. No API key lands in your code, and a private repo stays private. FOSSA calls this an autobuild project: it resolves the dependency graph itself, which is why a five-dependency site can surface as several hundred packages.

Permission gotcha

For OAuth on an organization repo, your org may have to approve the FOSSA application under its OAuth application policy. If the import page does not show a green check next to your org, an org admin must grant access before the import will work.

Read the first scan

The first scan gives you three things worth understanding before you touch policy.

Every project and every dependency is addressed by a locator in the form fetcher+package$revision. This site imports as git+github.com/MultiOriginPartners/cloudflare-cowboy, and a specific commit appends its revision after the $. It is how FOSSA identifies the same component across thousands of projects.

Findings split into three pillars, each with its own tab on the Issue Overview page:

  • Licensing: policy conflicts, policy flags, and unlicensed dependencies. On this site, 14 flagged license issues, mostly weak copyleft (LGPL-3.0 inside the sharp image library, MPL-2.0 in lightningcss) sitting three levels deep in the tree.
  • Security: known vulnerabilities, ranked by severity. This site had 5, all in one direct dependency, the Astro framework.
  • Quality: outdated or blocked dependencies and other operational risk. 5 here.

Each issue also carries a dependency depth. Depth 1 means the problem is in something you chose directly and can fix yourself; a deep transitive issue you usually fix by upgrading the parent that pulls it in. The Astro vulnerabilities were depth 1, which is why they were a quick win.

Why the split matters

The three pillars are not cosmetic. Each is enabled and gated independently, so you can block merges on vulnerabilities while only warning on license flags during rollout. That independence is the whole reason the next two steps are separate.

Set policy

Policy is where FOSSA stops being a scanner and starts being a control. You set it per project under Project Settings, Policies, or organization-wide so new projects inherit it.

  • License policy: allow permissive licenses, flag or deny copyleft, and ban specific licenses outright (a "no AGPL" rule is the classic example). A flagged license becomes a policy-flag issue, exactly the 14 this site shows.
  • Quality policy: deny-list packages, allow-list trusted ones, and use stale-package prevention to flag dependencies that have fallen too far behind.

At the organization level each settings group (Security, Licensing, Quality) offers Save or Propagate: save applies to one project, propagate pushes the policy down to all of them. Set policy once at the org level and you are not re-configuring every repository by hand.

Wire the CI gate (the part people get half-right)

Enforcement is split across two systems, and that is exactly where it goes wrong. Connecting FOSSA does not block any merges by itself. It takes two layers.

Layer 1, FOSSA reports. For a GitHub project, enable status checks by following the prompt on the Project Summary or Project Settings page (organization-wide, it lives under Organization Settings, Projects, GitHub Status Checks). Then, in Project Settings, Policies, enable the scan type and set the failure condition: "Fail CI/CD checks if issues matching this filter exist." Now FOSSA posts a pass or fail check onto every pull request. In the project API these appear as securityStatusCheckEnabled, licensingStatusCheckEnabled, and qualityStatusCheckEnabled set to true.

Layer 2, GitHub enforces. A red check on a pull request is just a label. On its own it does not stop anyone clicking Merge. To make it a wall, a repo admin opens GitHub, Settings, Branches, Branch protection (or a Ruleset), turns on "Require status checks to pass before merging," and marks the FOSSA checks as Required. Only then is the Merge button disabled until the checks are green.

The one thing to remember

FOSSA reports the result; GitHub enforces it. The status-check toggles in FOSSA make the check appear. Marking that check Required in GitHub branch protection is what actually blocks the merge. Skip the GitHub side and you get warnings, not a gate.

StepSystemEffect
Enable scan type and failure filterFOSSA (Project Policies)Decides pass vs fail
Enable GitHub status checksFOSSA (Project Settings)Posts the check to the PR
Require status checks to passGitHub (Branch protection)Blocks the merge

A useful rollout: turn the checks on in warning mode first (reported but not required), clean up the existing backlog, then flip them to Required once a green build is normal. Going straight to blocking on a noisy first scan stalls everyone, which is the fastest way to get the tool turned back off.

The CLI path

The GitHub integration is the no-code path. For a monorepo, an unsupported host, or a pipeline you want full control over, the open-source fossa-cli does the same job from any CI runner. The pattern is two commands:

# 1. resolve dependencies and upload the scan
fossa analyze

# 2. fail the build if the latest scan has policy or vulnerability issues
fossa test

fossa test is the gate in CLI form: it exits 1 and prints the issues if any exist, and exits 0 when the project is clean, so any CI system can stop the pipeline on a non-zero exit. To gate only on the new problems a change introduces rather than the whole backlog, compare against a known-good revision:

fossa test --diff <revision>

The same CLI also produces a regulator-ready SBOM from the latest scan, in the format a customer asks for, which ties directly back to the SBOM work on this site:

fossa report attribution --format cyclonedx-json

Which path?

GitHub integration and CLI are not exclusive. Most teams use the integration for the pull-request gate and the CLI in CI for SBOM and attribution exports. The CLI reads a FOSSA_API_KEY from the runner environment, never committed to the repo.

Remediate the backlog

A gate is only useful if clearing it is realistic. FOSSA gives each issue three honest outcomes:

  • Remediate: upgrade or remove the dependency. On this site, all 5 security issues lived in Astro, so a single framework upgrade clears every one of them at once. FOSSA marks an issue remediated automatically once the dependency moves to a safe version or is removed.
  • Ignore or accept: for a flagged license you have reviewed and accepted, or a vulnerability that is not reachable in your usage, mark it ignored with a reason. It stops failing the gate but stays on the record.
  • Change policy: if the gate is flagging something your team has genuinely decided is fine (a weak-copyleft license you are comfortable with), the fix is the policy, not the dependency.

The goal is not zero findings. It is that every finding has a decision attached, and that no new one slips in unreviewed.

Reports and exports

Once the data is in, FOSSA exports it for the audiences that ask. The same scan produces:

  • An SBOM in SPDX or CycloneDX, for a customer or regulator.
  • An attribution and notice report, the open-source license notices many licenses require you to ship.
  • A machine-readable view of the project over the API, the same data the dashboard renders, which you can pull into your own tooling or a status board.

This is the back half of the SBOM lifecycle: the document is the easy part, and the reporting, gating, and monitoring around it are the actual product.

The checklist

The whole implementation, as a checklist:

  • ☐ Confirm you have admin rights on the GitHub repo (needed for the final step).
  • ☐ Quick Import the repo at app.fossa.com via GitHub OAuth or the GitHub App.
  • ☐ Let the first scan finish, then read the Licensing, Security, and Quality tabs.
  • ☐ Set license and quality policy under Project Settings, Policies, or propagate it org-wide.
  • ☐ Enable GitHub status checks for the project.
  • ☐ Set the failure condition: fail CI/CD checks on the issue filter you care about.
  • ☐ In GitHub branch protection, mark the FOSSA checks as Required.
  • ☐ Optional: add fossa analyze and fossa test to CI for non-GitHub pipelines and SBOM exports.
  • ☐ Triage the first backlog: remediate, ignore with a reason, or adjust policy.
  • ☐ Flip from warning to blocking once a green build is the norm.

Frequently asked questions

Does connecting FOSSA to my repo block merges by itself?

No. Connecting and enabling status checks makes FOSSA post a pass or fail check to your pull requests. The merge is only blocked once a GitHub admin marks that check as Required under branch protection. FOSSA reports; GitHub enforces.

Should I use the GitHub integration or the CLI?

Use the GitHub integration for the pull-request gate; it is the no-code path and triggers scans automatically. Use fossa-cli in CI when you need a monorepo, an unsupported host, or SBOM and attribution exports. Most teams use both.

Do I need a paid plan to gate on vulnerabilities?

Status checks and CI gating are core platform capabilities, but plan tiers and limits change over time, so confirm the current details with FOSSA. The mechanism, enable the scan type and then require the check, is the same regardless of plan.

What is the difference between remediating and ignoring an issue?

Remediating means the dependency was upgraded to a safe version or removed, which FOSSA detects automatically. Ignoring means a person reviewed the issue and accepted it with a reason. Both clear the gate; only one changes your code.

How do I gate only on new issues instead of the whole backlog?

Use fossa test --diff <revision> in the CLI to report only issues not present in a known-good revision, or set the policy failure filter so existing accepted issues do not fail the build. This keeps a noisy first scan from blocking every pull request.

Where do I see all issues across projects?

On the Issue Overview page, with separate Licensing, Security, and Quality tabs. Each issue is counted once no matter how many projects it appears in.

Keep reading

The SBOM lifecycle: before and after the document Most coverage of SBOMs stops at "here is how you generate one." Generating it is the cheap part. This walks the full lifecycle, because the value is on either side of the document. What is software composition analysis (SCA)? If an SBOM is the inventory of what your software is made of, software composition analysis is what reads that inventory and tells you where the risk is. Who needs an SBOM? The regulations driving demand A few years ago an SBOM was a nice-to-have. Now it is a procurement requirement in several major markets. Here is who is mandating them and when.

Sources

Part of the software supply-chain field notes on this site. Written by Antoni K Pestka.