Fast, portable and reliable dependency analysis for any codebase. Supports license & vulnerability scanning for large monoliths. Language-agnostic; integrates with 20+ build systems.

Open issues
Closed issues
Last release
8 months ago
Last commit
7 months ago
Total releases
Total commits
Open PRs
Closed PRs
Repo URL
Project Website
Offers premium version?


fossa-cli is a zero-configuration polyglot dependency analysis tool. You can point fossa CLI at any codebase or build, and it will automatically detect dependencies being used by your project.

fossa-cli currently supports automatic dependency analysis for many different build tools and languages. It also has limited support for vendored dependency detection, container scanning, and system dependency detection. These features are still a work in progress. Our goal is to make the FOSSA CLI a universal tool for dependency analysis.

fossa-cli integrates with FOSSA for dependency analysis, license scanning, vulnerability scanning, attribution report generation, and more.

Table of Contents

  1. Installation
  2. Getting Started
  3. User Manual
  4. Reporting Issues
  5. Contributing

Installation Using the install script

FOSSA CLI provides an install script that downloads the latest release from GitHub Releases for your computer's architecture. You can see the source code and flags at for Mac and Linux or install-latest.ps1 for Windows.

NOTE: You may need to add the downloaded executable to your $PATH. The installer script will output the installed path of the executable. You can also use -b to pick the installation directory when using (see the source code for details).

macOS or 64-bit Linux

curl -H 'Cache-Control: no-cache' | bash
Windows with Powershell
Set-ExecutionPolicy Bypass -Scope Process -Force; iex  ((New-Object System.Net.WebClient).DownloadString(''))

Alternatively, install using Scoop:

scoop install fossa

Please refer to detailed walkthrough Installing FOSSA CLI, for installing FOSSA CLI 1.x and using GitHub Releases to install FOSSA CLI manually.

Getting Started Integrating your project with FOSSA TL;DR, Linux, Mac, *nix-like

# Download FOSSA.
curl -H 'Cache-Control: no-cache' | bash

Set your API key. Get this from the FOSSA web application.


Run an analysis in your project's directory.

cd $MY_PROJECT_DIR fossa analyze

TL;DR, Windows
# Download FOSSA.
Set-ExecutionPolicy Bypass -Scope Process -Force; iex  ((New-Object System.Net.WebClient).DownloadString(''))

Set your API key. Get this from the FOSSA web application.


Run an analysis in your project's directory.

cd $MY_PROJECT_DIR fossa analyze

Installing FOSSA CLI

Follow the installation instructions above to install the FOSSA CLI. Once installed, you should have a new binary named fossa available on your $PATH.

Generating an API key

To get started with integrating your project into FOSSA, you'll need to generate an API key. You'll get this API key from the FOSSA web application (

Once you have your API key:

export FOSSA_API_KEY=XXXX # Use your API key here.
Running an analysis

Now we can run an analysis. To run an analysis, all you need to do is navigate to your project's directory and run fossa analyze.

NOTE: While fossa will try its best to report available results for any kind of project, you'll get the best results by running in a directory with a working project build. A working build lets us integrate directly with your build tool to identify dependencies, instead of trying to infer dependencies from your source code.

$ cd $MY_PROJECT_DIR # Use your actual project location here.

$ fossa analyze [ INFO] Using project name: [ INFO] Using revision: 09ca72e398bb32747b27c0f43731678fa42c3c26 [ INFO] Using branch: No branch (detached HEAD) [ INFO] ============================================================

  View FOSSA Report:


Viewing your results

Once an analysis has been uploaded, you can view your results in the FOSSA web application. You can see your analysis by using the link provided as output by fossa analyze, or by navigating to your project and revision in the FOSSA web application.

What next?

Now that your analysis is complete, there are a couple things you might want to do after an initial integration:

  • Double-check your results. Some analysis methods may produce partial or unexpected results depending on what information was available when you ran the analysis. If something seems wrong, our debugging guide can help you diagnose and debug your integration.

  • Scan for issues and generate a compliance report. Once your analysis is ready, we'll automatically queue an issue scan and report the results in the web application. Once an issue scan is complete, you can also generate a report from the web application.

  • Set up FOSSA in your CI. You can also use your issue scan results as inputs to CI scripts. For GitHub repositories, you can use FOSSA's native GitHub integration to report a status check on your PRs. For other CI integrations, you can also use fossa test to get programmatic issue status in CI.

User Manual

For most users, the FOSSA CLI will work out-of-the-box without any configuration. Just get an API key, run fossa analyze, and view your results in the FOSSA web application.

Users who need advanced customization or features should see the User Manual. Some common topics of interest include:

Reporting Issues

If you've found a bug or need support, the best way to get support is via the FOSSA support portal.

Make sure to include reproduction steps and any relevant project files (e.g. pom.xmls, package.jsons, etc.). Including the output from fossa analyze --debug in the email as well as any relevant fossa files (fossa-deps.json, .fossa.yml) will help expedite a solution.

We'll try to respond to issues opened in this repository on a best-effort basis, but we mostly provide support via the FOSSA support portal.


If you're interested in contributing, check out our contributor documentation. PRs are welcome!

Alternative Projects

Subscribe to Open Source Businees Newsletter

Twice a month we will interview people behind open source businesses. We will talk about how they are building a business on top of open source projects.

We'll never share your email with anyone else.