
FOSSA
Software composition analysis tools
Vulnerability scanner software
DevSecOps software
Software bill of materials (SBOM) software
Small
Medium
Large
- Media and communications
- Transportation and logistics
- Real estate and property management
What is FOSSA
FOSSA is a software composition analysis (SCA) platform that helps engineering and security teams identify open source dependencies, associated license obligations, and known vulnerabilities in application codebases. It integrates with source code repositories and CI/CD pipelines to automate dependency discovery, policy enforcement, and reporting. The product also supports generating and managing SBOMs to improve software supply chain visibility and compliance workflows.
SBOM generation and reporting
FOSSA supports producing SBOM artifacts and related reports that can be shared with customers or internal governance teams. It helps centralize dependency inventory and track changes over time. This is relevant for organizations responding to procurement requirements and software supply chain controls.
Strong open source license governance
FOSSA focuses heavily on identifying licenses across direct and transitive dependencies and mapping them to policy controls. It supports workflows for reviewing, approving, and documenting license exceptions to help organizations operationalize compliance. This emphasis is useful for teams that need auditable license reporting alongside security findings.
CI/CD and repo integrations
FOSSA integrates with common version control and build environments to run scans as part of pull requests and pipelines. This enables earlier detection of dependency and policy issues before release. Automated checks reduce manual review effort for engineering teams managing many repositories.
Primarily scoped to SCA
FOSSA’s core strength is open source dependency analysis, so it is not a full application security testing suite on its own. Organizations often still need separate tools for areas like runtime cloud posture, code quality analysis, or broader vulnerability management. This can increase toolchain complexity for teams seeking a single consolidated platform.
Results depend on dependency detection
As with SCA tools generally, accuracy depends on how dependencies are declared and built across different languages and packaging systems. Monorepos, custom build steps, vendored code, or unusual dependency resolution can require tuning to avoid missed or noisy findings. Teams may need to invest time to standardize build metadata and scanning configuration.
Policy tuning and triage overhead
Introducing license and vulnerability policies can initially generate a high volume of alerts, especially for legacy codebases. Teams typically need to tune rules, set severity thresholds, and establish exception processes to keep workflows manageable. Without this governance work, developers may experience friction in pull request and release processes.
Plan & Pricing
| Plan | Price | Key features & notes |
|---|---|---|
| Free | $0 per month (Free forever) | Limits: 5 projects, 10 contributing developers, 1 release group, 5 dependency levels for scans, 1 quality check, 5 imported SBOMs. Features: container scanning, dependency identification, basic email support, API access, SaaS (multi-tenant), limited filters, export SBOMs. |
| Business | $20 per project per month (billed annually) | For growing teams. Limits: 10 projects/SBOM imports, 10 contributing developers, 1 release group, unlimited dependency levels for scans, full suite of quality checks. Features: automated license & vulnerability scanning, multi-project reporting, priority support, unlimited imported SBOMs, create custom policies, priority email support, package index, ignore rules, saved filters. |
| Enterprise | Custom pricing (Contact sales) | For organizations needing custom deployment and enterprise features. Unlimited projects/developers/release groups, enterprise SLAs, custom retention policies, advanced compliance reporting, SSO, RBAC, enterprise-grade APIs, managed SaaS or on-prem deployment options. |
Seller details
FOSSA, Inc.
San Francisco, CA, USA
2015
Private
https://fossa.com/
https://x.com/fossas
https://www.linkedin.com/company/fossa/