
FOSSA Review: Open Source License Compliance at Enterprise Scale

A review of FOSSA for open source license compliance and vulnerability management, covering license detection, policy automation, and enterprise integration patterns.

James
Supply Chain Security Analyst

License compliance is the part of open source management that nobody wants to think about until legal sends an email. FOSSA has built its business on making license compliance manageable, and their platform has matured into a serious enterprise tool that goes beyond just checking license headers.

What FOSSA Does

FOSSA scans your codebase and its dependencies to identify every open source component and its associated license. It then evaluates those licenses against your organization's compliance policies and flags conflicts, obligations, and risks.

The platform covers two primary use cases: license compliance (are we legally allowed to use this software in this way?) and vulnerability management (does this software have known security issues?). FOSSA started with license compliance and added vulnerability scanning later, which means the license features are significantly more mature than the security features.

License Detection

FOSSA's license detection goes deeper than reading a LICENSE file. It analyzes package metadata, license headers in source files, and even code snippets that match known licensed code patterns. This multi-layered detection catches cases where:

  • A package declares MIT in its package.json but includes GPL-licensed source files
  • A dependency bundles third-party code with a different license than the parent
  • License headers are missing or inconsistent across files
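The first and third of these cases are easy to illustrate with a small checker. The script below is an added example, not FOSSA's detection code: it reads the `license` field of a package.json, scans the header of each source file for an SPDX identifier or a known license phrase, and reports files whose header disagrees with the declared license or carries no header at all. The package tree is constructed in memory so the script runs offline; the signature table covers only three licenses and is an assumption of this example.

```python
"""Check a package's declared license against the licenses found in its
source file headers. Added example, not FOSSA code; the package tree below
is constructed in memory to keep the script self-contained."""
import json
import re

# Known-license signatures: an SPDX identifier and, as a fallback, a phrase
# from that license's standard header text. Deliberately small table.
LICENSE_SIGNATURES = {
    "MIT": [r"SPDX-License-Identifier:\s*MIT\b",
            r"Permission is hereby granted, free of charge"],
    "Apache-2.0": [r"SPDX-License-Identifier:\s*Apache-2\.0",
                   r"Licensed under the Apache License, Version 2\.0"],
    "GPL-3.0-only": [r"SPDX-License-Identifier:\s*GPL-3\.0(-only)?\b",
                     r"GNU General Public License as published by"],
}
# Licenses whose terms propagate to derivative works.
COPYLEFT = {"GPL-3.0-only", "GPL-2.0-only", "AGPL-3.0-only"}


def detect_header_license(text, header_lines=30):
    """Return the license found in the first header_lines lines, or None."""
    head = "\n".join(text.splitlines()[:header_lines])
    for spdx_id, patterns in LICENSE_SIGNATURES.items():
        if any(re.search(p, head) for p in patterns):
            return spdx_id
    return None


def audit_package(package_json, sources):
    """Compare the declared license with per-file header findings.
    sources maps relative path -> file contents."""
    declared = json.loads(package_json).get("license")
    findings = {path: detect_header_license(text) for path, text in sources.items()}
    issues = []
    for path, found in findings.items():
        if found is None:
            issues.append(("missing-header", path, None))
        elif found != declared:
            issues.append(("mismatch", path, found))
    # True when a file carries a copyleft license the package did not declare.
    copyleft_conflict = any(f in COPYLEFT for f in findings.values()
                            if f is not None and f != declared)
    return {"declared": declared, "files": findings,
            "issues": issues, "copyleft_conflict": copyleft_conflict}


# Constructed sample: package.json says MIT, one file carries a GPL header,
# one file has no header at all.
SAMPLE_PACKAGE_JSON = '{"name": "widget", "version": "1.2.0", "license": "MIT"}'
SAMPLE_SOURCES = {
    "src/index.js": "// SPDX-License-Identifier: MIT\nmodule.exports = {};\n",
    "src/util.js": ("/* This program is free software: you can redistribute it and/or modify\n"
                    " * it under the terms of the GNU General Public License as published by\n"
                    " * the Free Software Foundation. */\n"),
    "src/helpers.js": "function helper() {}\n",
}

if __name__ == "__main__":
    report = audit_package(SAMPLE_PACKAGE_JSON, SAMPLE_SOURCES)
    for kind, path, found in report["issues"]:
        print(f"{kind}: {path}" + (f" (header says {found})" if found else ""))
```

The phrase fallback matters in practice: many older C and JavaScript files carry the full GPL boilerplate without an SPDX tag, and a checker that only looks for `SPDX-License-Identifier` would report them as "no header" rather than as a copyleft conflict.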

The detection accuracy is strong for well-known licenses. FOSSA correctly identifies MIT, Apache 2.0, GPL variants, BSD variants, and MPL with high reliability. For less common or custom licenses, detection can be inconsistent, and manual review is sometimes necessary.

FOSSA also tracks license obligations. A GPL dependency does not just mean "this is copyleft." It means specific obligations around source code distribution, modification notices, and license propagation. FOSSA maps these obligations and generates compliance reports that your legal team can actually use.

Policy Engine

The policy engine is FOSSA's strongest feature. You define rules about what licenses are acceptable, what licenses require review, and what licenses are prohibited. Policies can be global or scoped to specific projects, teams, or deployment contexts.

Context-aware policies are particularly useful. Using a GPL library in an internal tool might be fine. Using the same library in a customer-facing product is not. FOSSA lets you create different policy stacks for different contexts, which reflects how license compliance actually works in large organizations.

When a policy violation is detected, FOSSA can block CI builds, create Jira tickets, send Slack notifications, or just flag the issue for review. The enforcement options are flexible enough to match your organization's risk appetite.
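The shape of a context-aware policy stack, with the enforcement step attached, is worth seeing in code. This is an added example and not FOSSA's policy engine or its policy format: the `POLICIES` dictionary, the `internal-tool` and `customer-facing` context names, the verdict names and the `ENFORCEMENT` mapping are all assumptions of this example. It takes a list of components with SPDX identifiers, applies the policy for a given deployment context, and returns a per-component verdict plus a CI gate decision.

```python
"""Context-aware license policy evaluation. Added example, not FOSSA's policy
engine; the policy format, context names, component list and verdict names
are this example's own."""
from dataclasses import dataclass
from typing import Optional

# One policy per deployment context. A license not named in any rule falls
# through to the context's default action.
POLICIES = {
    "internal-tool": {
        "allow": {"MIT", "Apache-2.0", "BSD-3-Clause", "GPL-3.0-only", "LGPL-2.1-only"},
        "review": set(),
        "deny": set(),
        "default": "review",
    },
    "customer-facing": {
        "allow": {"MIT", "Apache-2.0", "BSD-3-Clause"},
        "review": {"LGPL-2.1-only", "MPL-2.0"},
        "deny": {"GPL-3.0-only", "AGPL-3.0-only"},
        "default": "deny",
    },
}
# Action taken per verdict, mirroring the enforcement options described in
# the text (block the build, open a ticket, or do nothing).
ENFORCEMENT = {"deny": "block-build", "review": "create-ticket", "allow": None}


@dataclass
class Component:
    name: str
    version: str
    license: Optional[str]  # SPDX id, or None when detection found nothing


def verdict_for(license_id, policy):
    """Map one license to allow / review / deny under a single policy."""
    if license_id is None:
        return "review"  # an unknown license always needs a human
    for verdict in ("deny", "review", "allow"):  # strictest matching rule wins
        if license_id in policy[verdict]:
            return verdict
    return policy["default"]


def evaluate(components, context):
    """Evaluate every component under the policy for the given context."""
    policy = POLICIES[context]
    results = []
    for c in components:
        v = verdict_for(c.license, policy)
        results.append({"component": f"{c.name}@{c.version}", "license": c.license,
                        "verdict": v, "action": ENFORCEMENT[v]})
    return results


def build_allowed(results):
    """CI gate: the build fails if any component was denied."""
    return not any(r["verdict"] == "deny" for r in results)


# Constructed sample dependency set; names and versions are made up.
SAMPLE = [
    Component("strutil", "4.17.21", "MIT"),
    Component("readline-gpl", "8.1", "GPL-3.0-only"),
    Component("mystery-lib", "0.1.0", None),
    Component("glib-bindings", "2.0", "LGPL-2.1-only"),
]

if __name__ == "__main__":
    for context in POLICIES:
        results = evaluate(SAMPLE, context)
        print(context, "build allowed:", build_allowed(results))
        for r in results:
            print(f"  {r['component']:<22} {str(r['license']):<14} {r['verdict']:<7} {r['action']}")
```

The same four dependencies pass for the internal tool and fail for the customer-facing product, which is exactly the distinction the text makes: the policy, not the dependency list, decides. Note that an undetected license is routed to review in every context rather than silently allowed.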

SBOM Generation

FOSSA generates SBOMs in SPDX and CycloneDX formats. The SBOMs include license information for each component, which is required by SPDX but often missing from SBOMs generated by security-focused tools.

The SBOM quality is good for compliance purposes. Every component includes a package URL, license identifier, and copyright information where available. For organizations that need to deliver SBOMs to customers (which is increasingly common in regulated industries), FOSSA's SBOMs are more complete on the license front than those from Syft or Trivy.

Vulnerability Management

FOSSA's vulnerability detection works but is not its primary strength. It checks dependencies against the NVD and its own vulnerability database. The findings are comparable to mid-tier SCA tools but lack the depth and remediation guidance of dedicated platforms like Snyk.

Where FOSSA adds value on the vulnerability side is in combining vulnerability data with license data. A vulnerable dependency that is also under a restrictive license is a higher priority to replace than one that is just vulnerable. FOSSA surfaces these compound risks.
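Two of the points above, that a compliance-grade SBOM must carry a license and a package URL for every component, and that a vulnerable component under a restrictive license deserves higher priority, can be checked mechanically over a CycloneDX document. The script below is an added example and not FOSSA output: the SBOM, the advisory list (including the `ADV-EXAMPLE-*` identifiers) and the scoring weights are constructed for this example. It reads CycloneDX JSON, reports components missing a license or purl, and ranks vulnerable components so that compound risk sorts first.

```python
"""Two checks over a CycloneDX SBOM: (1) every component carries a license
and a purl; (2) vulnerable components are ranked with a bump for restrictive
or unknown licenses. Added example, not FOSSA output; the SBOM, advisories
and weights below are constructed."""
import json

RESTRICTIVE = {"GPL-3.0-only", "GPL-2.0-only", "AGPL-3.0-only"}
SEVERITY_SCORE = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Constructed CycloneDX 1.5 document with deliberate gaps: one component has
# no license entry, one has no purl.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "strutil", "version": "4.17.21",
         "purl": "pkg:npm/strutil@4.17.21",
         "licenses": [{"license": {"id": "MIT"}}],
         "copyright": "Copyright (c) 2020 Example Maintainers"},
        {"type": "library", "name": "readline-gpl", "version": "8.1",
         "purl": "pkg:generic/readline-gpl@8.1",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"type": "library", "name": "mystery-lib", "version": "0.1.0",
         "purl": "pkg:npm/mystery-lib@0.1.0"},
        {"type": "library", "name": "oldparser", "version": "2.3.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
    ],
})
# Constructed advisories keyed by purl; a real feed would be NVD or OSV data.
SAMPLE_ADVISORIES = {
    "pkg:generic/readline-gpl@8.1": [{"id": "ADV-EXAMPLE-1", "severity": "high"}],
    "pkg:npm/mystery-lib@0.1.0": [{"id": "ADV-EXAMPLE-2", "severity": "high"}],
}


def component_license(c):
    """First SPDX id (or free-text name) on a CycloneDX component, else None."""
    for entry in c.get("licenses", []):
        lic = entry.get("license", {})
        if lic.get("id") or lic.get("name"):
            return lic.get("id") or lic.get("name")
    return None


def sbom_gaps(sbom_json):
    """Return components lacking a license or a purl."""
    gaps = []
    for c in json.loads(sbom_json)["components"]:
        checks = (("license", component_license(c) is not None), ("purl", "purl" in c))
        missing = [field for field, ok in checks if not ok]
        if missing:
            gaps.append({"component": f"{c['name']}@{c['version']}", "missing": missing})
    return gaps


def prioritize(sbom_json, advisories):
    """Score each vulnerable component: worst advisory severity, plus a bump
    when the license is restrictive (replacing it fixes two problems at once)
    or unknown (the obligation is unclear until someone looks)."""
    ranked = []
    for c in json.loads(sbom_json)["components"]:
        advs = advisories.get(c.get("purl"), [])
        if not advs:
            continue
        lic = component_license(c)
        score = max(SEVERITY_SCORE[a["severity"]] for a in advs)
        if lic in RESTRICTIVE:
            score += 2
        elif lic is None:
            score += 1
        ranked.append({"component": f"{c['name']}@{c['version']}", "license": lic,
                       "advisories": [a["id"] for a in advs], "priority": score})
    return sorted(ranked, key=lambda r: r["priority"], reverse=True)


if __name__ == "__main__":
    for gap in sbom_gaps(SAMPLE_SBOM):
        print("SBOM gap:", gap["component"], "missing", ", ".join(gap["missing"]))
    for r in prioritize(SAMPLE_SBOM, SAMPLE_ADVISORIES):
        print(f"priority {r['priority']}: {r['component']} ({r['license']}) {r['advisories']}")
```

Both vulnerable components here carry the same severity; only the license data separates them. A component without a purl also cannot be matched to any advisory feed, which is why the gap check runs first: the "no findings" on `oldparser` is an absence of data, not a clean bill of health.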

Language and Ecosystem Support

FOSSA supports over 20 package managers across all major languages. The coverage includes npm, pip, Maven, Gradle, Go modules, Cargo, CocoaPods, NuGet, Composer, and more. The depth of analysis varies by ecosystem, with Java and JavaScript being the most thorough.

FOSSA also analyzes vendored dependencies and archived files. If a project includes a tarball of a third-party library, FOSSA attempts to identify it through content fingerprinting. This catches dependencies that are not managed through a package manager, which is common in C/C++ projects and legacy codebases.

Integration and Workflow

FOSSA integrates with GitHub, GitLab, Bitbucket, and Azure DevOps for repository scanning. CI integration is available through a CLI that can be added to any pipeline. The CLI is lightweight and fast, adding less than a minute to most builds.

The FOSSA dashboard provides organizational visibility into license compliance status across all projects. This roll-up view is critical for compliance teams who need to certify that the entire organization is meeting its open source obligations.

FOSSA also provides an attribution report generator. When your product includes open source software and your license obligations require attribution (most do), FOSSA generates a formatted notice file that lists all components, their licenses, and copyright holders. Maintaining this manually is tedious and error-prone. Automating it saves significant legal and engineering time.
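What an automated attribution generator actually has to do, grouping components by license, deduplicating copyright holders, and attaching the license text once per license rather than once per component, is shown below. This is an added example and not FOSSA's report generator; the component records are constructed, and the license texts are abbreviated placeholders where a real notice file embeds the full text.

```python
"""Generate a NOTICE-style attribution file from a component list. Added
example, not FOSSA's report generator; the component records are constructed
and the license texts are placeholders standing in for the full text."""
from collections import defaultdict

# Placeholder license texts; a real notice embeds the complete text of each.
LICENSE_TEXTS = {
    "MIT": "[full MIT license text]",
    "Apache-2.0": "[full Apache License 2.0 text]",
    "BSD-3-Clause": "[full BSD-3-Clause license text]",
}


def build_notice(product, components):
    """Group components by license, dedupe copyright holders, and emit one
    section per license followed by that license's text. Components with no
    detected license go under a 'needs review' section rather than being
    silently dropped, since a missing attribution is itself a compliance gap."""
    by_license = defaultdict(list)
    for c in components:
        by_license[c.get("license") or "UNKNOWN"].append(c)

    lines = [f"{product} includes the following third-party open source software.", ""]
    for lic in sorted(by_license):
        if lic == "UNKNOWN":
            continue
        lines.append(f"== Components licensed under {lic} ==")
        for c in sorted(by_license[lic], key=lambda c: (c["name"], c["version"])):
            lines.append(f"  {c['name']} {c['version']}")
            for holder in sorted(set(c.get("copyrights", []))):
                lines.append(f"    {holder}")
        lines.extend(["", LICENSE_TEXTS.get(lic, f"[license text for {lic} not on file]"), ""])

    if "UNKNOWN" in by_license:
        lines.append("== NEEDS REVIEW: components with no detected license ==")
        for c in by_license["UNKNOWN"]:
            lines.append(f"  {c['name']} {c['version']}")
    return "\n".join(lines) + "\n"


# Constructed sample; package names and copyright holders are made up.
SAMPLE_COMPONENTS = [
    {"name": "strutil", "version": "4.17.21", "license": "MIT",
     "copyrights": ["Copyright (c) 2020 Example Maintainers"]},
    {"name": "fastjson-lite", "version": "3.12.0", "license": "Apache-2.0",
     "copyrights": ["Copyright 2019 Example Foundation"]},
    {"name": "tinyms", "version": "2.1.3", "license": "MIT",
     "copyrights": ["Copyright (c) 2021 Example Labs", "Copyright (c) 2021 Example Labs"]},
    {"name": "mystery-lib", "version": "0.1.0", "license": None},
]

if __name__ == "__main__":
    print(build_notice("ExampleProduct", SAMPLE_COMPONENTS))
```

The "needs review" section is the part most hand-maintained notice files lack: when license detection returns nothing for a component, the safe output is a visible placeholder that blocks release review, not an omission that ships.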

Pricing

FOSSA offers a free tier for open source projects. Paid plans are enterprise-focused and priced based on the number of projects and developers. The pricing is competitive with other enterprise SCA tools but can escalate for large organizations with many repositories.

Limitations

FOSSA's vulnerability management is adequate but not best-in-class. Organizations with serious vulnerability management requirements will likely need a dedicated SCA tool alongside FOSSA.

The license detection for custom and rare licenses requires manual classification. If your codebase includes software with non-standard license terms, expect some initial setup work to train the system.

FOSSA's analysis is primarily dependency-based. It does not perform deep code analysis for license compliance in the way tools like ScanCode Toolkit do. Embedded code snippets from Stack Overflow or copied utility functions may not be detected.

How Safeguard.sh Helps

Safeguard.sh complements FOSSA's license compliance focus with comprehensive supply chain security management. While FOSSA ensures your open source usage is legally compliant, Safeguard.sh tracks the security posture of those same components through vulnerability monitoring, SBOM lifecycle management, and policy enforcement. Organizations that use both tools cover both the legal and security dimensions of open source risk, with Safeguard.sh providing the unified dashboard where compliance and security data converge.
