Type object
File match .fossa.yml
Schema URL https://catalog.lintel.tools/schemas/schemastore/fossa-configuration-file/latest.json
Source https://raw.githubusercontent.com/fossas/fossa-cli/master/docs/references/files/fossa-yml.v3.schema.json


.fossa.yaml specification for FOSSA CLI 2.x or greater

Properties

version integer required

Specifies the version of the configuration file. Versions 1 and 2 were used by CLI versions up until CLI 2.0.0 and are no longer supported.

CLI 2.x and greater only supports version 3.

Constant: 3
server string

Sets the endpoint that the CLI will send requests to. This field should only be modified if your FOSSA account lives on a different server than app.fossa.com.

This is most commonly needed with on-premise instances of FOSSA.

minLength=1
apiKey string

Sets the API token (https://docs.fossa.com/docs/api-reference#api-tokens) that is required for accessing the FOSSA API and uploading data (e.g. fossa analyze) or retrieving information (e.g. fossa test) about a project.

minLength=1
project object

The project fields allow you to configure settings for the project you are interacting with through the FOSSA API.

12 nested properties
locator string

The project Locator defines a unique ID that the FOSSA API will use to reference this project within FOSSA. The project locator can be found in the UI on the project Settings page listed as the Project Locator underneath the Project Title setting.

minLength=1
id string

The project ID defines a unique ID that the FOSSA API will use to reference this project within your organization. The project ID is a specific portion of the project locator and can be found in the UI on the project Settings page listed as the Project Locator underneath the Project Title setting.

By default, the git remote origin URL is used as the project ID if the project is a git repository. If no version control system (VCS) is recognized, the project directory's name is used.

minLength=1
name string

The name field sets the project's visible name in the FOSSA dashboard. By default, this will be set to the project's ID.

minLength=1
team string

The name of the team in your FOSSA organization to associate this project with.

minLength=1
teams string[]

A list of team names in your FOSSA organization to associate this project with.

policy string

The name of the policy in your FOSSA organization to associate this project with. Mutually excludes project.policyId.

minLength=1
policyId integer

The id of the policy in your FOSSA organization to associate this project with. Mutually excludes project.policy.

minLength=1
link string

An external link that will appear in the FOSSA UI for this specific project.

minLength=1
url string

The URL of your project that will appear in FOSSA. This URL is intended to be the URL to the repository of this project.

minLength=1
jiraProjectKey string

The Jira Project Key to associate with your project for improved issue triage. Refer to https://docs.fossa.com/docs/atlassian-jira#linking-fossa-projects-to-jira-projects for more information.

minLength=1
releaseGroup object

The name: and release: of the release group's release to add your project to in the FOSSA dashboard. If you choose to associate a project with a release group, you must supply both name and release.

2 nested properties
name string required

The name of the release group.

minLength=1
release string required

The release associated with the release group.

minLength=1
labels string[]

A list of labels that are assigned to the project.

releaseGroup object

The releaseGroup field allows you to configure settings for the release group you are interacting with through the FOSSA API.

7 nested properties
title string

The title of the release group which can be seen in the FOSSA dashboard.

minLength=1
release string

The release associated with the release group.

minLength=1
releaseGroupProjects object[]
licensePolicy string

The name of the license policy associated with the release group.

minLength=1
securityPolicy string

The name of the security policy associated with the release group.

minLength=1
qualityPolicy string

The name of the quality policy associated with the release group.

minLength=1
teams string[]

A list of team names that are associated with the release group.

telemetry object

The telemetry fields are used to configure telemetry data collection and its destination.

2 nested properties
scope string

Project branch is an optional setting used for organizing project revisions in the FOSSA UI. The branch field is intended to function similar to how Git defines a branch.

One of: "full", "off"
commit string

The commit is used to identify a specific scan for a project (determined by project.id). This is intended to be used identically to how Git treats commit hashes. If not provided, the CLI will parse the current HEAD state from the .git directory. If the project does not have a version control system, a Unix timestamp will be used.

minLength=1
vendoredDependencies object

The vendoredDependencies fields allow you to configure vendored dependency scans. Vendored dependency scans are described in https://github.com/fossas/fossa-cli/blob/master/docs/features/vendored-dependencies.md

3 nested properties
forceRescans boolean

If true, forces a re-scan of all vendored dependencies on every run. If false or not present, then we do not re-scan vendored dependencies that have been previously scanned. A vendored dependency has been previously scanned if a dependency with the same name and version has already been scanned by your organization. If no version is provided, then any change in the files being scanned will result in a rescan.

scanMethod string
One of: "ArchiveUpload", "CLILicenseScan"
licenseScanPathFilters object

licenseScanPathFilters allows you to filter which files are scanned when doing a CLILicenseScan. This setting does not apply if you use the ArchiveUpload method of scanning vendoredDependencies.

2 nested properties
only string[]

A list of globs that will be used to filter paths. If there are any entries in the only list, then only paths that match one or more of the globs in the only list will be scanned for licenses.

exclude string[]

A list of globs that will be used to filter paths. If there are any entries in the exclude list, then paths that match any of the exclude entries will not be scanned for licenses.

revision object
customLicenseSearch grepDefinition[]
experimentalKeywordSearch grepDefinition[]
reachability object

Controls the Reachability computation functionality.

1 nested property
jvmOutputs Record<string, string[]>

Manually specify the list of JAR files output by each discovered Maven or Gradle project.

ignoreOrgWideCustomLicenseScanConfigs boolean

Ignore custom-license scan configurations for your organization. These configurations are defined in the Integrations section of the Admin settings in the FOSSA web app.

Default: false
targets object

The targets filtering allows you to specify the exact targets which should be scanned.

3 nested properties
only targetFilter[]

The list of only targets that should be scanned.

exclude targetFilter[]

The list of exclude targets which should be excluded from scanning. The targets listed in the exclude section will override the targets listed in the only section.

This feature is used most effectively to remove specific targets from a directory.

excludeManifestStrategies boolean

If set to true, all manifest-based strategies for discovering targets will be skipped. This has the effect of only searching dependencies explicitly specified in fossa-deps.yml. This setting will override any target filters or path filters.

Default: false
paths object

The paths filtering section allows you to specify which paths should be scanned and which should not. The paths should be listed as their location from the root of your project.

2 nested properties
only string[]

The list of paths to only allow scanning within.

exclude string[]

The list of paths to exclude from scanning in your directory.

maven object
One of two variants
2 nested properties
scope-only string[]

The list of scopes to only allow scanning in your maven project.

scope-exclude string[]

The list of scopes to exclude from scanning in your maven project.
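
As an added example (not from the FOSSA project or from this schema), the following complete .fossa.yml shows how the properties above nest; every value in it (organization, repository, team, policy, release group, commit hash and glob patterns) is a constructed placeholder. The API token is deliberately not placed in the file: apiKey is optional, and a committed .fossa.yml travels with the repository, so the token should be supplied at run time (fossa-cli reads the FOSSA_API_KEY environment variable, which this page does not document) rather than stored in the file.

```yaml
# Added example .fossa.yml; all values are constructed placeholders.
version: 3                      # the only version accepted by CLI 2.x and greater

# server is only needed for on-premise instances; omit it for app.fossa.com.
# server: https://fossa.example.internal

# apiKey is intentionally absent: keep the token out of version control and
# provide it through the environment (FOSSA_API_KEY, not documented on this page).

project:
  id: github.com/example-org/example-service    # defaults to the git remote origin URL when omitted
  name: example-service
  team: platform-security
  policy: Example Security Policy               # mutually exclusive with policyId
  url: https://github.com/example-org/example-service
  jiraProjectKey: EXS
  labels:
    - internal
  releaseGroup:                                 # name and release must both be supplied
    name: example-platform
    release: "2024.1"                           # quoted so YAML keeps it a string

revision:
  branch: main
  commit: 0123456789abcdef0123456789abcdef01234567   # constructed; the CLI reads HEAD when omitted

targets:
  only:                                         # targetFilter entries: type plus optional path
    - type: npm
    - type: gradle
      path: services/api
  exclude:                                      # exclude overrides only
    - type: npm
      path: tools/legacy
  excludeManifestStrategies: false

paths:
  exclude:                                      # paths relative to the project root
    - vendor
    - test/fixtures

maven:
  scope-only:                                   # one variant only; scope-exclude is the other
    - compile
    - runtime

vendoredDependencies:
  forceRescans: false
  scanMethod: CLILicenseScan
  licenseScanPathFilters:                       # applies to CLILicenseScan only
    only:
      - "**/LICENSE*"
    exclude:
      - "**/node_modules/**"

customLicenseSearch:                            # grepDefinition entries
  - name: Example Internal License
    matchCriteria: "Example Internal License v[0-9]+"

telemetry:
  scope: "off"                                  # quoted: unquoted off is a YAML 1.1 boolean
```

Two details worth checking when adapting this: scope must be written as the quoted string "off", because an unquoted off is parsed as the boolean false by YAML 1.1 parsers and would not match the schema's string constant; and the maven section carries only scope-only, since the schema permits one of the two variants rather than both.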

Definitions

revision object

The revision fields are used to help FOSSA differentiate between one upload for a project and another, just as GitHub uses commit hashes and branch names.

branch string

Project branch is an optional setting used for organizing project revisions in the FOSSA UI. The branch field is intended to function similar to how Git defines a branch.

minLength=1
commit string

The commit is used to identify a specific scan for a project (determined by project.id). This is intended to be used identically to how Git treats commit hashes. If not provided, the CLI will parse the current HEAD state from the .git directory. If the project does not have a version control system, a Unix timestamp will be used.

minLength=1
targetFilter object
type string

Target (package manager)

One of: "bundler", "cargo", "carthage", "cocoapods", "composer", "conda", "glide", "godep", "gradle", "leiningen", "maven", "mix", "npm", "nimble", "pub", "rebar3", "rpm", "renv", "scala", "swift", "yarn", "repomanifest", "cabal", "stack", "nuspec", "packagereference", "paket", "projectassetjson", "pipenv", "poetry", "setuptools", "perl", "pnpm", "pdm", "uv"
path string

Associated path with target type (if any).

experimental object

Experimental preferences for the fossa CLI.

gradle object

Gradle preferences for all targets

1 nested property
configurations-only string[]

Configurations to only include in analysis (by default, any other configurations not listed are excluded).

minItems=1 uniqueItems=true
grepDefinition object

Defines a search for a custom license or a keyword.

matchCriteria string required

A regular expression used to find a keyword or custom license.

minLength=1
name string required

The name of the keyword or custom license found by the regular expression defined in matchCriteria.

minLength=1