Integrate FOSSology with Vulnetix. Deploy FOSSology via Docker Compose, upload source archives, run licence scans, and export SPDX or CycloneDX SBOMs via the REST API for Vulnetix ingestion.
CLI tool · SPDX · CycloneDX · JSON · CSV
Install & scan
# Docker Compose (recommended)
git clone https://github.com/fossology/fossology
cd fossology
docker compose up -d
# UI available at http://localhost:8081 (fossy/fossy)
# Authenticate and get API token
FOSSOLOGY_URL="http://localhost:8081"
TOKEN=$(curl -s -X POST "$FOSSOLOGY_URL/api/v2/tokens" -H "Content-Type: application/json" -d '{"username":"fossy","password":"fossy","token_name":"ci","token_scope":"write","token_expire":"2025-12-31"}' | jq -r '.Authorization')
# The Authorization field may already carry the "Bearer " prefix; strip it so the header below is not doubled
TOKEN="${TOKEN#Bearer }"
# Upload source archive
UPLOAD_ID=$(curl -s -X POST "$FOSSOLOGY_URL/api/v2/uploads" -H "Authorization: Bearer $TOKEN" -F "fileInput=@my-project.tar.gz" -F "folderId=1" | jq -r '.message')
echo "Upload ID: $UPLOAD_ID — wait for analysis, then export CycloneDX SBOM"
Run FOSSology in CI
Scan on every push and upload the results to Vulnetix:
- name: Start FOSSology
  run: |
    git clone --depth=1 https://github.com/fossology/fossology
    cd fossology && docker compose up -d
    sleep 30
- name: Upload and scan
  run: |
    TOKEN=$(curl -s -X POST "http://localhost:8081/api/v2/tokens" -H "Content-Type: application/json" -d '{"username":"fossy","password":"fossy","token_name":"ci","token_scope":"write","token_expire":"2026-01-01"}' | jq -r '.Authorization')
    # The Authorization field may already carry the "Bearer " prefix; strip it so the header below is not doubled
    TOKEN="${TOKEN#Bearer }"
    UPLOAD_ID=$(curl -s -X POST "http://localhost:8081/api/v2/uploads" -H "Authorization: Bearer $TOKEN" -F "fileInput=@project.tar.gz" -F "folderId=1" | jq -r '.message')
    echo "UPLOAD_ID=$UPLOAD_ID" >> "$GITHUB_ENV"
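The CI steps above wait a fixed 30 seconds and pass whatever jq extracts straight into the Authorization header and $GITHUB_ENV. The helpers below are an added example, not FOSSology or Vulnetix code: they retry a readiness probe, normalise the token, and refuse to export anything that is not a numeric upload ID. All function names and the probe command in the usage comment are assumptions.

```shell
# Added example; helper names are hypothetical, not part of FOSSology or Vulnetix.

# Retry a readiness probe instead of relying on a fixed `sleep 30`.
# usage: wait_until <attempts> <delay_seconds> <command...>
# e.g.   wait_until 30 5 curl -s -o /dev/null "$FOSSOLOGY_URL"   (probe is an assumption)
wait_until() {
  attempts=$1; delay=$2; shift 2
  i=1
  while [ "$i" -le "$attempts" ]; do
    if "$@" >/dev/null 2>&1; then return 0; fi
    if [ "$i" -lt "$attempts" ]; then sleep "$delay"; fi
    i=$((i + 1))
  done
  return 1
}

# Normalise the token taken from `.Authorization`: drop an optional "Bearer "
# prefix and reject empty values, whitespace, and the literal "null" that
# `jq -r` prints when the field is missing (for example after a failed login).
clean_token() {
  t=${1#Bearer }
  case $t in
    '' | null | *[[:space:]]*) return 1 ;;
  esac
  printf '%s\n' "$t"
}

# The page reads the upload ID from `.message`. Accept digits only, so error
# text in that field is never treated as an ID.
valid_upload_id() {
  case $1 in
    '' | 0* | *[!0-9]*) return 1 ;;
  esac
}

# Append UPLOAD_ID to the env file only after validation. A value containing a
# newline would otherwise define extra variables for later workflow steps.
# usage: export_upload_id <value> <env_file>
export_upload_id() {
  if ! valid_upload_id "$1"; then
    echo "refusing to export non-numeric upload id" >&2
    return 1
  fi
  printf 'UPLOAD_ID=%s\n' "$1" >> "$2"
}
```

In the workflow, source these functions at the top of each `run:` block and replace the final `echo` with `export_upload_id "$UPLOAD_ID" "$GITHUB_ENV"` so a failed upload stops the job.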
Centralise FOSSology results in Vulnetix
Upload FOSSology SPDX, CycloneDX, JSON, CSV output to the Vulnetix platform to deduplicate findings, prioritise them with EPSS, CISA KEV and Coalition ESS exploit intelligence, and track remediation across every scanner in a single queue.