FOSSA's product and engineering teams have been busy shipping impactful new features in recent months to help organizations better manage open source license compliance, security, and transparency. Here's a look at some of the latest.
Custom Risk Scores for Vulnerability Management
Enterprise customers can now define and apply Custom Risk Scores to vulnerability issues. Rather than relying solely on global markers (like the CVSS base metric and EPSS), teams can assign internal scores that reflect their organization's specific risk tolerance and environment.
Custom Risk Scores appear as prominent badges directly on vulnerability issues in the UI, and users can add a free-text reason when assigning or updating a score. Security teams can also filter their vulnerability inbox by "Severity Source," making it easy to toggle between standard CVSS and internal scoring to focus on what truly matters to their organization. You can see an example of this feature in the image below.
Enhanced Snippet Management
In the months since releasing our snippet scanning product last fall, FOSSA has continuously added functionality to reduce noise and enable additional customization. Our most recent round of updates offers teams the ability to configure an Auto-Reject Threshold, automatically rejecting snippets below a minimum match percentage when a revision reaches steady state.
You can do this by heading over to your project settings and scrolling to the “Snippet Auto-Reject Threshold” section. From there, check the box to enable the threshold and specify the minimum match percentage; snippets that match below that percentage are rejected automatically.
Additionally, snippets are now grouped by package by default, collapsing multiple versions of the same snippet under a single expandable row. Together, these changes reduce manual triage overhead and let teams focus their attention on the matches that genuinely warrant review.
Automated Malware Detection
We discussed FOSSA’s new malware detection capabilities on our blog last month, but here’s a quick refresher for organizations that may have missed it. FOSSA Malware Detection helps teams combat the growing threat of supply chain attacks (such as Shai-Hulud and the recent axios malware), in which malicious code is inserted into upstream open source components rather than aimed at organizations directly.
The feature integrates with CI/CD pipelines to block malicious packages before they ship, offers broad cross-language ecosystem coverage, and continuously updates its threat intelligence. It's included at no extra cost for enterprise customers. (However, enterprise customers do need to make sure they have the Quality feature enabled within their account to use this feature.)
Release Group Issue Comparison
Teams managing complex, multi-project software releases can use the new Release Group Comparison feature to compare issues between two different releases within a Release Group. This simplifies the process of seeing what's new, what's been remediated, and what remains unchanged between releases. It also gives compliance and security teams a clear, auditable picture of risk trajectory rather than a snapshot of the current state.
Get Started with FOSSA
These updates reflect FOSSA's continued investment in giving compliance, security, and engineering teams the precision and control they need to manage open source risk at scale. Existing customers can reach out to their customer success representative for guidance on enabling any of these features. Not yet a FOSSA customer? Schedule a demo to see the platform in action.
