The JS Foundation needed a reliable, trustworthy, and automated way to monitor, manage, and maintain license compliance and dependency tracking across its major projects while also allowing each project to maintain its autonomy.
FOSSA works continuously, scanning a project's source files and its dependencies for license violations. It integrates with the development workflow: it triggers Slack notifications, blocks pull requests that bring in dependencies with incompatible licenses, and generates attribution reports containing the raw copyright headers needed to certify releases against compliance standards. FOSSA makes compliance automated and easy for developer teams to scale.
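To make the workflow above concrete, here is an added example of the kind of license-policy gate a CI step could run over a dependency inventory. It is illustrative code written for this page, not FOSSA's implementation or any JS Foundation project code. It assumes a hypothetical inventory (constructed inline) in which each dependency carries the license declared in its package metadata and, where a scanner has looked at the files, the SPDX identifier recognised in the actual license headers; the allow and deny lists are likewise constructed, not any real policy.

```python
"""Added example: a minimal license-policy gate for pull requests.

Illustrative code for this page, not FOSSA's implementation. Assumes a
hypothetical dependency inventory where each entry has:
  name, version   - package identity
  declared        - SPDX expression from package metadata
  detected        - (optional) license identified from file headers
  copyright       - (optional) raw copyright line for attribution
"""
import re

# Constructed policy (an assumption for this example, not a real policy):
# licenses the project may redistribute, and licenses that must block a PR.
ALLOWED = {"MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0", "ISC"}
DENIED = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"}


def split_spdx(expr):
    """Split a simple SPDX expression into its identifiers.

    Handles the common "A OR B" / "(A AND B)" forms; the full SPDX grammar
    (WITH exceptions, '+' suffixes) is out of scope for this example.
    """
    return [tok for tok in re.split(r"\s+(?:OR|AND)\s+|[()]", expr) if tok.strip()]


def evaluate(dep):
    """Return findings for one dependency as (name, severity, message) tuples.

    severity is "block" (fail the PR) or "review" (needs a human look).
    An empty list means the dependency is clean under the policy.
    """
    findings = []
    name, expr = dep["name"], dep["declared"]
    terms = split_spdx(expr)

    # A disjunction lets the consumer choose, so one allowed option suffices;
    # a conjunction or single term needs every identifier to be allowed.
    if " OR " in expr:
        acceptable = any(t in ALLOWED for t in terms)
    else:
        acceptable = all(t in ALLOWED for t in terms)

    if not acceptable:
        if any(t in DENIED for t in terms):
            findings.append((name, "block", f"declared license {expr!r} is denied by policy"))
        else:
            # Unknown or free-text license fields (e.g. "SEE LICENSE IN ...")
            # are not blocked outright but must not pass silently.
            findings.append((name, "review", f"declared license {expr!r} is not on the allow list"))

    # Metadata can be misleading in either direction: a package that claims
    # a permissive license but ships copyleft headers, or one whose metadata
    # says GPL while the files are actually permissive. Either way the
    # declared and detected licenses disagree and someone must look.
    detected = dep.get("detected")
    if detected and detected not in terms:
        severity = "block" if detected in DENIED else "review"
        findings.append((name, severity,
                         f"metadata declares {expr!r} but file headers look like {detected!r}"))
    return findings


def gate_pull_request(deps):
    """Evaluate every dependency; return (should_block, findings)."""
    findings = [f for dep in deps for f in evaluate(dep)]
    should_block = any(sev == "block" for _, sev, _ in findings)
    return should_block, findings


def attribution_report(deps):
    """Build attribution lines from declared licenses and raw copyright headers."""
    lines = []
    for dep in deps:
        notice = dep.get("copyright", "(no copyright header recorded)")
        lines.append(f"{dep['name']} {dep['version']} - {dep['declared']} - {notice}")
    return lines


# Constructed sample inventory (package names are made up for this example).
SAMPLE_DEPS = [
    {"name": "example-util", "version": "1.3.0", "declared": "MIT",
     "detected": "MIT", "copyright": "Copyright (c) 2016 Example Author"},
    {"name": "dual-licensed-lib", "version": "2.0.1", "declared": "MIT OR Apache-2.0"},
    # Misleading metadata: declared GPL, but the files carry MIT headers.
    {"name": "mislabelled-pkg", "version": "0.4.2", "declared": "GPL-2.0-only", "detected": "MIT"},
    {"name": "copyleft-tool", "version": "3.1.0", "declared": "GPL-3.0-only", "detected": "GPL-3.0-only"},
    {"name": "mystery-pkg", "version": "1.0.0", "declared": "SEE LICENSE IN LICENSE.txt"},
]

if __name__ == "__main__":
    block, found = gate_pull_request(SAMPLE_DEPS)
    for name, severity, msg in found:
        print(f"[{severity.upper()}] {name}: {msg}")
    print("PR status:", "BLOCKED" if block else "OK")
    print("\n".join(attribution_report(SAMPLE_DEPS)))
```

Running the sample blocks the pull request because of the two GPL declarations, and separately raises a review finding for the package whose metadata disagrees with its file headers; that mismatch case is the one a manual metadata-only check would get wrong in both directions.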
Real results appeared within minutes of the initial evaluation, which established trust early on and was a key factor in the selection process. FOSSA's ability to integrate seamlessly into the developer workflow also made it the clear choice. “The ability for developers to adopt it naturally and choose it as part of a toolchain is awesome. We can easily enforce policies, increasing our visibility across all projects.”
Kris spearheaded the FOSSA deployment and chose to start with basic license checks across the main group of repositories for its major projects. The first step was to identify a maintainer for each project and set them up with a FOSSA account. Each project maintainer could then enable per-commit scanning, integration with their CI system, or pull request comments that check proposed contributions against the licensing standards. The initial deployment was kicked off in minutes, and a full deployment rolled out organically within the week.
“We found real results with FOSSA quickly. There was one instance where we found misleading metadata that looked like GPL code. Because the issue was flagged, we were able to get way ahead of the issue.”
Implementing FOSSA reduced the burden of manual tracking on both the legal and development teams through automated, continuous license compliance scanning. More importantly, FOSSA's reports proved detailed enough for audit use, and they have instilled confidence that real issues are being tracked, monitored, and flagged.
“Knowing FOSSA is protecting our projects has been the biggest value to us. It would otherwise take hundreds of man-hours to comb through every dependency across every project.”
“If I’m a business and see a FOSSA badge, it’s a huge plus for ensuring license compliance certification.”