SBOM Starter Kit: Get Your Copy

Start for Free.
Scale as you go.


For small teams looking to get started with open source security compliance
for up to 25 code contributors
Start for Free
Vulnerability Management
Automated License Compliance
Container Scanning
Up to 25 Code Contributors
Up to 5 Projects


For growing teams that need more customization and workflow integrations
Prioritize remediation with custom security policies and advanced filters
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
per code contributor (5 to 25)
Get Started
Everything in Free, plus:
Custom Policies
Audit-Grade Reporting
Advanced Security Add-on Available
From 5 to 25 Code Contributors
Up to 10 Projects


For organizations that need advanced security and compliance automation at scale
Custom Pricing
Contact Us
Everything in Business, plus:
Advanced Security Filters
C/C++ Security and License Scanning
Dedicated Slack Channel
25+ Code Contributors
Unlimited Projects

Add-ons to fit your needs

SBOM Management Add-On

Advanced software bill of materials management to meet regulatory requirements, manage supplier risk, and securely distribute SBOMs at scale
starting at
Contact Us
Meet SBOM requirements from the FDA, PCI-DSS, and others
Continuously monitor third party SBOMs
Securely share SBOMs through your private distribution portal
Scale to hundreds of applications and suppliers

Compare Plans

Main Features

Code Contributors
Unique committers to private repos that are running FOSSA
Up to 25
A repository or container that is running FOSSA
Up to 10
Release Groups
Bundle multiple projects to track as a group
API Support
Access FOSSA data via the public API
Package Index
View and search all packages used across your organization
Ignore Rules
Reduce rework by ignoring issues that you've already cleared
Issues Filters
Prioritization filters to identify the most critical issues
Saved Filters
Prioritization filters to identify the most critical issues

Code Scanning

Source Code Scanning
Scan and detect direct and indirect dependencies in your code
Transitive Dependency Discovery
Identification of dependencies transitively introduced by direct dependencies
Quick import (Github)
Connect to your code host to easily scan your projects
CI/CD Integration
Use your personal or build machine to scan your projects
Container Scanning
Scan base container images
Dependency Scan Depth Levels
The depth of components and dependencies FOSSA identifies
Policy/Issue Scan Depth Levels
The dependency depth for which FOSSA will surface security, licensing and quality issues


Vulnerability Identification
Identify security issues in your open source dependencies
Vulnerability Management
Understand and remediate security issues
Reachability Analysis
Determine if vulnerable code is actually executed in your application
Advanced Filters
Prioritze remediation efforts with filters for exploitability, exploit maturity, and more
Custom Security Policies
Create and enforce custom rules for open source vulnerabilities

License Compliance

License Compliance Idenfitification
policy scans to identify compliance issues in your open source dependencies
License Compliance Management
Understand and remediate compliance issues
Default License Policies
Pre-configured rules for open source licenses, built by legal experts
Custom License Policies
Create and enforce custom rules for open source licenses
Declared Licenses
Identify licenses explicitly declared in package manifests
Discovered Licenses
Detect licenses from component analysis, even if not explicitly declared


Package Health Signals
Understand the integrity of your open source components
Outdated Packages Only
Default Quality Policy
Pre-configured rules around component integrity
Custom Quality Policies
Create and enforce custom rules for component integrity

SBOM Management

SBOM Generation
Generate an SBOM from a repository scan. Supports CycloneDX and SPDX formats
SBOM Import
Import SBOMs created by others
Up to 5
Up to 10
Automated VEX Annotations
Application SBOM
Generate an application-level SBOM to meet regulatory and customer requirements
SBOM Distribution Portal


3rd-Party Attribution Report
Audit-ready attributions that include raw copyright notices that you can distribute to users
Audit/Due-Diligence Report
Organization-wide report on issues and project changes
Global Issues Report
Organization-wide report on issue status and remediation progress over time


Audit Logs
Audited log of actions taken by users
Jira Integration
Automatically create Jira tickets with full context and remediation guidance
Slack Integration
Real-time notifications in slack when new issues are discovered
Single-Sign On (SSO)
Access to SSO services such as Google, Github, etc
Role-Based Access Control (RBAC)
Control over roles and permissions for all organizational users

Customer Success & Technical Support

Basic Email Support
Round-robin support via
Priority Email Support
Dedicated support engineer* and priority handling *Dedicated support engineer provided at FOSSA discretion
Customer Success Manager & Engineer
Includes guided onboarding, continuous enablement & ongoing goals, success mapping, and dedicated slack channel  
Service Level Agreements (SLAs)
SLAs for support and escalation response times


SaaS (multi-tenant cloud)
Secure, scalable multi-tenant cloud deployment
Managed SaaS (single-tenant cloud)
Dedicated cloud instance managed by FOSSA
Optionally deploy FOSSA onto your own infrastructure

Frequently Asked Questions

How does code contributor pricing work?

We track unique committers to private repos that are actively running in FOSSA with no limit on repo count. You can start off with fewer active repos/teams and easily scale across your org.

Why code contributor pricing?

Our pricing scales directly with the number of developers on your team who contribute code to private repos that are actively running in FOSSA. Contact us about cases of contributors outside your staff.

Do you discount non-commercial projects?

We offer special plans for non-profit, educational institution, and open source project budgets.

Do you offer annual plans?

Yes, we do! Contact us for details. On-prem deployments are priced annually by default.