The company that keeps track of the open source inside your software - so shipping fast never quietly turns into a legal or security problem.
Roughly four out of every five lines in a modern application are open source code that no one on the team actually wrote. It arrives through package managers, containers, and - increasingly - AI coding assistants. FOSSA exists because someone still has to be accountable for all of it. The San Francisco company builds a platform that scans software continuously to answer three questions engineering, security, and legal teams keep asking: what open source is in here, is any of it vulnerable, and are we allowed to use it the way we are using it?
"FOSSA aims to eliminate the sacrifice between speed, compliance, and security in today's software-driven world."
Founded in 2015 by Kevin Wang, FOSSA started with a deceptively narrow problem: open source license compliance. Every open source component carries a license, and those licenses carry obligations - attribution, disclosure, sometimes the requirement to open your own code. Miss one and it can surface at the worst possible moment, usually during an acquisition or a security audit. FOSSA automated the grunt work of finding those obligations and turning them into reports.
From that beachhead the company expanded outward. Today the platform covers software composition analysis (SCA) for security vulnerabilities, Software Bill of Materials (SBOM) generation in the SPDX and CycloneDX standards, container scanning, binary analysis, and snippet detection for copied code. The through-line is consistent: give developers visibility and control over their software supply chain without making them slow down to get it.
What keeps FOSSA distinctive is where it sits. Many competitors lead with security scanning; FOSSA is equally fluent in the legal and compliance side, which matters enormously to enterprises that ship software to customers, regulators, or the government - all of whom increasingly demand a verifiable bill of materials.
The product philosophy is developer-first. FOSSA's command-line scanner is itself open source, licensed under MPL-2.0, and drops directly into CI/CD pipelines. Adoption tends to start with an engineer running a free scan and grows into an enterprise contract once legal and security teams see the value.
"Since 2015, FOSSA has worked to protect businesses from security, license compliance, and code quality risks in modern software development."
Modern software is assembled, not written. That speed is a gift, but it hides three liabilities in plain sight:
FOSSA turns each of these from a manual, end-of-cycle scramble into an automated, continuous check inside the pipeline.
FOSSA sells to engineering, security, and legal teams at enterprises and fast-growing software companies. Publicly cited customers include:
Beyond paying customers, a wide base of open source maintainers uses the free FOSSA CLI to add license and dependency checks to their own projects.
Automated detection of open source licenses, policy enforcement, and generation of attribution and disclosure reports on a continuous basis.
Generate, analyze, and share Software Bills of Materials in SPDX and CycloneDX for customers and regulators.
Finds vulnerabilities in direct and transitive dependencies, with reachability analysis to cut false positives.
Scans container images for open source components, licenses, and known vulnerabilities.
Detects copied open source code snippets to manage IP and copyright risk introduced by AI coding tools.
Free, MPL-2.0 command-line scanner that drops dependency analysis directly into CI/CD pipelines.
FOSSA competes in software composition analysis alongside Snyk, Mend, Black Duck (Synopsys), Sonatype, and newer entrants like Endor Labs. Where many rivals lead with security, FOSSA is unusually strong on the legal and compliance edge - license policy, attribution, and SBOMs - which is exactly the ground that regulation is now moving onto.
Two other differentiators stand out. Its reachability analysis tries to answer whether a vulnerability is actually exploitable in your app, cutting the alert fatigue that plagues scanners. And its 2024 Snippet Scanning product addresses a question most tools ignore: when an AI assistant writes your code, whose code is it copying?
FOSSA runs an open-core, B2B SaaS model. A free, open source CLI drives bottom-up developer adoption; a commercial subscription platform sells to enterprises, scaling to thousands of developers. Revenue comes primarily from annual enterprise contracts.
That structure - free tool first, enterprise deal later - is the same playbook that produced its earliest investor interest, and it is why FOSSA's brand is well known among individual engineers, not just procurement teams.
Earn developer trust first. Sell to the enterprise later.
FOSSA has raised roughly $35-41M across three disclosed rounds. Its seed round is notable for its angel roster - Salesforce CEO Marc Benioff, YouTube co-founder Steve Chen, and Skype co-founder Jaan Tallinn all wrote checks.
LEAD INVESTORS: BAIN CAPITAL VENTURES · COSTANOA VENTURES · CANVAS VENTURES · NORWEST
Kevin Wang founds FOSSA in San Francisco to automate open source management for developers.
Raises $2.2M led by Bain Capital Ventures with angels including Marc Benioff, and launches its public beta.
Raises $8.5M Series A led by Bain Capital Ventures and acquires design studio Dawn Labs.
Raises $23.2M to expand beyond licensing into security and SBOM management.
Launches Snippet Scanning for AI copyright risk and acquires developer tool community StackShare.
Named a Category Innovator in the Latio Application Security Report for SBOM Compliance Management and Patch Assistance.
Kevin Wang - Founder & Chairman. Started FOSSA in 2015 on a thesis about managing the open source that powers modern software.
Aaron Williams - Chief Executive Officer.
HQ: 114 SANSOME ST, SAN FRANCISCO, CA
Product walkthroughs, talks, and interviews from FOSSA's channels and the wider open source community.
FOSSA provides a software supply chain platform that automates open source license compliance, software composition analysis (SCA), vulnerability management, and SBOM generation across packages, containers, binaries, and code snippets.
FOSSA was founded in 2015 by Kevin Wang, who now serves as Chairman. Aaron Williams is CEO.
FOSSA serves enterprise engineering, security, and legal teams. Publicly cited customers include Uber, Zendesk, Twitter, Verizon, Fitbit, and UiPath.
FOSSA offers a free, open source command-line scanner licensed under MPL-2.0, alongside a commercial SaaS platform sold to enterprises.
FOSSA has raised roughly $35-41M across a $2.2M seed (2017), an $8.5M Series A (2019), and a $23.2M Series B (2020).