Try our new research platform with insights from 80,000+ expert users

FOSSA vs Mend.io comparison

 

Comparison Buyer's Guide

Executive SummaryUpdated on Nov 5, 2024

Review summaries and opinions

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Categories and Ranking

FOSSA
Ranking in Software Composition Analysis (SCA)
8th
Average Rating
8.6
Reviews Sentiment
7.9
Number of Reviews
15
Ranking in other categories
No ranking in other categories
Mend.io
Ranking in Software Composition Analysis (SCA)
7th
Average Rating
8.4
Reviews Sentiment
7.1
Number of Reviews
31
Ranking in other categories
Application Security Tools (17th), Static Code Analysis (4th), Software Supply Chain Security (1st)
 

Mindshare comparison

As of October 2025, in the Software Composition Analysis (SCA) category, the mindshare of FOSSA is 3.1%, down from 3.6% compared to the previous year. The mindshare of Mend.io is 7.3%, down from 8.2% compared to the previous year. It is calculated based on PeerSpot user engagement data.
Software Composition Analysis (SCA) Market Share Distribution
ProductMarket Share (%)
Mend.io7.3%
FOSSA3.1%
Other89.6%
Software Composition Analysis (SCA)
 

Featured Reviews

Hanumanth Ramsetty - PeerSpot reviewer
Proactively mitigate deployment vulnerabilities with seamless dependency tracking
Before using FOSSA, we could only identify issues after deployment in the Cloud Run. Now, with FOSSA, we identify dependency issues or vulnerabilities during the CI phase itself. This proactive approach has eliminated the need to search the internet for solutions, as FOSSA provides updated recommendations automatically. This has made the process more efficient and mitigated risks before deployment.
meetharoon - PeerSpot reviewer
Enables smooth management of vulnerabilities and promotes a shift towards a culture of security
We have witnessed Mend.io for its high stability, consistently living up to our expectations in terms of performance and reliability. Our developers have reported very few issues and almost minimal to zero downtime, which is a critical factor for our organization to rely on Mend SCA to secure our applications. We didn't experience any major issues in the stability of the product. This level of dependability is crucial for our hundreds of development teams that need to maintain continuous integration and deployment processes without interruptions. We realize the solution's architecture is designed to support a wide range of use cases, making it suitable for organizations of varying sizes and complexities. As a SaaS (Software as a Service) offering, Mend.io eliminates the need for physical server management, which further contributes to its stability. Users can access the platform without worrying about hardware failures or maintenance issues that can affect on-premises solutions. Moreover, Mend.io's integration capabilities with existing workflows—including IDEs, repositories, and CI/CD pipelines—enhance its stability by providing a seamless user experience. This integration allows teams to incorporate security scanning into their development processes without significant disruptions, which is often a challenge with less stable solutions. Feedback from our developers and architects highlights the tool's effectiveness in reducing open-source software vulnerabilities while maintaining a streamlined development lifecycle. Our organization have experienced improved code quality and faster incident response times as a result of using Mend.io. The platform's intuitive dashboard and management views are also praised by our developers for their usability, contributing to a positive user experience. In short, Mend.io stands out as a dependable and reliable solution in the realm of software composition analysis. Its high stability, combined with robust integration capabilities and user-friendly features, makes it an excellent choice for organizations seeking to enhance their security posture while minimizing operational disruptions.

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Pros

"FOSSA suggests solutions for dependency mismatches."
"Policies and identification of open-source licensing issues are the most valuable features. It reduces the time needed to identify open-source software licensing issues."
"The most valuable feature is definitely the ease and speed of integrating into build pipelines, like a Jenkins pipeline or something along those lines. The ease of a new development team coming on board and integrating FOSSA with a new project, or even an existing project, can be done so quickly that it's invaluable and it's easy to ask the developers to use a tool like this. Those developers greatly value the very quick feedback they get on any licensing or security vulnerability issues."
"What I really need from FOSSA, and it does a really good job of this, is to flag me when there are particular open source licenses that cause me or our legal department concern. It points out where a particular issue is, where it comes from, and the chain that brought it in, which is the most important part to me."
"I am impressed with the tool’s seamless integration and quick results."
"Their CLI tool is very efficient. It does not send your source code over to their servers. It just does fingerprinting. It is also very easy to integrate into software development practices."
"FOSSA allows us to keep track of all dependencies to ensure they are up to date and not causing any vulnerabilities."
"The most valuable feature is its ability to identify all of the components in a build, and then surface the licenses that are associated with it, allowing us to make a decision as to whether or not we allow a team to use the components. That eliminates the risk that comes with running consumer software that contains open source components."
"The most valuable feature is the inventory, where it compiles a list of all of the third-party libraries that we have on our estate."
"There are multiple different integrations there. We use Mend for CI/CD that goes through Azure as well. It works seamlessly. We never have any issues with it."
"The solution is scalable."
"It gives us full visibility into what we're using, what needs to be updated, and what's vulnerable, which helps us make better decisions."
"Mend.io is a security tool that provides security feedback for all tests."
"The reporting capability gives us the option to generate an open-source license report in a single click, which gets all copyright and license information, including dependencies."
"What is very nice is that the product is very easy to set up. When you want to implement Mend.io, it just takes a few minutes to create your organization, create your products, and scan them. It's really convenient to have Mend scanning your products in less than one hour."
"With the fix suggestions feature, not only do you get the specific trace back to where the vulnerability is within your code, but you also get fix suggestions."
 

Cons

"I would like the FOSSA API to be broader. I would like not to have to interact with the GUI at all, to do the work that I want to do. I would like them to do API-first development, rather than a focus on the GUI."
"I would like more customized categories because our company is so big. This is doable for them. They are still in the stages of trying to figure this out since we are one of their biggest companies that they support."
"If you have thousands of applications, organizing them all into teams or tags is challenging."
"On the dashboard, there should be an option to increase the column width so that we can see the complete name of the GitHub repository. Currently, on the dashboard, we see the list of projects, but to see the complete name, you have to hover your mouse over an item, which is annoying."
"The solution provides contextualized, actionable, intelligence that alerts us to compliance issues, but there is still a little bit of work to be done on it. One of the issues that I have raised with FOSSA is that when it identifies an issue that is an error, why is it in error? What detail can they give to me? They've improved, but that still needs some work. They could provide more information that helps me to identify the dependencies and then figure out where they originated from."
"FOSSA does not show the exact line of code with vulnerabilities, which adds time to the process as we have to locate these manually."
"The technical support has room for improvement."
"On the legal and policy sides, there is some room for improvement. I know that our legal team has raised complaints about having to approve the same dependency multiple times, as opposed to having them it across the entire organization."
"The initial setup could be simplified."
"Mend lets you create custom policies. They're not too complicated to set up, but it would be helpful if they had some preconfigured policies to match what we have in Azure DevOps. That would save us a lot of time. It's tedious to configure the policies manually, and I lack the capacity to do it right now. Other products have preconfigured packs and templates, and Mend doesn't."
"The main consideration is the cost. The products always have their maturity."
"The dashboard UI and UX are problematic."
"On the reporting side, they could make some improvements. They are making the reports better and better, but sometimes it takes a lot of time to generate a report for our entire organization."
"We have been looking at how we could improve the automation to human involvement ratio from 60:40 to 70:30, or even potentially 80:20, as there is room for improvement here. We are discussing this internally and with Mend; they are very accommodating to us. We think they openly receive our feedback and do their best to implement our thoughts into the roadmap."
"The solution lacks the code snippet part."
"We have ended our relationship with WhiteSource. We were using an agent that we built in the pipeline so that you can scan the projects during build time. But unfortunately, that agent didn't work at all. We have more than 500 projects, and it doubled or tripled the build time. For other projects, we had the failure of the builds without any known reason. It was not usable at all. We spent maybe one year working on the issues to try to make it work, but it didn't in the end. We should be able to integrate it with ID and Shift Left so that the developers are able to see the scan results without waiting for the build to fail."
 

Pricing and Cost Advice

"FOSSA is not cheap, but their offering is top-notch. It is very much a "you get what you pay for" scenario. Regardless of the price, I highly recommend FOSSA."
"FOSSA is a fairly priced product. It is not either cheaper or expensive. The pricing lies somewhere in the middle. The solution is worth the money that we are spending to use it."
"The solution's pricing is good and reasonable because you can literally use a lot of it for free."
"Its price is reasonable as compared to the market. It is competitively priced in comparison to other similar solutions on the market. It is also quite affordable in terms of the value that it delivers as compared to its alternative of hiring a team."
"The solution's cost is a five out of ten."
"When comparing the price of WhiteSource to the competition it is priced well. The cost for 50 users is approximately $18,000 annually."
"The version that we are using, WhiteSource Bolt, is a free integration with Azure DevOps."
"Pricing is competitive."
"We always negotiate for the best price possible, and as far as I know, Mend has done an excellent job with their pricing. Our management is happy with the pricing, which has led to renewals."
"We are paying a lot of money to use WhiteSource. In our company, it is not easy to argue that it is worth the price. ​"
"As we were using an SaaS-based service, the solution must be scalable, although my understanding is that this is based on the licensing model one is using."
"WhiteSource is much more affordable than Veracode."
"This is an expensive solution."
report
Use our free recommendation engine to learn which Software Composition Analysis (SCA) solutions are best for your needs.
871,469 professionals have used our research since 2012.
 

Top Industries

By visitors reading reviews
Manufacturing Company
21%
Computer Software Company
10%
Financial Services Firm
10%
Educational Organization
8%
Financial Services Firm
17%
Computer Software Company
14%
Manufacturing Company
11%
Insurance Company
5%
 

Company Size

By reviewers
Large Enterprise
Midsize Enterprise
Small Business
By reviewers
Company SizeCount
Small Business5
Midsize Enterprise1
Large Enterprise8
By reviewers
Company SizeCount
Small Business10
Midsize Enterprise3
Large Enterprise17
 

Questions from the Community

What is your experience regarding pricing and costs for FOSSA?
The solution's pricing is good and reasonable because you can literally use a lot of it for free. You have to pay for the features you need, which I think is fair. If you want to get value for free...
What needs improvement with FOSSA?
FOSSA does not show the exact line of code with vulnerabilities, which adds time to the process as we have to locate these manually. Some other tools like Check Point or SonarQube provide exact lin...
What is your primary use case for FOSSA?
I have worked with FOSSA primarily to manage the dependencies in our projects. For example, if I take a Spring Boot application, FOSSA helps in identifying mismatches or unsupported dependencies th...
How does WhiteSource compare with SonarQube?
Red Hat Ceph does well in simplifying storage integration by replacing the need for numerous storage solutions. This solution allows for multiple copies of replicated and coded pools to be kept, ea...
How does WhiteSource compare with Black Duck?
We researched Black Duck but ultimately chose WhiteSource when looking for an application security tool. WhiteSource is a software solution that enables agile open source security and license compl...
What do you like most about Mend.io?
The best feature is that the Mend R&D team does their due diligence for all the vulnerabilities. In case they observe any important or critical vulnerabilities, such as the Log4j-related vulner...
 

Comparisons

 

Also Known As

No data available
WhiteSource, Mend SCA, Mend.io Supply Chain Defender, Mend SAST
 

Overview

 

Sample Customers

AppDyanmic, Uber, Twitter, Zendesk, Confluent
Microsoft, Autodesk, NCR, Target, IBM, vodafone, Siemens, GE digital, KPMG, LivePerson, Jack Henry and Associates
Find out what your peers are saying about FOSSA vs. Mend.io and other solutions. Updated: September 2025.
871,469 professionals have used our research since 2012.