diff --git a/action.yml b/action.yml
index 05a83db..f99c9db 100644
--- a/action.yml
+++ b/action.yml
@@ -15,6 +15,8 @@ runs:
 steps:
 - uses: fortify/github-action/fod-sast-scan@main
 if: inputs['sast-scan']=='true' && env.FOD_URL
+ env:
+ DO_DEBRICKED_SCAN: ${{ inputs['debricked-sca-scan'] }}
 - uses: fortify/github-action/sc-sast-scan@main
 if: inputs['sast-scan']=='true' && env.SSC_URL
 env:
diff --git a/internal/run-script/scripts/common.sh b/internal/run-script/scripts/common.sh
index 73f4403..35abd6c 100644
--- a/internal/run-script/scripts/common.sh
+++ b/internal/run-script/scripts/common.sh
@@ -58,13 +58,17 @@ function run {
 for arg in "$@"; do
 # Expand environment variables that potentially contain multiple arguments.
 # This is commonly used for *_EXTRA_OPTS environment variables, needed to
- # properly handle quoted arguments containing whitespace.
+ # properly handle quoted arguments containing whitespace. To allow composite
+ # actions to append extra arguments, we resolve both the given variable name
+ # and that same variable named prefixed with GHA_
 if [[ "$arg" == "__expand:"* ]]; then
- local varName=${arg#"__expand:"}
- if [ ! -z "${!varName}" ]; then
- readarray -d '' expandedArgs < <(xargs printf '%s\0' <<<"${!varName}")
- cmd+=("${expandedArgs[@]}")
- fi
+ local varBaseName=${arg#"__expand:"}
+ for varName in $varBaseName GHA_$varBaseName; do
+ if [ ! -z "${!varName}" ]; then
+ readarray -d '' expandedArgs < <(xargs printf '%s\0' <<<"${!varName}")
+ cmd+=("${expandedArgs[@]}")
+ fi
+ done
 else
 cmd+=("$arg")
 fi
diff --git a/internal/set-fod-var-defaults/action.yml b/internal/set-fod-var-defaults/action.yml
index 9cbbded..6ed9f24 100644
--- a/internal/set-fod-var-defaults/action.yml
+++ b/internal/set-fod-var-defaults/action.yml
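Review bot: In `run` (internal/run-script/scripts/common.sh) the new loop `for varName in $varBaseName GHA_$varBaseName; do` expands the name unquoted and drops the `local` that `varName` had before, so the name is subject to word splitting and globbing and the loop variable now leaks out of the function. I would write `local varBaseName=${arg#"__expand:"} varName` followed by `for varName in "$varBaseName" "GHA_$varBaseName"; do`. Since `${!varName}` is an indirect expansion, it would also be worth skipping any name that does not match `^[A-Za-z_][A-Za-z0-9_]*$`, assuming `__expand:` arguments are only ever meant to name plain variables. The comment should also state that any `GHA_<NAME>` present in the job environment is appended to the command line, so the prefix is effectively reserved for this action's own steps. The body of `run` starts and ends outside the hunk.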
@@ -4,7 +4,8 @@ author: 'Fortify'
 runs:
 using: composite
 steps:
- - if: ${{ !env.FOD_RELEASE }}
+ - name: Set default FoD release name
+ if: ${{ !env.FOD_RELEASE }}
 run: |
 export FOD_RELEASE="${APP}:${REL}"
 echo FOD_RELEASE=$FOD_RELEASE >> $GITHUB_ENV
@@ -13,6 +14,25 @@ runs:
 env:
 APP: ${{ github.repository }}
 REL: ${{ github.head_ref || github.ref_name }}
+ - name: Configure --oss setup / -oss package options if Debricked scan enabled
+ if: ${{ env.DO_DEBRICKED_SCAN=='true' }}
+ run: |
+ # Configure --oss setup / -oss package options if Debricked scan enabled. Note that
+ # composite actions can't override user-provided environment variables, so we use
+ # a GitHub Action specific environment variable that will be automatically expanded
+ # in internal/run-script/scripts/common.sh.
+ #
+ # Platform-independent regexes looking for -oss/--oss options with word boundaries
+ # See 'Optional reading' section at https://stackoverflow.com/a/12696899
+ PKG_REGEX="(^|[^[:alnum:]_])-oss([^[:alnum:]_]|$)"
+ SETUP_REGEX="(^|[^[:alnum:]_])--oss([^[:alnum:]_]|$)"
+ if [[ ! $EXTRA_PACKAGE_OPTS =~ $PKG_REGEX && ! $PACKAGE_EXTRA_OPTS =~ $PKG_REGEX ]]; then
+ echo "GHA_PACKAGE_EXTRA_OPTS=-oss" >> $GITHUB_ENV
+ fi
+ if [[ ! $SETUP_EXTRA_OPTS =~ $SETUP_REGEX ]]; then
+ echo "GHA_SETUP_EXTRA_OPTS=--oss" >> $GITHUB_ENV
+ fi
+ shell: bash
 branding:
 icon: 'shield'
diff --git a/package/action.yml b/package/action.yml
index dbf9dc6..1188651 100644
--- a/package/action.yml
+++ b/package/action.yml
@@ -4,6 +4,7 @@ author: 'Fortify'
 runs:
 using: composite
 steps:
+ - uses: fortify/github-action/internal/set-fod-var-defaults@main
 - uses: fortify/github-action/internal/setup-java-for-sc-client@main
 - uses: fortify/github-action/setup@main
 with:
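Review bot: The `GHA_PACKAGE_EXTRA_OPTS` and `GHA_SETUP_EXTRA_OPTS` values written by the new step in internal/set-fod-var-defaults/action.yml go to `$GITHUB_ENV`, so they stay set for every later step of the job, and nothing clears them when `DO_DEBRICKED_SCAN` is not `'true'`. If the action can run more than once in a job (not visible from this hunk), a later run without the Debricked input would still receive `-oss`/`--oss` through the `GHA_` expansion in common.sh, and a `GHA_*` value already present in the job environment is picked up unchanged. Consider a companion step with the inverse condition that writes an empty value, for example `echo "GHA_SETUP_EXTRA_OPTS=" >> "$GITHUB_ENV"`, and quote the redirect target as `>> "$GITHUB_ENV"` in both `echo` lines. The comment block could also say that `DO_DEBRICKED_SCAN` is set by the top-level action.yml, since that contract is otherwise only visible across files.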
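Review bot: The added step `uses: fortify/github-action/internal/set-fod-var-defaults@main` in package/action.yml resolves from the moving `main` branch, so a consumer who pins the package action to a tag or commit still executes whatever that internal action contains on `main` at run time. Unless the release process rewrites these refs (not visible here), I would reference the same immutable ref as the release, `uses: fortify/github-action/internal/set-fod-var-defaults@<release-tag-or-commit-sha>` (placeholder). The step also has no `if:` guard, so it now runs for every caller of the package action and writes `FOD_RELEASE` into the job environment even where FoD is not in use. A one-line comment saying why packaging needs the FoD defaults would help.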