Skip to main content

License compliance

Semgrep Supply Chain's license compliance feature enables you to explicitly allow or disallow (block) a package's use in your repository based on its license. For example, your company policy may disallow the use of packages with the Creative Commons Attribution-NonCommercial (CC-BY-NC) license.

Semgrep Supply Chain Dependencies tab with licenses listed Figure. Semgrep Supply Chain's License configuration tab with licenses and permissions listed.

Prerequisites and feature support

Viewing licenses

To view a package's license:

  1. Sign in to Semgrep AppSec Platform.
  2. Click Supply Chain > Dependencies. Detected licenses are listed in the row for a given package.

Blocking, commenting, or allowing licenses

This section provides guides on blocking or allowing packages in CI pipelines based on the license of a package.

Types of license policies

Licenses in Semgrep are assigned the following policies:

Allow
Packages with licenses assigned this type of permission are allowed for use in the codebase.
Comment
Packages with licenses assigned this type of permission are allowed for use in the codebase. A comment is added to the PR or MR that introduces the package into the codebase. This permission can be useful when you want to remind or warn developers to use certain licenses for internal use only.
Block
Packages with licenses assigned this type of permission are not allowed into the codebase. A comment is added to the PR or MR that introduces the package into the codebase.
tip

By default, all licenses are set to Allow. You must configure your policies to block or leave comments on licenses.

To change the policies of packages based on the license:

  1. From the Supply Chain page, click License configuration on the header menu.
  2. Browse the available licenses within the License configuration section. License configuration section Figure. The Supply Chain > Settings > License configuration section.
  3. Click the permission (Allow, Comment, or Block) you want to set the license to.
  4. Optional: Block entire categories of licenses by clicking on the Set all to drop-down box next to the license category.

License categories

This section describes license categories and licenses identified by Semgrep Supply Chain.

Software using a package with a weak copyleft license may have to maintain the same license as the package in specific cases. To clarify when this applies, consult your legal department. Developers typically choose these packages based on individual cases, so it's suggested to monitor their usage to ensure license compliance.

  • LGPL-3.0
  • LGPL-2.1
  • MPL-2.0
  • EPL-2.0
  • OSL-3.0
  • EUPL-1.2

Software using a package with a copyleft license must maintain the same license as the package. To prevent license complications, developers often avoid packages using these licenses.

  • GPL-3.0
  • GPL-2.0
  • AGPL-3.0
  • AGPL-2.0
  • CC-BY-SA-4.0
  • APSL

Software using a package with a permissive license have minimal restrictions on how the software can be used or modified. This makes permissive licenses popular among developers for their flexibility and ease of use without legal concerns.

  • MIT
  • Apache-2.0
  • BSD-3
  • BSD-2
  • BSD-3-Clause
  • BSD-2-Clause
  • CC_BY-4.0
  • WTFPL
  • MS-PL
  • Unlicensed

Other licenses

Other licenses include licenses that are not yet categorized by Semgrep Supply Chain, or are not included in the previous categories. These licenses include all other standard Software Package Data Exchange (SPDX) licenses.

caution

The Other license category may include copyleft or permissive licenses. Consult your legal department before using licenses in this category.

Multiple licenses

Some packages allow multiple licenses. Semgrep treats packages with multiple licenses as if all licenses apply, and behaves according to the strictest policy. For example, if a package allows use under either an MIT license or a GPL-3.0 license, and the GPL-3.0 license is set to Block, but the MIT license is set to Allow, a PR that adds the package is blocked.

Add an exemption for the package if subsequent review indicates the dependency is safe for use under one of the detected licenses.

Exempt dependencies

You can create exemptions to allow specific dependencies. This feature is useful for internal dependencies not accessed by users or external APIs.

To exempt a package:

  1. Sign in to Semgrep AppSec Platform and navigate to Supply Chain > Dependencies.
  2. Search for the dependencies you want to exempt.
  3. Click the dependency's icon to exempt it. Upon clicking on the icon, its permission changes. Click again on the icon to remove the exemption if necessary.

Exempted dependencies appear in the Supply Chain > Settings tab.

Dependency exemptions are currently version-specific. Each version used must be exempted individually.

Create custom dependency exceptions

Custom dependency exceptions allow you to manually allowlist a dependency to prevent Semgrep from blocking a pull request or merge request due to licensing issues.

For example, if bitwarden/cli@2023.9.0, which has a GPL-3.0 license, is on the allowlist, you must add an additional exception when upgrading to bitwarden/cli@2023.9.1. However, the dependency to which you're upgrading isn't yet listed in Dependencies; they appear only after you've scanned your project. Because the dependency isn't listed, you must manually create the exception. This ensures that the exclusion won't fail when you upgrade to bitwarden/cli@2023.9.1 and scan your project again with Semgrep Supply Chain.

To set a custom dependency exception:

  1. Sign in to Semgrep AppSec Platform and navigate to Supply Chain > License configuration.
  2. In Custom dependency exceptions, click Add custom exception.
  3. In the Add custom dependency exception window that appears:
    1. Select the Ecosystem where this dependency applies.
    2. Provide the Package name, for example, bitwarden/cli.
    3. Provide the Version information for the package. The major, minor, and patch version information is required; pre-release and build metadata are optional.
    4. Click Add to save and add the exception.

Semgrep AppSec Platform's Add custom exception window


Not finding what you need in this doc? Ask questions in our Community Slack group, or see Support for other ways to get help.