Skip to content

Commit 3b1ee36

Browse files
guntripCopilotahpooklecoursen
authored
Open Source License Compliance [Public Preview] (#61903)
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Co-authored-by: Eric Sorenson <ahpook@github.com> Co-authored-by: Laura Coursen <lecoursen@github.com>
1 parent f09a8a6 commit 3b1ee36

7 files changed

Lines changed: 197 additions & 1 deletion

File tree

content/code-security/concepts/supply-chain-security/index.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -10,6 +10,7 @@ redirect_from:
1010
- /code-security/supply-chain-security/understanding-your-software-supply-chain
1111
children:
1212
- supply-chain-security
13+
- open-source-license-compliance
1314
- best-practices-for-maintaining-dependencies
1415
- dependency-graph
1516
- dependency-graph-data
Lines changed: 60 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,60 @@
1+
---
2+
title: About open source license compliance
3+
shortTitle: Open Source license compliance
4+
intro: Define and enforce license policy for dependencies in your repositories with open source license compliance.
5+
product: 'Organizations owned by an enterprise account with {% data variables.product.prodname_GH_code_security %} enabled'
6+
versions:
7+
feature: open-source-license-compliance
8+
contentType: concepts
9+
category:
10+
- Secure your dependencies
11+
---
12+
13+
{% data reusables.code-security.open-source-license-compliance-public-preview-note %}
14+
15+
## Overview
16+
17+
Open source license compliance helps you **track dependency licenses** and **enforce policy** for the open source software in your supply chain. You can use license compliance to reduce legal and operational risk, catching nonconforming dependencies **before** changes are merged.
18+
19+
## How license policy works
20+
21+
You can define an enterprise or organization policy that controls which licenses dependencies are allowed to use.
22+
23+
You can specify licenses from either a built-in list or, if a license is not listed, by manually adding a SPDX license identifier.
24+
25+
Your policy is applied at the enterprise, organization, and repository scope. You can also add package or license exceptions when an **Enterprise Open Source License Manager** approves requests.
26+
27+
License evaluation uses dependency data from your repositories, including transitive dependencies detected in the dependency graph.
28+
29+
## How pull request enforcement works
30+
31+
Open source license compliance is enforced through branch rulesets. When a pull request changes package manifests, {% data variables.product.github %} compares dependency changes between the base and pull request branches, evaluates detected licenses against policy, and reports violations.
32+
33+
If there is a ruleset in **Active** mode which uses the "Requires license compliance results before merging" condition, pull requests that introduce noncompliant dependencies are blocked until violations are resolved. An **Evaluate** mode ruleset with that condition will run license checks and annotate the pull request, but not block merges.
34+
35+
Additionally, a [branch protection rule](/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule) that requires comment resolution before merging will track annotations from license checks, so even alerts generated by **Evaluate** rulesets will be subject to the protection.
36+
37+
## Where results appear
38+
39+
If a dependency's license isn't in your policy, findings will appear in pull request annotations. The annotations do not automatically generate an exception request, because the developer could decide to modify their code to avoid the noncompliant dependency. If they do want to use the dependency, {% data variables.product.github %} will prompt the developer for more information, then send the closure request to the Enterprise Open Source License Managers, who have permission to modify the policy.
40+
41+
For Enterprise Open Source License Managers, pending exception requests are available in enterprise security views and sent as email notifications.
42+
43+
## Scope and governance model
44+
45+
You can create policy at enterprise scope for a common baseline, then layer repository-specific exceptions where needed.
46+
47+
For large enterprises, a common pattern is:
48+
49+
* Define broad policy centrally
50+
* Assign the Enterprise Open Source License Manager role to policy reviewers
51+
* Use a repository custom property to classify repositories as inactive, evaluate, or active
52+
* Use rulesets that target the custom property values to control enforcement mode by repository
53+
54+
Developers with write access can view the effective policy and exceptions for a repository from the repository's license policy settings page.
55+
56+
## Next steps
57+
58+
To get started, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-license-policies).
59+
60+
For more information about rulesets, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets).

content/code-security/how-tos/secure-your-supply-chain/index.md

Lines changed: 0 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -17,4 +17,3 @@ children:
1717
- secure-your-dependencies
1818
- manage-your-dependency-security
1919
- establish-provenance-and-integrity
20-
---
Lines changed: 129 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,129 @@
1+
---
2+
title: Configuring open source license policies
3+
shortTitle: Configure license policies
4+
intro: Create and enforce open source license policies to control which licenses your dependencies are allowed to use.
5+
product: 'Organizations owned by a {% data variables.product.prodname_enterprise %} account with {% data variables.product.prodname_GH_code_security %} enabled'
6+
versions:
7+
feature: open-source-license-compliance
8+
contentType: how-tos
9+
category:
10+
- Secure your dependencies
11+
redirect_from:
12+
- /early-access/code-security/supply-chain-security/enforcing-license-policy-across-an-enterprise
13+
---
14+
15+
{% data reusables.code-security.open-source-license-compliance-public-preview-note %}
16+
17+
## Prerequisites
18+
19+
Before you configure license policies, ensure that:
20+
21+
* Your organization has {% data variables.product.prodname_GH_code_security %}
22+
* You have access to manage enterprise or organization policy and rulesets
23+
* Dependency graph is enabled for repositories you want to evaluate
24+
25+
## About license compliance
26+
27+
Open source license compliance lets you define a policy that specifies which licenses your dependencies are allowed to use.
28+
29+
When the policy is enforced with rulesets, {% data variables.product.github %} evaluates pull requests that change package manifests, checks direct and transitive dependencies, and compares detected licenses to your policy. Pull requests with noncompliant dependencies remain blocked until violations are resolved.
30+
31+
Violations are typically resolved by:
32+
33+
* Updating the pull request to use compliant dependencies
34+
* Approving an exception for a package or license
35+
* Updating policy to allow a license where appropriate
36+
37+
## Create a license policy
38+
39+
{% data reusables.enterprise-accounts.access-enterprise %}
40+
{% data reusables.enterprise-accounts.policies-tab %}
41+
1. In the sidebar, click **License compliance**.
42+
1. Click **Default policy**.
43+
1. On the **Edit license policy** page, click **Add licenses** and choose **Select from list**.
44+
1. From the license picker, select the licenses you want to permit. The licenses in this list are categorized based on their general risk level for use in corporate environments, but this is purely informational and does not constitute legal advice. **Always check with your organization's legal team for policy guidance**.
45+
1. Save your changes.
46+
47+
Alternately, if you have an existing license policy from another tool, you can import it as a list of SPDX expressions.
48+
1. On the **Edit license policy** page, click **Add licenses** and choose **Manual input**.
49+
1. Enter one or more SPDX license identifiers, each on a new line.
50+
1. Save your changes.
51+
52+
The licenses you add form your baseline policy. You can later add package-level exceptions when handling alerts.
53+
54+
## Configure access for Enterprise Open Source License Managers
55+
56+
{% data reusables.enterprise-accounts.access-enterprise %}
57+
{% data reusables.enterprise-accounts.people-tab %}
58+
1. In the left sidebar, click **{% octicon "globe" aria-hidden="true" aria-label="globe" %} Enterprise roles**.
59+
1. Click **Role assignments**.
60+
1. Click **Assign role**.
61+
1. Select the **Enterprise Open Source License Manager** role.
62+
1. Choose a user or team to assign the role to.
63+
1. Click **Assign role**.
64+
65+
Assigning this role also subscribes reviewers to request notifications so they can respond to dismissal requests quickly.
66+
67+
## Optionally use custom properties to control rollout per repository
68+
69+
If you want gradual rollout, use a repository custom property to control whether each repository is in inactive, evaluate, or active enforcement mode.
70+
71+
{% data reusables.organizations.navigate-to-org %}
72+
{% data reusables.organizations.org_settings %}
73+
{% data reusables.organizations.access-custom-properties %}
74+
1. Create a single-select repository custom property, for example `open_source_license_compliance`.
75+
1. Add values for `inactive`, `evaluate`, and `active`.
76+
1. Set the default value to `inactive`.
77+
1. Decide who can change the property value.
78+
1. Assign property values to repositories based on their rollout stage.
79+
80+
## Enforce policy in pull requests with rulesets
81+
82+
We suggest making two rulesets, one for **Evaluate** mode and one for **Active** mode. If you created custom properties to control the rollout, you can target those properties here.
83+
84+
1. Go to the rulesets page for the scope where you want enforcement.
85+
1. Create a branch ruleset.
86+
1. Under the ruleset name, set **Enforcement status**:
87+
88+
* For your first ruleset, select **Evaluate**.
89+
* For your second ruleset, select **Active**.
90+
1. Choose how to target repositories:
91+
92+
* If you use custom properties, target by `open_source_license_compliance`:
93+
* For the evaluate-mode ruleset, target repositories where the property value is `evaluate`.
94+
* For the active-mode ruleset, target repositories where the property value is `active`.
95+
* If you do not use custom properties, target repositories by repository pattern or explicit repository selection.
96+
1. Enable **Require license compliance results before merging**.
97+
1. Save your changes.
98+
99+
For more information about rulesets, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets) and [AUTOTITLE](/organizations/managing-organization-settings/creating-rulesets-for-repositories-in-your-organization#targeting-repositories-by-properties-in-your-organization).
100+
101+
## Test policy enforcement
102+
103+
1. In a targeted repository, open a pull request that changes dependency manifests.
104+
1. Confirm that pull request annotations show license compliance results.
105+
1. If a dependency violates policy, review the generated alert and request dismissal if an exception is needed.
106+
107+
When violations are unresolved, the pull request remains blocked.
108+
109+
## Review and handle exception requests
110+
111+
1. As an Enterprise Open Source License Manager, open the list of pending license alert requests in your enterprise security views.
112+
1. Review each request and decide whether to deny or approve it.
113+
1. If you approve, choose whether the exception should apply to a package, a license, or a package pattern.
114+
1. Choose whether to apply the exception at repository scope or enterprise scope.
115+
1. Save the exception.
116+
117+
After a request is approved, the alert is closed and the pull request is unblocked, as long as no other required checks are failing.
118+
119+
## Review effective policy for a repository
120+
121+
{% data reusables.repositories.navigate-to-repo %}
122+
{% data reusables.repositories.sidebar-settings %}
123+
1. In the sidebar, under "Security", click **License policy**.
124+
1. Review the combined policy and exception set in effect for that repository.
125+
1. Update enterprise-level or repository-level policy as needed.
126+
127+
## Further reading
128+
129+
* [AUTOTITLE](/code-security/concepts/supply-chain-security/open-source-license-compliance).

content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/index.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -8,6 +8,7 @@ versions:
88
ghec: '*'
99
contentType: how-tos
1010
children:
11+
- /configure-license-policies
1112
- /auto-triage-dependabot-alerts
1213
- /prioritize-with-preset-rules
1314
- /customizing-dependabot-security-prs
Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,4 @@
1+
# Open source license compliance (public preview)
2+
versions:
3+
fpt: '*'
4+
ghec: '*'
Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,2 @@
1+
> [!NOTE]
2+
> Open source license compliance is in {% data variables.release-phases.public_preview %} and subject to change.

0 commit comments

Comments
 (0)