|
| 1 | +--- |
| 2 | +title: Configuring open source license policies |
| 3 | +shortTitle: Configure license policies |
| 4 | +intro: Create and enforce open source license policies to control which licenses your dependencies are allowed to use. |
| 5 | +product: 'Organizations owned by a {% data variables.product.prodname_enterprise %} account with {% data variables.product.prodname_GH_code_security %} enabled' |
| 6 | +versions: |
| 7 | + feature: open-source-license-compliance |
| 8 | +contentType: how-tos |
| 9 | +category: |
| 10 | + - Secure your dependencies |
| 11 | +redirect_from: |
| 12 | + - /early-access/code-security/supply-chain-security/enforcing-license-policy-across-an-enterprise |
| 13 | +--- |
| 14 | + |
| 15 | +{% data reusables.code-security.open-source-license-compliance-public-preview-note %} |
| 16 | + |
| 17 | +## Prerequisites |
| 18 | + |
| 19 | +Before you configure license policies, ensure that: |
| 20 | + |
| 21 | +* Your organization has {% data variables.product.prodname_GH_code_security %} |
| 22 | +* You have access to manage enterprise or organization policy and rulesets |
| 23 | +* Dependency graph is enabled for repositories you want to evaluate |
| 24 | + |
| 25 | +## About license compliance |
| 26 | + |
| 27 | +Open source license compliance lets you define a policy that specifies which licenses your dependencies are allowed to use. |
| 28 | + |
| 29 | +When the policy is enforced with rulesets, {% data variables.product.github %} evaluates pull requests that change package manifests, checks direct and transitive dependencies, and compares detected licenses to your policy. Pull requests with noncompliant dependencies remain blocked until violations are resolved. |
| 30 | + |
| 31 | +Violations are typically resolved by: |
| 32 | + |
| 33 | +* Updating the pull request to use compliant dependencies |
| 34 | +* Approving an exception for a package or license |
| 35 | +* Updating policy to allow a license where appropriate |
| 36 | + |
| 37 | +## Create a license policy |
| 38 | + |
| 39 | +{% data reusables.enterprise-accounts.access-enterprise %} |
| 40 | +{% data reusables.enterprise-accounts.policies-tab %} |
| 41 | +1. In the sidebar, click **License compliance**. |
| 42 | +1. Click **Default policy**. |
| 43 | +1. On the **Edit license policy** page, click **Add licenses** and choose **Select from list**. |
| 44 | +1. From the license picker, select the licenses you want to permit. The licenses in this list are categorized based on their general risk level for use in corporate environments, but this is purely informational and does not constitute legal advice. **Always check with your organization's legal team for policy guidance**. |
| 45 | +1. Save your changes. |
| 46 | + |
| 47 | +Alternately, if you have an existing license policy from another tool, you can import it as a list of SPDX expressions. |
| 48 | +1. On the **Edit license policy** page, click **Add licenses** and choose **Manual input**. |
| 49 | +1. Enter one or more SPDX license identifiers, each on a new line. |
| 50 | +1. Save your changes. |
| 51 | + |
| 52 | +The licenses you add form your baseline policy. You can later add package-level exceptions when handling alerts. |
| 53 | + |
| 54 | +## Configure access for Enterprise Open Source License Managers |
| 55 | + |
| 56 | +{% data reusables.enterprise-accounts.access-enterprise %} |
| 57 | +{% data reusables.enterprise-accounts.people-tab %} |
| 58 | +1. In the left sidebar, click **{% octicon "globe" aria-hidden="true" aria-label="globe" %} Enterprise roles**. |
| 59 | +1. Click **Role assignments**. |
| 60 | +1. Click **Assign role**. |
| 61 | +1. Select the **Enterprise Open Source License Manager** role. |
| 62 | +1. Choose a user or team to assign the role to. |
| 63 | +1. Click **Assign role**. |
| 64 | + |
| 65 | +Assigning this role also subscribes reviewers to request notifications so they can respond to dismissal requests quickly. |
| 66 | + |
| 67 | +## Optionally use custom properties to control rollout per repository |
| 68 | + |
| 69 | +If you want gradual rollout, use a repository custom property to control whether each repository is in inactive, evaluate, or active enforcement mode. |
| 70 | + |
| 71 | +{% data reusables.organizations.navigate-to-org %} |
| 72 | +{% data reusables.organizations.org_settings %} |
| 73 | +{% data reusables.organizations.access-custom-properties %} |
| 74 | +1. Create a single-select repository custom property, for example `open_source_license_compliance`. |
| 75 | +1. Add values for `inactive`, `evaluate`, and `active`. |
| 76 | +1. Set the default value to `inactive`. |
| 77 | +1. Decide who can change the property value. |
| 78 | +1. Assign property values to repositories based on their rollout stage. |
| 79 | + |
| 80 | +## Enforce policy in pull requests with rulesets |
| 81 | + |
| 82 | +We suggest making two rulesets, one for **Evaluate** mode and one for **Active** mode. If you created custom properties to control the rollout, you can target those properties here. |
| 83 | + |
| 84 | +1. Go to the rulesets page for the scope where you want enforcement. |
| 85 | +1. Create a branch ruleset. |
| 86 | +1. Under the ruleset name, set **Enforcement status**: |
| 87 | + |
| 88 | + * For your first ruleset, select **Evaluate**. |
| 89 | + * For your second ruleset, select **Active**. |
| 90 | +1. Choose how to target repositories: |
| 91 | + |
| 92 | + * If you use custom properties, target by `open_source_license_compliance`: |
| 93 | + * For the evaluate-mode ruleset, target repositories where the property value is `evaluate`. |
| 94 | + * For the active-mode ruleset, target repositories where the property value is `active`. |
| 95 | + * If you do not use custom properties, target repositories by repository pattern or explicit repository selection. |
| 96 | +1. Enable **Require license compliance results before merging**. |
| 97 | +1. Save your changes. |
| 98 | + |
| 99 | +For more information about rulesets, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets) and [AUTOTITLE](/organizations/managing-organization-settings/creating-rulesets-for-repositories-in-your-organization#targeting-repositories-by-properties-in-your-organization). |
| 100 | + |
| 101 | +## Test policy enforcement |
| 102 | + |
| 103 | +1. In a targeted repository, open a pull request that changes dependency manifests. |
| 104 | +1. Confirm that pull request annotations show license compliance results. |
| 105 | +1. If a dependency violates policy, review the generated alert and request dismissal if an exception is needed. |
| 106 | + |
| 107 | +When violations are unresolved, the pull request remains blocked. |
| 108 | + |
| 109 | +## Review and handle exception requests |
| 110 | + |
| 111 | +1. As an Enterprise Open Source License Manager, open the list of pending license alert requests in your enterprise security views. |
| 112 | +1. Review each request and decide whether to deny or approve it. |
| 113 | +1. If you approve, choose whether the exception should apply to a package, a license, or a package pattern. |
| 114 | +1. Choose whether to apply the exception at repository scope or enterprise scope. |
| 115 | +1. Save the exception. |
| 116 | + |
| 117 | +After a request is approved, the alert is closed and the pull request is unblocked, as long as no other required checks are failing. |
| 118 | + |
| 119 | +## Review effective policy for a repository |
| 120 | + |
| 121 | +{% data reusables.repositories.navigate-to-repo %} |
| 122 | +{% data reusables.repositories.sidebar-settings %} |
| 123 | +1. In the sidebar, under "Security", click **License policy**. |
| 124 | +1. Review the combined policy and exception set in effect for that repository. |
| 125 | +1. Update enterprise-level or repository-level policy as needed. |
| 126 | + |
| 127 | +## Further reading |
| 128 | + |
| 129 | +* [AUTOTITLE](/code-security/concepts/supply-chain-security/open-source-license-compliance). |
0 commit comments