License Analysis in Component Scanning
Overview
Understanding the licenses of third-party components is essential for maintaining compliance and avoiding unintended legal obligations. In particular, restrictive licenses may impose requirements that are incompatible with proprietary software distribution.
To address this, the platform supports license-aware analysis, enabling guardrails to detect and block the use of components with disallowed licenses during dependency or project scans.
Scope and Compatibility
The license-based guardrail condition applies consistently across Software Composition Analysis (SCA) and any other component-based risk type where license information exists. It does not affect non-component analyses or guardrails that are unrelated to licensing.
Enabling License Analysis
License data can be explicitly included in the analysis by using the following CLI parameter:
--include-license-analysis
This parameter is available for the deps and scan commands.
When --include-license-analysis is used:
License information is requested from the server for all detected components.
License data is included in the analysis results.
When combined with the -o option, license data is also included in the generated JSON report.
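As an added example (not the platform's own code or report format), the following Python script shows the kind of policy check a guardrail applies to a JSON report generated with --include-license-analysis and -o. The report schema, the component names and the disallowed-license policy are all assumed and constructed for this example; a real report must be mapped to your tool's actual fields.

```python
import json

# Example policy: identifiers (SPDX style) that must not appear in shipped components.
DISALLOWED = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"}

# Constructed sample report; the schema is an assumption, not the platform's format.
CONSTRUCTED_REPORT = json.dumps({
    "components": [
        {"name": "left-pad", "version": "1.3.0", "licenses": ["MIT"]},
        {"name": "readline", "version": "8.2", "licenses": ["GPL-3.0-only"]},
        {"name": "dual-lib", "version": "2.0.0", "licenses": ["MIT OR GPL-2.0-only"]},
        {"name": "mystery", "version": "0.1.0", "licenses": []},
    ]
})


def alternative_allowed(alt, disallowed):
    """An AND-conjunction is allowed only if every licence in it is allowed.
    'X WITH exception' is judged on X (the exception does not change the policy here)."""
    ids = [part.strip().split(" WITH ")[0] for part in alt.split(" AND ")]
    return all(i not in disallowed for i in ids)


def expression_allowed(expr, disallowed):
    """A parenthesis-free SPDX expression is allowed if at least one OR-alternative
    is allowed: a dual-licensed component can be consumed under the permissive branch."""
    expr = expr.strip().strip("()")
    return any(alternative_allowed(alt, disallowed) for alt in expr.split(" OR "))


def evaluate(report_json, disallowed=DISALLOWED):
    """Return components that violate the policy and components with no licence data.
    Missing data is reported separately rather than silently passed, because the
    guardrail only applies where licence information exists."""
    report = json.loads(report_json)
    violations, no_license_data = [], []
    for comp in report.get("components", []):
        label = f"{comp['name']}@{comp['version']}"
        exprs = comp.get("licenses") or []
        if not exprs:
            no_license_data.append(label)
        elif not all(expression_allowed(e, disallowed) for e in exprs):
            violations.append(label)
    return {"violations": violations, "no_license_data": no_license_data}


def should_block(result):
    """Guardrail decision: block the scan when any component violates the policy."""
    return bool(result["violations"])
```

Components with no license data are listed separately so a reviewer can decide whether an empty result means "permissive" or "unknown".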