
Ensure open source license compliance

Why check for open source license compliance

It's a common practice these days to use open source packages when building software applications. Open source packages are convenient: there are options out there for pretty much anything you need.

If you're building commercial software products, it's important to remember the compliance requirements that come with these packages. How the open source packages are licensed dictates how you can use them.

Being non-compliant exposes your organization to legal risk and can cost you the trust of the open source community. Worse, you may end up spending engineering hours dealing with the fallout, such as untangling a non-compliant dependency from your codebase.

Some organizations have a formal approval process in place to review and audit open source packages before they can be used by developers. This process involves a legal review, an architectural review, a form to fill out, an issue tracker ticket to create, and so on.

For others, this process may be too heavy and slow.

Using Datree to scan for potential OSS license issues

In an ideal world, you know at any given time exactly where open source packages are used in your codebase - and, importantly, whether the way you use each package is compliant with how it's licensed.

At Datree we've been working on automating adoption of all kinds of policies - including compliance-related ones. Our product comes with rules to help you achieve SOC 2 compliance, for example.

We're happy to have released new rules and features to help your team be compliant with open source licenses:

1) Two new rules you can add to your Datree checks

- Prevent Copyleft license dependencies

- Prevent unlicensed dependencies

Screenshot: two new rules for OSS licensing in Datree's Rules Management

Screenshot: Datree's checks on a GitHub pull request that updates package.json, checking whether the OSS dependencies used are compliant with how they're licensed

2) New suggestion in the Report to prevent the use of unlicensed OSS dependencies

The Report now lists the dependencies that violate the above rules, so you can monitor any deviation from your organization's OSS licensing policies.

Screenshot: Datree's Report showing a suggestion to enable the OSS license compliance rules

3) Catalog now includes data on the license type of packages in your codebase.

The data is exportable and can be used for OSS license audit purposes.

Screenshot: Datree's Catalog showing packages with their license types

If you're interested in a live walkthrough - and in assessing your codebase for "rogue" open source packages in the process - we'd love to talk to you! Just book a time that's most convenient for you here.

Eyar Zilberman
Chief Product Officer & Co-founder
