Open source license compliance is in public preview
Enterprises can now manage their dependencies’ licenses at scale with sophisticated, ruleset-based checks that enforce a centralized policy. Open source license compliance is in public preview, letting you block noncompliant dependencies before they reach production.
How it works
Open source license compliance expands on the capabilities of the dependency review action by introducing an enterprise-wide license policy. The policy is activated by targeting repositories with a ruleset that uses a new “Require license compliance check results before merging” condition, similar to the existing code scanning conditions. When developers open pull requests that add or modify dependencies, license checks automatically run against your policy to ensure each new or changed dependency has an acceptable license. The feature annotates the pull request for any noncompliant dependencies. Each annotation must be addressed by removing or replacing the dependency, amending the license policy, or creating a package exception.
Open source license compliance introduces a new predefined enterprise role, Enterprise Open Source License Policy Manager. Assign this role to individuals or teams who should review and approve closure requests. Policy managers receive email notifications about pending requests and can review them from the enterprise console.
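To make the flow above concrete, here is a small model of a ruleset-style license check evaluated over a pull request's dependency diff. This is an added illustration, not GitHub's implementation or the dependency review action's code: the policy shape (an allowlist plus per-package exceptions), the simplified SPDX expression handling, and all package names, versions and licenses are constructed assumptions. It shows the three behaviours the section describes: only new or changed dependencies are checked, a package exception suppresses an annotation, and anything else outside the allowlist is annotated for the author to resolve.

```python
"""Model of an enterprise license policy check over a PR's dependency changes.

Illustrative only (assumed policy shape and sample data), not GitHub's code.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Dependency:
    name: str
    version: str
    license: str  # SPDX expression, e.g. "MIT" or "MIT OR GPL-2.0-only"


@dataclass
class LicensePolicy:
    allowed: frozenset[str]                       # SPDX identifiers the enterprise accepts
    exceptions: dict[str, str] = field(default_factory=dict)  # package -> approval reason

    def license_allowed(self, expr: str) -> bool:
        """Evaluate a flat SPDX expression against the allowlist.

        OR is satisfied if any alternative is allowed; AND needs every part.
        Nested parentheses are not handled (enough for the common cases here).
        """
        if " OR " in expr:
            return any(self.license_allowed(p) for p in expr.split(" OR "))
        if " AND " in expr:
            return all(self.license_allowed(p) for p in expr.split(" AND "))
        return expr.strip("() ") in self.allowed


def changed_dependencies(base: list[Dependency], head: list[Dependency]) -> list[Dependency]:
    """Return dependencies that are new in the PR or differ from the base branch."""
    base_by_name = {d.name: d for d in base}
    return [d for d in head if base_by_name.get(d.name) != d]


def check_pull_request(policy: LicensePolicy, base: list[Dependency],
                       head: list[Dependency]) -> list[str]:
    """Produce one annotation per noncompliant new/changed dependency."""
    annotations = []
    for dep in changed_dependencies(base, head):
        if dep.name in policy.exceptions:        # approved exception, skip
            continue
        if policy.license_allowed(dep.license):  # compliant, skip
            continue
        annotations.append(
            f"{dep.name}@{dep.version}: license '{dep.license}' is not in the policy allowlist"
        )
    return annotations


# Constructed sample policy and manifests (not real data).
POLICY = LicensePolicy(
    allowed=frozenset({"MIT", "Apache-2.0", "BSD-3-Clause"}),
    exceptions={"legacy-gpl-tool": "approved by policy manager (placeholder ticket id)"},
)
BASE = [
    Dependency("requests", "2.31.0", "Apache-2.0"),
    Dependency("left-pad", "1.0.0", "WTFPL"),        # pre-existing, unchanged: not re-checked
]
HEAD = [
    Dependency("requests", "2.32.0", "Apache-2.0"),  # version bump, allowed license
    Dependency("left-pad", "1.0.0", "WTFPL"),
    Dependency("legacy-gpl-tool", "3.1.0", "GPL-3.0-only"),   # covered by exception
    Dependency("dual", "0.9.0", "MIT OR GPL-2.0-only"),       # OR: MIT alternative is allowed
    Dependency("copyleft-lib", "2.0.0", "AGPL-3.0-only"),     # noncompliant -> annotated
]


if __name__ == "__main__":
    for line in check_pull_request(POLICY, BASE, HEAD):
        print("::error::" + line)
```

Note that the unchanged `left-pad` entry is never examined even though its license is outside the allowlist, which mirrors the page's statement that checks run against new or changed dependencies; a pre-existing dependency surfaces only once a pull request touches it.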
How to try it
License compliance is available today in public preview for all GitHub Enterprise Cloud customers with GitHub Advanced Security Code Security licenses. For detailed setup instructions, see About open source license compliance.
Join the discussion within GitHub Community.