OSS license management

Prisma Cloud can detect licenses for package dependencies in code repositories. It can scan code repos hosted by service providers (currently GitHub only). It can also scan build folders constructed by CI build jobs.
A license policy defines the criticality of a license. For example, you might specify consider any package with a GPL license as a critical issue. Depending on your license policy, Prisma Cloud can raise alerts and block builds.

Create a license compliance policy

Compliance policies consist of one or more rules.
Prisma Cloud ships with a default rule named
Default - alert all components
. This rule ships with alerts disabled, so the policy is effectively disabled. As a starting point, consider cloning this rule, and reconfiguring it for your own purposes. Set a threshold, and declare licenses you consider critical. Rule order is important, so be sure your custom rule sits above the default rule.
  1. Open Console.
  2. Go to
    Defend > Compliance > Code repositories
    .
  3. Choose the target of your policy.
    If your policy targets GitHub, go to the
    Repositories
    tab.
    If your policy targets your CI pipeline, go to the
    CI
    tab.
  4. Click
    Add rule
    .
  5. Specify a rule name.
  6. In
    Scope
    , select one or more collections to apply your policy to specific repos.
    Use the default
    All
    collection to apply it to all repos.
  7. Set the rule thresholds.
  8. Specify the severity of each license of interest.
    Each field offers SPDX license identifiers as suggestions. Pattern-matching expressions are supported (e.g., GPL-*).

Scan with twistcli

To scan a folder with twistcli, use the following command:
twistcli coderepo scan [FOLDER_PATH] --details
Code copied to clipboard
Unable to copy due to lack of browser support.
Contents of the repo are assessed according to the policy in
Defend > Compliance > Code repositories > CI
. Scan results are published in
Monitor > Compliance > Code repositories > CI
For CI only, a status column indicates if twistcli passed or failed the build according to the defined policy.

Review scan results.

Go to
Monitor > Compliance > Code repositories
. Each row in the results table has a meter which shows the number of compliance issues at each severity level. Click on a row to drill into the details of the scan report.

Recommended For You