Prisma Cloud can detect licenses for package dependencies in code repositories.
It can scan code repos hosted by service providers (currently GitHub only).
It can also scan build folders constructed by CI build jobs.
A license policy defines the criticality of a license.
For example, you might specify consider any package with a GPL license as a critical issue.
Depending on your license policy, Prisma Cloud can raise alerts and block builds.
Create a license compliance policy
Compliance policies consist of one or more rules.
Prisma Cloud ships with a default rule named
Default - alert all components
This rule ships with alerts disabled, so the policy is effectively disabled.
As a starting point, consider cloning this rule, and reconfiguring it for your own purposes.
Set a threshold, and declare licenses you consider critical.
Rule order is important, so be sure your custom rule sits above the default rule.
Defend > Compliance > Code repositories
Choose the target of your policy.
If your policy targets GitHub, go to the
If your policy targets your CI pipeline, go to the
Specify a rule name.
, select one or more collections to apply your policy to specific repos.
Use the default
collection to apply it to all repos.
Set the rule thresholds.
Specify the severity of each license of interest.
Each field offers SPDX license identifiers as suggestions.
Pattern-matching expressions are supported (e.g., GPL-*).
Scan with twistcli
To scan a folder with twistcli, use the following command:
twistcli coderepo scan [FOLDER_PATH] --details
Contents of the repo are assessed according to the policy in
Defend > Compliance > Code repositories > CI
Scan results are published in
Monitor > Compliance > Code repositories > CI
For CI only, a status column indicates if twistcli passed or failed the build according to the defined policy.
Review scan results.
Monitor > Compliance > Code repositories
Each row in the results table has a meter which shows the number of compliance issues at each severity level.
Click on a row to drill into the details of the scan report.