
Manage License Compliance

Monitor component licenses in your dependencies and ensure they comply with your organization’s licensing policies.

Prerequisites

Before you begin, ensure you have:

  • Access to a DevGuard project and repository
  • A completed dependency scan (SCA scan) or uploaded SBOM
  • Licensing policies defined for your organization (e.g., OSI-approved licenses only)

Open License Risk Management

Navigate to the license compliance interface:

  1. Navigate to Organization → Project → Repository → License Compliance
  2. You’ll see a list of components with problematic licenses
  3. Each row shows the component name, detected license, and remediation status

Understanding License Risks

DevGuard identifies license risks when:

  • No license detected - Component has no declared license
  • Non-OSI approved - License isn’t in the Open Source Initiative approved list
  • Proprietary license - License is proprietary or incompatible with open source projects
  • Undeclared license - License information is missing from package metadata

OSI-approved licenses include Apache 2.0, MIT, GPL 3.0, BSD variants, and many others. See opensource.org/licenses for the complete list.

Filter by Status

View license risks in different states:

  1. Use the State Filter tabs:
    • Open - Unresolved license issues
    • Resolved - Issues you’ve addressed (accepted, overridden, or components removed)
  2. Click the tab to filter the list

Search and Find Licenses

Locate specific components or licenses:

  1. Use the search box to find by:
    • Component name (e.g., “react”)
    • Component version (e.g., “18.2.0”)
    • License type (e.g., “GPL”, “Apache”)

The search matches partial text and is case-insensitive.

Search examples:

  • "react" → Finds React-related license issues
  • "GPL" → Shows all GPL-licensed components
  • "@angular" → Finds Angular framework components

View License Details

Click on a component to see complete license information:

  1. Click a row in the license risks list
  2. View the detected license and component information
  3. See which artifacts contain this component
  4. Check the audit trail of decisions made

Filter by Artifact

Show licenses from specific build artifacts:

  1. Use the Artifact Selector dropdown
  2. Select the artifact (container image, application build)
  3. The list updates to show only that artifact’s licenses

Make License Decisions

For each problematic license, choose how to handle it:

Accept the License Risk

If you decide to use the component despite the licensing concerns:

  1. Click on the license risk
  2. Click Accept License Risk
  3. Provide justification (required for compliance audit)
  4. Optionally add a comment
  5. The risk moves to “Resolved” status

Override with Different License

If the detected license is incorrect:

  1. Click on the component/license combination
  2. Select Override License Decision
  3. Choose the correct license from the approved list
  4. Confirm the change
  5. The component is marked as resolved with the correct license

⚠️ Only override licenses if you’re certain the auto-detection was incorrect. Verify against the package’s official repository or LICENSE file.

Remove Component

If you decide not to use this component:

  1. Remove the dependency from your code
  2. Run a new scan to detect the change
  3. The license risk automatically disappears from the open list

License Decision Audit Trail

Track all license decisions for compliance:

  1. Click on any resolved license issue
  2. View the complete history showing:
    • Who made the decision
    • When the decision was made
    • What was decided
    • Justification provided
    • Any comments or notes

This audit trail is essential for compliance frameworks like ISO 27001 and CRA.

Monitor License Distribution

Understand your overall license compliance:

  1. Navigate to the Dependencies section
  2. View the License Distribution chart showing:
    • How many components use each license
    • Percentage of OSI-approved vs. non-approved licenses
    • License breakdown by category

Key metrics:

  • OSI-Approved Licenses: Safe for most projects
  • Copyleft Licenses (GPL): Require source code disclosure
  • Proprietary Licenses: Check compatibility with your business model

Compliance Frameworks

License compliance supports these standards:

  • OSI Open Source Definition - Uses official approved licenses list
  • ISO 27001 - Tracks license decisions for audit
  • CRA (Cyber Resilience Act) - Documents license management process
  • SBOM/VEX - Exports include license information

Export License Data

Download license information for reporting:

  1. Click Download SBOM to export components with licenses
  2. The SBOM includes:
    • All component names and versions
    • Detected or overridden licenses
    • License status (approved/non-approved)
  3. Share with legal or compliance teams
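As an added example (not DevGuard’s own code), the script below applies the risk categories from “Understanding License Risks” to an exported SBOM and summarizes them the way the License Distribution chart does. It assumes the export is CycloneDX JSON with per-component `licenses` entries; the OSI subset, the category names and the sample SBOM are constructed for illustration.

```python
import json
from collections import Counter
# Constructed subset of OSI-approved SPDX ids (full list: opensource.org/licenses).
OSI_APPROVED = {"MIT", "ISC", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause",
                "MPL-2.0", "GPL-2.0-only", "GPL-3.0-only", "LGPL-2.1-only"}
# OSI-approved but copyleft: allowed, yet flagged because source disclosure applies.
COPYLEFT = {"GPL-2.0-only", "GPL-3.0-only", "LGPL-2.1-only", "AGPL-3.0-only"}

def component_licenses(component):
    """Collect the SPDX ids or free-text names declared on one CycloneDX component."""
    found = []
    for entry in component.get("licenses", []):
        lic = entry.get("license", {})
        if lic.get("id") or lic.get("name"):
            found.append(lic.get("id") or lic.get("name"))
    return found

def classify(component):
    """Map one component to the risk category shown on the License Compliance page."""
    licenses = component_licenses(component)
    if not licenses:
        return "no-license-detected"   # nothing declared in the package metadata
    if not all(lic in OSI_APPROVED for lic in licenses):
        return "non-osi-approved"      # proprietary or otherwise unapproved names
    if any(lic in COPYLEFT for lic in licenses):
        return "copyleft"              # approved, but disclosure obligations apply
    return "osi-approved"

def license_report(sbom_json):
    """Return {name@version: category} for every component in a CycloneDX JSON SBOM."""
    sbom = json.loads(sbom_json)
    return {f"{c['name']}@{c.get('version', 'unknown')}": classify(c)
            for c in sbom.get("components", [])}

def license_distribution(report):
    """Count components per category, mirroring the License Distribution chart."""
    return dict(Counter(report.values()))

# Constructed sample SBOM (not a real DevGuard export), one component per category.
SAMPLE_SBOM = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"name": "react", "version": "18.2.0", "licenses": [{"license": {"id": "MIT"}}]},
    {"name": "copyleft-lib", "version": "1.0.0", "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    {"name": "vendor-sdk", "version": "2.1.0", "licenses": [{"license": {"name": "Proprietary"}}]},
    {"name": "unlicensed-util", "version": "0.4.2"},
]})

if __name__ == "__main__":
    print(license_report(SAMPLE_SBOM))
    print(license_distribution(license_report(SAMPLE_SBOM)))
```

Components reported as non-osi-approved or no-license-detected are the ones that need an Accept, Override or Remove decision in the interface.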

Troubleshooting

“No license detected” for a component

  • Component metadata may not include license information
  • Check the package’s official repository
  • Override with the correct license manually
  • Consider contributing the license to the package

Can’t find a specific license in the dropdown

  • DevGuard uses the OSI-approved licenses list
  • If your license isn’t in the list, it’s likely not OSI-approved
  • Consider choosing the closest compatible license
  • Or contact your DevGuard administrator to add it

License decision not saving

  • Verify you have the correct permissions (project admin or owner)
  • Check your internet connection
  • Try again or contact support if the issue persists

Next Steps