> ## Documentation Index
> Fetch the complete documentation index at: https://docs.semgrep.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# License compliance

<Info>
  **PREREQUISITE**

  At least one repository that scans for dependencies through Semgrep Supply Chain. See [Scan third-party dependencies](/semgrep-supply-chain/set-up-and-configure).
</Info>

Semgrep Supply Chain's **license compliance** feature enables you to explicitly allow or disallow (block) a package's use in your repository based on its license. For example, your company policy may disallow the use of packages with the Creative Commons Attribution-NonCommercial (CC-BY-NC) license.

Whenever Semgrep determines that a dependency or version with a disallowed package has been added, it can notify you of this in a pull request or merge request comment.

## Language support

Licenses are detected based on the **package manager** used. See [Supported languages](/supported-languages/#semgrep-supply-chain) for a list of supported package managers.

## Types of license policies

Licenses in Semgrep can be assigned any of the following policies:

| <Tooltip tip="A policy defines the set of rules that Semgrep runs and the workflow actions it undertakes when a rule from the policy generates a finding. The workflow action can include notifying Slack channels or posting a comment in the pull request or merge request that generated the finding. Not to be confused with policy-as-code." cta="See full definition." href="/semgrep-code/glossary#policy">Policy</Tooltip> | Description                                                                                                                                                                                                                                                                                        |
| :--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Allow**                                                                                                                                                                                                                                                                                                                                                                                                                          | Packages with licenses assigned this type of permission are allowed for use in the codebase.                                                                                                                                                                                                       |
| **Comment**                                                                                                                                                                                                                                                                                                                                                                                                                        | Packages with licenses assigned this type of permission are allowed for use in the codebase. A comment is added to the PR or MR introducing the package into the codebase. This permission can be useful when you want to remind or warn developers to use certain licenses for internal use only. |
| **Block**                                                                                                                                                                                                                                                                                                                                                                                                                          | Packages with licenses assigned this type of permission are <strong>not</strong> allowed into the codebase. A comment is added to the PR or MR introducing the package into the codebase and the diff-aware scan exits with code 1.                                                                |

By default, all licenses are set to **Allow**. You must configure your policies to block or leave comments on licenses.

License compliance only blocks or comments when new licenses are introduced in a PR or MR, by dependency addition or version change. However, you can see the license status of current dependencies in the Semgrep AppSec Platform under **[Supply Chain](https://semgrep.dev/orgs/-/supply-chain)** > **Dependencies**, using the [search filters](/semgrep-supply-chain/dependency-search#search-filters).

## View license policy

To view a package's license policy:

<Steps>
  <Step>
    [Sign in to Semgrep AppSec Platform](https://semgrep.dev/login).
  </Step>

  <Step>
    Navigate to **[Rules & Policies > Policies > Supply Chain > License configuration](https://semgrep.dev/orgs/-/policies/supply-chain#license-config)**.
  </Step>
</Steps>

## Change the license policy

To change the policies of packages based on the license:

<Steps>
  <Step>
    Sign in to [Semgrep AppSec Platform](https://semgrep.dev/login), and navigate to **[Rules & Policies > Policies > Supply Chain > License configuration](https://semgrep.dev/orgs/-/policies/supply-chain#license-config)**.
  </Step>

  <Step>
    Browse the available licenses within the **License configuration** section.
  </Step>

  <Step>
    Click the permission (**Allow**, **Comment**, or **Block**) you want to set the license to.
  </Step>

  <Step>
    **Optional**: Block entire categories of licenses by clicking on the **Set all to** drop-down box next to the license category.
  </Step>
</Steps>

## License information

License information is often stored in the package's repository alongside the source code. You can generally find this information in:

* A license file, such as `LICENSE` or `LICENSE.txt`
* The manifest file, such as the `pyproject.toml` or `package.json`, which typically specifies a `license` field

Semgrep uses [deps.dev](https://deps.dev/) as the primary source for license data, which is then displayed in Semgrep AppSec Platform.

[deps.dev](https://deps.dev/) aggregates license metadata from package registry APIs, such as PyPI and npm. This metadata is provided by package maintainers through their manifest files and may be missing, incomplete, or inaccurate. If the license data displayed in Semgrep AppSec Platform for a particular package is missing or doesn't show the expected value, the data provided by the package maintainer to populate the package registry API is likely incomplete or incorrect.

## License categories

Semgrep Supply Chain can identify the following licenses and license categories.

### Popular Weak-copyleft licenses

Software using packages with weak copyleft licenses may have to maintain the same license as the package. To determine if this applies to your project, consult your legal department. Developers typically choose these packages based on individual preferences, so usage should be monitored to ensure license compliance.

* LGPL-3.0
* LGPL-2.1
* MPL-2.0
* EPL-2.0
* OSL-3.0
* EUPL-1.2

### Popular Copyleft licenses

Software using packages with copyleft licenses **must** maintain the same license as the packages. To prevent license complications, developers often avoid packages using these licenses.

* GPL-3.0
* GPL-2.0
* AGPL-3.0
* AGPL-2.0
* CC-BY-SA-4.0
* APSL

### Popular Permissive licenses

Packages with permissive licenses have minimal restrictions on how they can be used or modified. This makes permissive licenses popular among developers for their flexibility, ease of use, and lack of legal concerns.

* MIT
* Apache-2.0
* BSD-3
* BSD-2
* BSD-3-Clause
* BSD-2-Clause
* CC\_BY-4.0
* WTFPL
* MS-PL
* Unlicensed

### Other licenses

Packages tagged as **Other** are those with licenses that aren't yet categorized by Semgrep Supply Chain or aren't included in the categories of weak-copyleft licenses, copyleft licenses, or permissive licenses. This category includes all other standard Software Package Data Exchange (SPDX) licenses.

The **Other** license category may include packages with copyleft or permissive licenses. Consult your legal department before using packages in this category.

### Multiple license types

Some packages utilize multiple licenses. Semgrep treats packages with multiple licenses as if all licenses apply and behaves according to the strictest policy. For example, if a package allows use under the MIT license or the GPL-3.0 license, and the GPL-3.0 license is set to Block, but the MIT license is set to Allow, a pull request that adds the package is blocked.

You can add an [exemption for the package](#create-exemptions) if subsequent review indicates the dependency is safe for use under any of the detected licenses.

## Create exemptions

You can create exemptions to **allow** specific dependencies with licenses that are typically blocked. This feature is useful for internal dependencies not accessed by users or external APIs.

<Tooltip tip="Publicly available code used as part of your application. Dependencies are listed in registries such as npm for JavaScript and PyPI for Python." cta="See full definition." href="/semgrep-supply-chain/glossary#dependency">Dependency</Tooltip> exemptions are currently version-specific, so each version used must be exempted individually.

To exempt a package:

<Steps>
  <Step>
    Sign in to Semgrep AppSec Platform and navigate to **Supply Chain > Dependencies**.
  </Step>

  <Step>
    Search for the dependencies you want to exempt.
  </Step>

  <Step>
    Click the dependency's <Icon icon="list-check" iconType="solid" /> icon to exempt it. Click the icon again to remove the exemption if necessary.
  </Step>
</Steps>

Exempted dependencies appear in the **Supply Chain > Settings** tab.

### Create custom dependency exceptions

Custom dependency exceptions allow you to manually list the dependencies that should NOT prevent Semgrep from blocking a pull request or merge request due to licensing issues.

For example, if `bitwarden/cli@2023.9.0`, which has a GPL-3.0 license, is on the allowlist, you must add an additional exception when upgrading to `bitwarden/cli@2023.9.1`. However, the dependency to which you're upgrading isn't yet listed in **Dependencies**; they appear only **after** you've scanned your project. Because the dependency isn't listed, you must manually create the exception. This ensures that the exclusion won't fail when you upgrade to `bitwarden/cli@2023.9.1` and scan your project again with Semgrep Supply Chain.

To set a custom dependency exception:

<Steps>
  <Step>
    Sign in to Semgrep AppSec Platform and navigate to **Supply Chain > License configuration**.
  </Step>

  <Step>
    In **Custom dependency exceptions**, click **Add custom exception**.
  </Step>

  <Step>
    In the **Add custom dependency exception** window that appears:

    i. Select the **Ecosystem** where this dependency applies.

    ii. Provide the **Package name**, for example, `bitwarden/cli`.

    iii. Provide the **Version** information for the package. The major, minor, and patch version information is required; pre-release and build metadata are optional.

    iv. Click **Add** to save and add the exception.
  </Step>
</Steps>
