License Policies allow you to define which package licenses are allowed within your organization. You can specify one or more licenses to exclude and an action to perform when a specified license is detected.
This is useful when you need to flag or optionally automatically quarantine a package based on the associated license.
Cloudsmith will automatically match licenses for the following package formats:
To manage the license policies in your organisation, go to your organization's “Settings” page and select "License Policies" from the left-hand menu.
During the beta phase, you can only create and delete license policies. Deactivating a policy is not supported at this time, resulting in any policy created being active until deleted.
To add a new license to the deny list, click “Create License Policy”.
You are then presented with the “Create a License Policy” form:
Here you can define the following:
|A display name for the License Policy.
|A description of the License Policy.
|Allow unknown or absent licenses
|Set to “Yes” to ignore packages with missing or unknown licenses. Set to “No” to flag and quarantine packages with a missing or unknown license.
Note: SPDX License List is used as the license source. If a package has a license that is not listed in the SPDX License List, this will be treated as an unknown license.
|Quarantine on violation
|If set to "Yes", any package that violates this license policy is flagged and automatically quarantined.
If set to "No", packages that violate this license policy are flagged, but not automatically quarantined.
|Select licenses to deny
|Select the licenses to be denied as part of this policy. The licenses listed in this table are sourced from the SPDX License List.
Once saved, the policy is enabled across your organsization and the policy compliance check will be performed automatically during the package synchronisation process. This process occurs when a package is uploaded, moved, copied, or cached (such as in upstream caching).
You can also manually trigger a synchronisation of a package using the resync functionality. See Package Resynchronization for instructions on how to do this.
When a package violates a license policy and is quarantined, a warning is displayed within the UI:
Clicking the link within this warning, displays a custom search page, displaying all packages with policy violations:
You can view this violation list at any time using our package search (link) feature and setting the filter to
policy_violated:truefor all policy violations, or
license_policy_violated:trueto only return license policy violations.
Within a repository, packages with policy violations are identified with the Policy Violation and Quarantined icons.
|This package is in violation of policy. Click on the package to view more details.
|This package has been quarantined, downloads will be blocked until the package is released from quarantine.
Reason given: the package was quarantined as a result of a policy violation
Clicking on the package name displays the Package view page, which provides details on the policy that has been violated.
Logs of policy violations and quarantining actions are also displayed within the Package Logs page:
Hover over the “policy violation” text to display additional details on the policy and license violation.
It's important to note that packages cannot be restored from quarantine if they are still in violation of an existing policy which has Quarantine on violation set to "Yes".
To remove a package from quarantine, you have four options:
- Change the package license to an allowed license via the license compliance section of the package's repository.
- Apply a manual license override of "ignored" or "purchased" via the license compliance section of the package's repository.
- Edit the license policy to remove the license from the deny list.
- Edit the license policy to set Quarantine on violation to "No".
If you change the package license, the package will be resynchronized and automatically undergo the policy check again. If the new license is not on the deny list, the package will no longer be marked as a policy violation and can be manually removed from quarantine.
If you update the policy to remove the license from the deny list or set Quarantine on violation set to "No", the package can be manually removed from quarantine.
See Package Quarantine for instructions on restoring a package from quarantine.
Updated about 1 month ago