License Policy

License Policies allow you to define which package licenses are allowed within your organization. You can specify one or more licenses to exclude and an action to perform when a specified license is detected.

This is useful when you need to flag or optionally automatically quarantine a package based on the associated license.

Supported Package formats

Cloudsmith will automatically match licenses for the following package formats:

View License Policies

To manage the license policies in your organization, go to your organization's “Settings” page and select "License Policies" from the left-hand menu.

🚧

During the beta phase, you can only create and delete license policies. Deactivating a policy is not supported at this time, so any policy you create remains active until it is deleted.


View License Policies

Create License Policy

To add a new license to the deny list, click “Create License Policy”.


Create License Policy Button

You are then presented with the “Create a License Policy” form:


Create License Policy Form

Here you can define the following:

Name: A display name for the License Policy.

Description: A description of the License Policy.

Allow unknown or absent licenses: Set to “Yes” to ignore packages with missing or unknown licenses. Set to “No” to flag and quarantine packages with a missing or unknown license. Note: the SPDX License List is used as the license source. If a package has a license that is not listed in the SPDX License List, it is treated as an unknown license.

Quarantine on violation: If set to "Yes", any package that violates this license policy is flagged and automatically quarantined. If set to "No", packages that violate this license policy are flagged but not automatically quarantined.

Select licenses to deny: Select the licenses to be denied as part of this policy. The licenses listed in this table are sourced from the SPDX License List.

Once saved, the policy is enabled across your organization and the policy compliance check is performed automatically during the package synchronisation process. This process occurs when a package is uploaded, moved, copied, or cached (such as in upstream caching).

You can also manually trigger a synchronisation of a package using the resync functionality. See Package Resynchronization for instructions on how to do this.

Policy Violation Notification

When a package violates a license policy and is quarantined, a warning is displayed within the UI:


License Violation Warning

Clicking the link within this warning displays a custom search page listing all packages with policy violations:


Policy Violation List

📘

You can view this violation list at any time using our package search feature and setting the filter to policy_violated:true for all policy violations, or license_policy_violated:true to return only license policy violations.

Policy Violation Identifiers

Within a repository, packages with policy violations are identified with the Policy Violation and Quarantined icons.


Policy Violation Indicators

Policy Violation: This package is in violation of policy. Click on the package to view more details.

Quarantined: This package has been quarantined; downloads will be blocked until the package is released from quarantine.

Reason given: the package was quarantined as a result of a policy violation

Clicking on the package name displays the Package view page, which provides details on the policy that has been violated.

Package Logs

Logs of policy violations and quarantining actions are also displayed within the Package Logs page:

📘

Hover over the “policy violation” text to display additional details on the policy and license violation.

Restore a package that violates a policy

It's important to note that packages cannot be restored from quarantine if they are still in violation of an existing policy which has Quarantine on violation set to "Yes".

To remove a package from quarantine, you have four options:

  • Change the package license to an allowed license via the license compliance section of the package's repository.
  • Apply a manual license override of "ignored" or "purchased" via the license compliance section of the package's repository.
  • Edit the license policy to remove the license from the deny list.
  • Edit the license policy to set Quarantine on violation to "No".

If you change the package license, the package will be resynchronized and automatically undergo the policy check again. If the new license is not on the deny list, the package will no longer be marked as a policy violation and can be manually removed from quarantine.

If you update the policy to remove the license from the deny list, or set Quarantine on violation to "No", the package can be manually removed from quarantine.

See Package Quarantine for instructions on restoring a package from quarantine.
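The policy fields described above and the restore rules in this section can be modelled offline to predict what a sync would do to a package before it is pushed. The following is an added example, not Cloudsmith's own code: the policy and package structures, the SPDX subset, and the behaviour of a manual "ignored"/"purchased" override (assumed here to suppress the violation) are assumptions for illustration.

```python
"""Offline model of the license-policy evaluation described on this page.
Assumed/constructed: the data structures, the SPDX subset, and the override
semantics. Illustrative code, not Cloudsmith's implementation."""
from dataclasses import dataclass
from typing import Optional

# Constructed subset of SPDX License List identifiers (SPDX is the license source).
SPDX_IDS = {"MIT", "Apache-2.0", "GPL-3.0-only", "AGPL-3.0-only", "BSD-3-Clause"}

@dataclass
class LicensePolicy:
    name: str
    deny: set                      # SPDX ids on the deny list
    allow_unknown: bool            # "Allow unknown or absent licenses"
    quarantine_on_violation: bool  # "Quarantine on violation"

@dataclass
class Package:
    name: str
    license: Optional[str]          # None when the package declares no license
    override: Optional[str] = None  # assumed manual override: "ignored" / "purchased"

@dataclass
class Result:
    violated: bool
    quarantined: bool
    reason: str

def evaluate(pkg: Package, policy: LicensePolicy) -> Result:
    """Return the flag/quarantine outcome the policy produces on sync."""
    if pkg.override in ("ignored", "purchased"):   # assumed: override clears the violation
        return Result(False, False, f"license override '{pkg.override}' applied")
    lic = pkg.license
    if lic is None or lic not in SPDX_IDS:          # absent or not an SPDX id => unknown
        if policy.allow_unknown:
            return Result(False, False, "unknown/absent license allowed by policy")
        return Result(True, policy.quarantine_on_violation,
                      f"unknown or absent license ({lic!r})")
    if lic in policy.deny:
        return Result(True, policy.quarantine_on_violation,
                      f"license {lic} is on the deny list of policy '{policy.name}'")
    return Result(False, False, f"license {lic} permitted")

def can_release(pkg: Package, policies) -> bool:
    """A quarantined package can only be released manually when no policy with
    'Quarantine on violation' = Yes still flags it (see the restore rules above)."""
    return not any(evaluate(pkg, p).quarantined for p in policies)
```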
