Configure Forbidden Licenses¶
BoostSecurity enables alerts to be raised when third-party packages included in your projects use licenses forbidden in your organization. The license check leverages your projects' SBOM inventories to inspect the packages' licenses and raise license alerts if a defined policy is violated.
Prerequisites¶
In order to enable the license alerts, the following are required:
- SBOM inventories must be generated. Refer to the SBOM section for how to enable SBOM.
- The BoostSecurity OSS License scanner must be enabled.
- Policies defining the forbidden licenses, as well as actions to take, must be created.
How to provision the BoostSecurity OSS License scanner¶
The BoostSecurity OSS License scanner inspects SBOMs (Software Bill of Materials) to identify the licenses of software dependencies. Leveraging this scanner with the policy engine will enable the prevention of forbidden licenses from being released with production software. This scanner can only run on the default branch.
To enable the BoostSecurity OSS License scanner:
- Go to the Scanner Coverage page.
- Find the repositories that coverage should be enabled for.
- Select the checkboxes next to those repositories.
- Click on the
Provisioning
button on the top right of the screen. - Click on the checkbox for the row labeled
BoostSecurity OSS License
. - Click on the
Complete
button on the bottom right of the modal.
How to Create License Check Policies¶
Policies can be created to define the actions to take when forbidden licenses are encountered. For example, the policy can define that a Slack message is sent as an action. The licenses considered forbidden for your enterprise are also configured as part of the policy.
To create a policy for forbidden licenses, follow these instructions:
- Navigate to the Policy page.
-
Click on the New Policy button located at the top-right corner of the page.
-
Add a Policy name, e.g., License, and a description.
- Select an action for the rule if you're not using the default action (Do not notify developers), which includes:
- Fail the check
- Add a comment to the PR
- Send a notification
- Create a ticket
- Drop
-
Add rules to the policy by clicking the Add Rule button.
-
Configure the Scanner:
- To select the specific license scanner, search for the "use-of-forbidden-license" tag by clicking on the Rule Tags or by using the Scanner, Group, and Rule Name filters.
- Select the BoostSecurity OSS License scanner.
- Select the licenses from the list of available unauthorized licenses and click "Done" to save.
-
Click on Save to save the policy and the configured scanner.
FAQs¶
How to update the OSS License Scanner Forbidden Licenses List¶
To update the list of forbidden licenses in your organization:
- Navigate to the Policy page and click on the saved policy.
- Click on the "Scanners" tab.
-
Click the edit icon as shown in the image below
-
Select additional unauthorized licenses to add and click the "Done" button.
-
Finally, click the Save button to update the list of forbidden licenses on the policy.