
Configure Forbidden Licenses


BoostSecurity enables alerts to be raised when third-party packages in your projects use licenses that your organization forbids. The license check utilizes your projects' SBOM inventories to inspect the packages' licenses and raise license alerts if they violate a defined policy.


Prerequisites


To enable the license alerts, you need to:

  • Generate SBOM inventories.
  • Enable the BoostSecurity scanner.
  • Create policies that define the forbidden licenses and actions to take.

How to Create License Check Policies


Policies can define the actions to take when encountering forbidden licenses. For example, the policy can specify sending a Slack message as an action. You also configure licenses that are considered forbidden for your enterprise as part of the policy.

To create a policy for forbidden licenses, follow these instructions:

  1. Navigate to the Policy page.
  2. Click on the New Policy button located at the top-right corner of the page.

    New Policy

  3. Add a Policy name, e.g., Forbidden License, and a Description.

  4. Select a default action for the rule. Available actions include:

    • Fail the check
    • Add a comment to the PR
    • Send a notification
    • Create a ticket
    • Drop
    • Do not notify developers (If no action is selected, the system defaults to this)
  5. Add rules to the policy by clicking the Add Rule button.

    Add Rules

  6. Click the Add Action button, then select Vulnerability Class as the rule category and set it to Use of Forbidden License. Also select the condition under which the action is performed when the rule category is triggered.

    Define Rule

  7. Configure the Scanner:

    • Click on the Scanners tab next.
    • Search for the "use-of-forbidden-license" tag using the Vulnerability Class ID filter, or for "Use of forbidden licenses" using the Scanner, Group, and Rule Name filters.
    • Select the BoostSecurity Scanner. Make sure to select only the Use of Forbidden Licenses group and deselect the rest of the grouped rules under the scanner.

    Search License Scanner

    • Select the licenses from the list of available unauthorized licenses and click "Done" to save.

    Select Licenses

  8. Click on Save to save the policy and the configured scanner.

    Save Scanner
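As an added illustration of the check described at the top of this page (example code, not BoostSecurity's own implementation), the following Python reads a constructed CycloneDX-style SBOM and reports every component whose declared license, or every alternative of an SPDX OR-expression, is on an assumed forbidden list. It also reports components that declare no license at all, since a policy cannot evaluate what the inventory does not contain.

```python
import json

# Constructed CycloneDX-style SBOM fragment; not a real inventory.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"name": "left-pad", "version": "1.3.0",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"name": "readline", "version": "8.2",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"name": "dual-lib", "version": "2.0.1",
         "licenses": [{"expression": "GPL-2.0-only OR MIT"}]},
        {"name": "mystery-lib", "version": "0.1.0"},  # no license data at all
    ],
})

# Forbidden SPDX identifiers, as a policy would list them (assumed values).
FORBIDDEN = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"}

def expression_clauses(expr):
    # Split a flat SPDX expression into AND-clauses, each a set of OR
    # alternatives. Nested parentheses are not handled (simplifying assumption).
    return [{tok.strip("() ") for tok in clause.split(" OR ")}
            for clause in expr.split(" AND ")]

def component_clauses(component):
    # Yield the license clauses a CycloneDX component declares.
    for entry in component.get("licenses", []):
        if "expression" in entry:
            yield from expression_clauses(entry["expression"])
        elif "license" in entry:
            lic = entry["license"]
            yield {lic.get("id") or lic.get("name", "")}

def check_sbom(sbom_json, forbidden):
    # Return (name, version, reason) for each component that violates the
    # policy, plus each one with no license data, which would otherwise pass.
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        clauses = list(component_clauses(comp))
        if not clauses:
            findings.append((comp["name"], comp["version"], "no license declared"))
        for ids in clauses:
            # A clause is violated only when every OR alternative is forbidden.
            if ids <= forbidden:
                findings.append((comp["name"], comp["version"],
                                 "forbidden license: " + ", ".join(sorted(ids))))
    return findings
```

Running `check_sbom(SAMPLE_SBOM, FORBIDDEN)` flags readline (GPL-3.0-only) and mystery-lib (no license declared), while dual-lib passes because its MIT alternative is allowed.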


FAQs


How to update the BoostSecurity Scanner Forbidden Licenses List


To update the list of forbidden licenses in your organization:

  1. Navigate to the Policy page and click on the saved policy for forbidden licenses.
  2. Click on the "Scanners" tab.
  3. Click the edit icon as shown in the image below.

    Edit Licenses

  4. Select additional unauthorized licenses to add and click the Done button.

    Add more Licenses

  5. Finally, click the Save button to update the list of forbidden licenses on the policy.