Skip to content

Configure Forbidden Licenses

BoostSecurity enables alerts to be raised when third-party packages in your projects use licenses that your organization forbids. The license check utilizes your projects' SBOM inventories to inspect the packages' licenses and raise license alerts if they violate a defined policy.


To enable the license alerts, you need to:

  • Generate SBOM inventories. Refer to the SBOM section for instructions.
  • Enable the BoostSecurity OSS License scanner.
  • Create policies that define the forbidden licenses and actions to take.

How to provision the BoostSecurity OSS License scanner

The BoostSecurity OSS License scanner inspects SBOMs (Software Bill of Materials) to identify software dependencies' licenses. Leveraging this scanner with the policy engine will prevent forbidden licenses from being released with production software. This scanner can only run on the default branch.

To enable the BoostSecurity OSS License scanner:

  1. Go to the Scanner Coverage page.
  2. Find the repositories for which coverage should be enabled.
  3. Select the checkboxes next to those repositories.
  4. Click the Provisioning button on the top right of the screen.
  5. Click on the checkbox for the row labeled BoostSecurity OSS License.
  6. Click the Complete button on the bottom right of the modal.

How to Create License Check Policies

Policies can define the actions to take when encountering forbidden licenses. For example, the policy can specify sending a Slack message as an action. You also configure licenses that are considered forbidden for your enterprise as part of the policy.

To create a policy for forbidden licenses, follow these instructions:

  1. Navigate to the Policy page.
  2. Click on the New Policy button located at the top-right corner of the page.

    New Policy

  3. Add a Policy name, e.g., License, and a description.

  4. Select an action for the rule if you're not using the default action (Do not notify developers), which includes:
    • Fail the check
    • Add a comment to the PR
    • Send a notification
    • Create a ticket
    • Drop
  5. Add rules to the policy by clicking the Add Rule button.

    Add Rules

    Define Rule

  6. Configure the Scanner:

    • To select the specific license scanner, search for the "use-of-forbidden-license" tag by clicking on the Rule Tags or using the Scanner, Group, and Rule Name filters.
    • Select the BoostSecurity OSS License scanner.

    Search License Scanner

    • Select the licenses from the list of available unauthorized licenses and click "Done" to save.

    Select Licenses

  7. Click on Save to save the policy and the configured scanner.


How to update the OSS License Scanner Forbidden Licenses List

To update the list of forbidden licenses in your organization:

  1. Navigate to the Policy page and click on the saved policy.
  2. Click on the "Scanners" tab.
  3. Click the edit icon as shown in the image below

    Edit Licenses

  4. Select additional unauthorized licenses to add and click the Done button.

    Add more Licenses

  5. Finally, click the Save button to update the list of forbidden licenses on the policy.