Scan your Code for License Violations

Overview

License checking in Jit ensures that your project adheres to the defined licensing requirements by scanning your codebase for unpermitted licenses. This feature helps maintain compliance with legal obligations associated with third-party components and mitigates the risk of licensing issues.

By default, Jit employs a deny-list approach, prohibiting licenses such as GPL and EU Public License. However, users have the flexibility to customize this list according to their project's specific needs by adjusting the jit-config.yml file.

Jit License Compliance

Jit's license compliance functionality operates based on the following principles:

Deny-list: Jit maintains a default deny-list of licenses that are not permitted within your project. This includes licenses such as GPL.

dual_license can have value of either restrictive or permissive.

  • Restrictive Dual License: By default, Jit operates in restrictive dual license mode. In this mode, if one of the licenses associated with a dual-licensed component is found in the deny-list, the user will be alerted. For example, if a component has licenses GPL or MIT, and GPL is in the deny-list, a finding will be created.
  • Permissive Dual License: Alternatively, users can opt for permissive dual license mode. In this mode, if one of the licenses associated with a dual-licensed component is not found in the deny-list, no alert will be generated. For example, if a component has licenses GPL or MIT, and neither GPL nor MIT are in the deny-list, no finding will be created.

Customization:

Users can override the default deny-list by modifying the jit-config.yml file located at User's organization/.jit/.jit/jit-config.yml.

license-compliance:
  deny_list:
    - EUPL*
    - GPL*
  dual_license: restrictive # or permissive

Wildcard Usage: Wildcard (*) can be employed to match licenses that contain a specific string. For instance, Apache* matches licenses like Apache-2.0, L-Apache, etc.

Case Insensitivity: License matching is case-insensitive. For example, MIT is considered the same as mit.

License Scanner triggers

Activate the License violation plan item

The License Checker is designed to ensure thorough enforcement of licensing requirements within your project. It operates in the following manner:

Pull Request Enforcement: Upon the creation or update of a Pull Request (PR), the License Checker will automatically initiate a scan to detect any license violations. If violations are identified, the PR will be halted until the issues are resolved, ensuring that only compliant code is merged into the repository.

Scheduled Scans: In addition to PR enforcement, the License Checker runs on a predefined schedule to conduct regular scans of the codebase. If any violations are detected during these scheduled scans, the License Checker will automatically open findings in the backlog, alerting the team to address the violations promptly.

By employing both real-time PR enforcement and scheduled scans, the License Checker provides comprehensive coverage to maintain compliance with licensing requirements throughout the development lifecycle.

Premium Users

License Compliance functionality is exclusively available to Premium users. To access this feature and unlock advanced capabilities, please contact our support team to learn more about our Premium Users package.

Supported package types

  • npm
  • Pip