GitHub’s new tool helps prevent costly open-source license violations

GitHub’s Open Source Program Office (OSPO) uses the new GitHub License Compliance feature, now in public preview, to manage thousands of open-source dependencies and identify dependencies whose licenses require review.

The feature is available to GitHub Advanced Security customers and allows them to review new dependencies in pull requests, verify that their licenses comply with organizational policies, and approve new licenses or package-specific exceptions when needed.

GitHub Enterprise Cloud customers can use the License Compliance feature across repositories with an active GitHub Advanced Security (GHAS) Code Security license.

“Nearly all software carries some kind of license agreement. The license gives you permission to use a project, provided you comply with its obligations. Those obligations may be as simple as giving credit to the original author in your documentation, or they may require you to distribute all your source code when shipping your program. In some cases, licenses may also restrict certain activities or categories of use,” Jeff Luszcz, Staff Product Manager, and Eric Sorenson, Senior Product Manager, at GitHub, explained.

GitHub says organizations that cannot comply with a license’s obligations should avoid using the dependency because replacing it later can require significant engineering effort. The company adds that, for enterprise software, noncompliance can lead to legal disputes and reputational damage.

Building a license policy

Two months ago, the OSPO switched from internally developed compliance tools to the new GitHub License Compliance feature. As an early adopter, the team provided feedback to help improve the tool for large organizations with complex compliance requirements.

The company had a list of acceptable licenses to use as its initial policy. Many dependencies use permissive licenses such as MIT, Apache 2.0, and BSD-3-Clause, providing a good starting point for creating a policy.

GitHub rolled out the feature in Evaluate mode using an organization-wide ruleset. This generated annotations in PRs without blocking merges, helping developers become familiar with the new workflow. After about a month, most alerts involved packages with unusual, missing, or explicitly disallowed licenses.

How the feature works

GitHub License Compliance uses rules to automatically scan new dependencies added through pull requests. It checks the licenses of both direct and indirect dependencies against an organization’s compliance policies. If it finds a license that does not meet those policies, it adds an alert to the pull request identifying the affected package.

Figure: a GitHub License Compliance alert reading "Non-compliant license expression found on sidekiq #1" (Source: GitHub)

Developers can remove or replace the dependency if the license is not acceptable. They can submit an exception request if they believe the package should be allowed. The request is reviewed by the organization’s policy review team, which decides whether to approve the package or update the license policy.

When reviewing an exception request, the policy review team decides whether to approve the license or only the specific package, and whether the approval should apply across the organization or only to a single repository.

Commonly used licenses with low compliance risk can be approved across the organization. Commercial licenses are typically approved only for repositories owned by teams that have purchased the software. GitHub creates package-specific exceptions for internal software that often lacks license information.

Wildcard rules let organizations approve groups of related packages instead of reviewing each package individually.
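To make the policy model described above concrete, here is a small added example (not GitHub's code) that checks a pull request's new dependencies against an allowlist, applies package-specific and wildcard exceptions scoped to the whole organization or a single repository, and distinguishes Evaluate mode (annotate only) from Active mode (block the merge). The package names, the exception table and the sample dependency list are constructed for the example.

```python
from fnmatch import fnmatch
import re

# Organization-wide allowlist of SPDX identifiers (the permissive set the article names as a starting policy).
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}

# Package-specific exceptions: glob pattern -> scope, where scope is "org" (organization-wide)
# or the name of the single repository the approval applies to. Package names are hypothetical.
EXCEPTIONS = {
    "@acme-internal/*": "org",          # wildcard: internal packages that ship without license metadata
    "acme-commercial-sdk": "payments",  # commercial license, approved only for the team that bought it
}

# Constructed sample of dependencies a pull request adds (direct and indirect), with SPDX expressions.
NEW_DEPS = [
    {"name": "http-util", "license": "MIT", "kind": "direct"},
    {"name": "dual-lib", "license": "MIT OR GPL-3.0-only", "kind": "indirect"},
    {"name": "copyleft-lib", "license": "GPL-3.0-only", "kind": "indirect"},
    {"name": "@acme-internal/auth", "license": "", "kind": "direct"},
    {"name": "acme-commercial-sdk", "license": "LicenseRef-Commercial", "kind": "direct"},
]

def license_allowed(expression):
    """Evaluate a flat SPDX expression (AND/OR, no parentheses) against the allowlist."""
    if not expression:
        return False  # missing license metadata is a finding, never a silent pass
    # OR: one acceptable alternative suffices; AND: every license in the group must be acceptable.
    return any(
        all(term.strip() in ALLOWED_LICENSES for term in re.split(r"\s+AND\s+", group))
        for group in re.split(r"\s+OR\s+", expression)
    )

def package_excepted(name, repo):
    """True if an exception covers this package, either organization-wide or for this repository."""
    return any(fnmatch(name, pattern) and scope in ("org", repo) for pattern, scope in EXCEPTIONS.items())

def evaluate(dependencies, repo, mode="evaluate"):
    """Return (findings, block): findings are (name, kind, license) of non-compliant packages;
    block is True only in 'active' mode, so 'evaluate' mode annotates without stopping the merge."""
    findings = [
        (dep["name"], dep["kind"], dep["license"])
        for dep in dependencies
        if not (license_allowed(dep["license"]) or package_excepted(dep["name"], repo))
    ]
    return findings, (mode == "active" and bool(findings))

if __name__ == "__main__":
    for finding in evaluate(NEW_DEPS, repo="web", mode="active")[0]:
        print("Non-compliant license expression found on %s (%s): %r" % finding)
```

Run against the sample, the same dependency list passes the commercial SDK in the "payments" repository but flags it everywhere else, and a dual-licensed package is accepted because one of its alternatives is on the allowlist.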

Review workflow

GitHub’s license review team is distributed across multiple time zones to speed up the approval process. The company is defining a formal service-level agreement, and most license requests are reviewed within a few hours. Reviewers receive email notifications when new requests are submitted and can track pending reviews through a dashboard.

GitHub established procedures for contacting the OSPO and using an emergency override for time-sensitive PRs. Because license enforcement is controlled through repository properties, the team can temporarily switch a repository from Active to Evaluate mode, allowing a critical fix to proceed while the license issue is reviewed.
