
GitHub’s new tool prevents costly open-source license violations

Summary

– GitHub’s License Compliance feature, in public preview for GitHub Advanced Security customers, automatically checks new dependencies in pull requests against organizational policies.
– The feature can be used in Evaluate mode to generate alerts without blocking merges, helping developers adapt to the workflow.
– GitHub’s OSPO switched from internal tools to this feature, using a list of acceptable licenses like MIT and Apache 2.0 as its initial policy.
– Non-compliant licenses trigger alerts in pull requests; developers can remove the dependency or submit an exception request for review.
– GitHub’s distributed review team processes most license requests within hours, with options to temporarily switch a repository to Evaluate mode for critical fixes.

GitHub’s Open Source Program Office has rolled out a new License Compliance feature, now available in public preview, to help organizations manage the complex web of open-source dependencies without running into costly legal trouble. The tool, built for GitHub Advanced Security customers, scans pull requests for new dependencies, flags any that don’t match internal policies, and streamlines the approval process for exceptions.

The feature is designed for GitHub Enterprise Cloud users with an active GitHub Advanced Security (GHAS) Code Security license. It gives teams the ability to review new dependencies directly in pull requests, verify compliance with organizational rules, and approve new licenses or create package-specific exceptions when needed. For large enterprises juggling thousands of dependencies, this automated oversight can prevent significant engineering rework and legal exposure.

As Jeff Luszcz, Staff Product Manager, and Eric Sorenson, Senior Product Manager at GitHub, put it: “Nearly all software carries some kind of license agreement. The license gives you permission to use a project, provided you comply with its obligations.” Those obligations range from simply crediting the original author to distributing all source code when shipping your program. In some cases, licenses may restrict specific activities or categories of use. GitHub warns that failing to comply with a license’s terms can lead to legal disputes, reputational damage, and costly dependency replacements down the line.

Building a license policy from scratch

Two months ago, GitHub’s own OSPO made the switch from internally developed compliance tools to the new License Compliance feature. As an early adopter, the team helped refine the tool for large organizations with complex requirements. They started with a list of acceptable licenses, focusing on widely used permissive licenses like MIT, Apache 2.0, and BSD-3-Clause as a baseline.

The rollout began in Evaluate mode, using an organization-wide ruleset. This generated annotations in pull requests without blocking merges, giving developers time to adapt to the new workflow. After about a month, most alerts centered on packages with unusual, missing, or explicitly disallowed licenses, proving the system’s value in catching edge cases.

How the automated scanning works

GitHub License Compliance uses rules to scan new dependencies automatically as they appear in pull requests. It checks both direct and indirect dependencies against the organization’s compliance policies. When a license doesn’t meet policy, an alert is added to the pull request, identifying the affected package.

Developers have two options: remove or replace the problematic dependency, or submit an exception request if they believe the package should be allowed. The organization’s policy review team then decides whether to approve the license or the specific package, or to update the broader policy. Approvals can be applied organization-wide or limited to a single repository.

For commonly used low-risk licenses, approval is typically granted across the organization. Commercial licenses are usually approved only for repositories owned by teams that purchased the software. For internal software that often lacks license information, GitHub creates package-specific exceptions. Wildcard rules also let organizations approve groups of related packages at once, reducing the need for individual reviews.

Streamlining the review workflow

GitHub’s own license review team operates across multiple time zones to speed up approvals. The company is defining a formal service-level agreement, but most requests are reviewed within a few hours. Reviewers receive email notifications for new submissions and can track pending reviews through a dashboard.

For time-sensitive pull requests, GitHub has established procedures to contact the OSPO and use an emergency override. Because license enforcement is controlled through repository properties, the team can temporarily switch a repository from Active to Evaluate mode. This allows a critical fix to proceed while the license issue is reviewed, balancing compliance with development velocity.
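As an added illustration of the policy semantics described in the scanning section above and in the Evaluate/Active mode switch just mentioned, here is a small Python model of the check: an allowlist of licenses, license or package approvals scoped organization-wide or to one repository, wildcard package rules, and a repository mode that either annotates or blocks. This is not GitHub's own code or API; the SPDX identifiers, package names and repository names are constructed for the example.

```python
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Optional

# Baseline policy: the permissive licenses the article names (SPDX ids assumed).
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}

@dataclass(frozen=True)
class Approval:
    """One review-team approval: a license or a package pattern (wildcards allowed),
    applied organization-wide (repo=None) or limited to a single repository."""
    spdx: Optional[str] = None
    package: Optional[str] = None
    repo: Optional[str] = None

    def covers(self, name: str, spdx: Optional[str], repo: str) -> bool:
        if self.repo is not None and self.repo != repo:
            return False
        if self.package is not None:
            return fnmatch(name, self.package)
        return self.spdx is not None and self.spdx == spdx

def check_pull_request(deps, repo, mode, approvals, allowed=ALLOWED_LICENSES):
    """deps: (package, spdx-or-None, is_direct) for every new dependency in the PR.
    Returns (alerts, blocked): 'evaluate' mode only annotates, 'active' blocks the merge."""
    alerts = []
    for name, spdx, direct in deps:
        if spdx in allowed or any(a.covers(name, spdx, repo) for a in approvals):
            continue
        kind = "direct" if direct else "transitive"
        reason = "no license detected" if spdx is None else f"{spdx} not in policy"
        alerts.append(f"{name} ({kind}): {reason}")
    return alerts, mode == "active" and bool(alerts)

# Constructed sample: new direct and transitive dependencies found in one pull request.
SAMPLE_DEPS = [
    ("left-pad", "MIT", True),
    ("copyleft-lib", "GPL-3.0-only", True),
    ("@acme/internal-auth", None, True),                      # internal package, no license file
    ("acme-commercial-sdk", "LicenseRef-Commercial", False),
    ("deep-dep", "AGPL-3.0-only", False),
]
# Constructed approvals of the three kinds the article describes.
APPROVALS = [
    Approval(spdx="ISC"),                                     # license approved org-wide
    Approval(package="@acme/*"),                              # wildcard rule for internal packages
    Approval(package="acme-commercial-sdk", repo="billing"),  # commercial SDK, purchasing team's repo only
]

ALERTS, BLOCKED = check_pull_request(SAMPLE_DEPS, "payments", "active", APPROVALS)
```

Running the same manifest against the `billing` repository drops the commercial SDK alert, and switching the repository to `evaluate` keeps every alert but never blocks, which is the emergency override the article describes.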

(Source: Help Net Security)
