
Licensight Policies

With policies in Licensight you can define which open-source licenses are acceptable, which require further validation and which are prohibited. You can also configure vulnerability severity thresholds, so that teams can enforce security standards alongside license compliance.

Different policies can be tailored for different purposes, e.g. one policy for products used in SaaS projects, one for products distributed to customers and one for internal tools.

Because licenses and vulnerabilities carry different obligations and risks, policies help ensure that each application is assessed appropriately based on its intended use.

Creating a new policy

In the policy section of Licensight, use the "Add" button to create a new policy. Enter a name for the policy and press Enter to create it.

Using the policy wizard

If you want to start from a predefined policy, use the Policy Wizard. Open the wizard and answer all of its questions; the licenses are then assigned to the categories automatically, based on the answers you gave.

Configuring Policies manually

Open source policy

If you prefer manual control, you can assign each license to one of the following categories:

  • Permitted: All licenses in this category will be accepted in applications with this policy. No further approvals are required.
  • Prohibited: All licenses in this category will be listed as a policy violation in applications with this policy.
  • Needs approval: All licenses in this category will need an explicit approval in applications with this policy.

Vulnerability policy

You can define which vulnerability severity levels are acceptable. If a component contains a vulnerability with one of the selected severities, it is flagged as a policy violation and requires assessment. The severity levels are:

  • Critical
  • High
  • Moderate
  • Low
  • Unknown
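The following is an added illustration of how the two policy parts above (license categories and severity thresholds) combine when a component list is assessed; it is example code, not Licensight's own implementation, and the policy, component names and advisory ids are constructed. It assumes that a license the policy never assigned to any category is treated like "Needs approval" rather than being silently accepted, and that a vulnerability with no usable severity is assessed as "Unknown".

```python
from dataclasses import dataclass, field

# Severity scale from the page; anything else is normalised to "Unknown".
SEVERITIES = ("Critical", "High", "Moderate", "Low", "Unknown")

@dataclass
class Policy:
    name: str
    permitted: set = field(default_factory=set)
    prohibited: set = field(default_factory=set)
    needs_approval: set = field(default_factory=set)
    flagged_severities: set = field(default_factory=set)

    def license_category(self, license_id):
        if license_id in self.prohibited:  # prohibited wins over any other listing
            return "prohibited"
        if license_id in self.permitted and license_id not in self.needs_approval:
            return "permitted"
        # Assumption: a license the policy never assigned is treated like "needs approval".
        return "needs approval"

def evaluate(policy, components):
    """Return (violations, approvals), each a list of (component name, reason)."""
    violations, approvals = [], []
    for comp in components:
        cat = policy.license_category(comp["license"])
        if cat == "prohibited":
            violations.append((comp["name"], f"license {comp['license']} is prohibited"))
        elif cat == "needs approval":
            approvals.append((comp["name"], f"license {comp['license']} needs approval"))
        for vuln in comp.get("vulnerabilities", []):
            sev = (vuln.get("severity") or "Unknown").capitalize()  # "HIGH" -> "High", None -> "Unknown"
            if sev not in SEVERITIES:
                sev = "Unknown"  # off-scale values are assessed as Unknown, not silently ignored
            if sev in policy.flagged_severities:
                violations.append((comp["name"], f"{vuln['id']} ({sev}) exceeds the severity threshold"))
    return violations, approvals

# Constructed sample policy and components (placeholder names and advisory ids).
SAAS_POLICY = Policy("SaaS", permitted={"MIT", "Apache-2.0"}, prohibited={"GPL-3.0"},
                     needs_approval={"LGPL-2.1"}, flagged_severities={"Critical", "High", "Unknown"})
COMPONENTS = [
    {"name": "lib-a", "license": "MIT", "vulnerabilities": []},
    {"name": "lib-b", "license": "GPL-3.0", "vulnerabilities": [{"id": "VULN-EXAMPLE-1", "severity": "low"}]},
    {"name": "lib-c", "license": "LGPL-2.1", "vulnerabilities": [{"id": "VULN-EXAMPLE-2", "severity": "HIGH"}]},
    {"name": "lib-d", "license": "Custom-EULA", "vulnerabilities": [{"id": "VULN-EXAMPLE-3", "severity": None}]},
]

def run_example():
    return evaluate(SAAS_POLICY, COMPONENTS)
```

Flagging "Unknown" in the policy is what catches the third finding: without it, a vulnerability whose severity was never scored would pass the assessment unnoticed.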