Does anyone know of a tool (or GitHub Action) that would monitor dependencies to ensure they adhere to a set of approved licenses?

[anajsana]

Question raised via TODO slack channel by jeffpaul:

Does anyone know of a tool (or GitHub Action) that would monitor dependencies to ensure they adhere to a set of approved licenses (in my case, working with WordPress, that they’re GPL-compatible)? I’m hoping to get something running so all PRs are scanned to ensure no incompatible dependencies are being introduced (while also scanning the existing codebase to ensure things are copacetic).

[anajsana]

Chris Aniszczyk replied:

I've done this in the past with FOSSA CLI https://github.com/fossas/fossa-action but you can probably do this with Snyk or WhiteSource (and comparable modern SCA tool these days)

[anajsana]

Kevin P. Fleming replied:

Tidelift, also.

[annania]

Adding to this, many scan tools have CLI integration which makes it compatible with the CI/CD tool of your choosing. They allow you to configure a license policy

Fossa
FossID
Mend (previously WhiteSource)
BlackDuck

[juliancoccia]

On the SCANOSS side, you can install the CLI with: pip3 install scanoss
and then scanoss-py scan directory/

No accounts or API keys needed. Absolutely anonymous and free for everyone.

You can also try: npm install -g scanoss (scanoss-js is the CLI)

Alternatively, here is the webhook for even easier integration:
https://github.com/scanoss/webhook

[anajsana]

Jordan Harband replied:

In the npm ecosystem, npmjs.com/licensee is The Way; it will soon be npm audit licenses.

but yes, there’s lots of services like tidelify/snyk/whitesource/etc to do it cross-ecosystem

[jeffpaul]

Thanks for adding this here @anajsana, very much hoping there's a minimal functionality but free for open source projects as this is a significant concern and not something that's easily achievable manually.

[ashleywolf]

You can check out https://github.com/marketplace/actions/ghascompliance. Should we consider adding a sub-section to the awesome OSPO list with these? cc: @anajsana

[jeffpaul]

I would probably recommend we add details from my response in #71 (comment) to the https://github.com/todogroup/awesome-ospo#licensing section.

[jeffpaul]

Note that I ended up solving this with https://github.com/actions/dependency-review-action. You can see it in action here https://github.com/10up/insert-special-characters/actions/workflows/dependency-review.yml. Workflow file is here https://github.com/10up/insert-special-characters/blob/develop/.github/workflows/dependency-review.yml. Org-wide policy that I'm using is here https://github.com/10up/.github/blob/trunk/.github/dependency-review-config.yml.

[jailbirt]

hello to scan dependencies we create two workflows in our bpm that use scanoss to scan for dependencies and undeclared licenses in the code.
Both scan and ask for approvals and are easily adaptable to any process.

One receives webhooks from github and scans the branch.
Another that receives the resulting json from the scanoss binary.

We also have in development two custom interfaces both for the developer to ask for authorization and for the manager to approve them for large companies. (The latter has not yet been released O.S.).

[nicorikken]

The OSS Review Toolkit project now has a GitHub Action to scan a repository and its dependencies. You can add policies to check against, like a set of approved licenses. This is quite an expert-level tool that has a bit of a learning curve. Thankfully there are some default policies provided and there is a great community willing to help.