Enforcing license compliance
Whether your organization already has a detailed license policy or needs to set one up, we can help you implement and enforce it with Tidelift. If you enable the license compliance standard, Tidelift will ensure that every package release in your catalog uses only a license from your approved list of licenses. With your Tidelift Subscription, you can also get accurate and verified license data from Tidelift’s license-annotated catalogs.
How do I set up license compliance?
You can begin enforcing license compliance from the Catalog > Standards page. If your organization does not already have an approved license list, you will be presented with pre-built templates and can select the one most appropriate for your deployment scenario. Otherwise, you can proceed without a template.
You will then be able to make any changes to the following three lists:
- “Approved” – Licenses that are always approved for use in the catalog
- “Uncategorized” – Licenses that will need additional review in the future
- “Denied” – Licenses that are never approved for use in the catalog
Note that each license is listed using its SPDX license expression. If you have a policy and need support mapping onto the appropriate SPDX identifiers, reach out to your account manager.
What happens if a package release in my catalog doesn’t comply with the approved license list?
Although a package's license rarely changes, an already-approved release may no longer comply with the license standard if you make changes to your approved license list. In these cases, a task will be generated for the catalog manager to notify them about already-approved releases that violate this standard. For each license, they will be able to do one or more of the following:
- Approve the license being used by approved releases
- Deny the releases
- Create a documented exception for the package, so current and future releases can use an unapproved license without violating the standard
What happens when a newly requested package release doesn’t use an approved license?
If a newly requested release uses a license that isn’t on the approved list and the license compliance standard is enabled, the catalog manager reviewing the request will see that there is a standard violation. The catalog manager can either approve the license and the release, deny the release, or create an exception for this package to be approved without globally approving the license.
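The three lists above, the per-package exceptions, and the violation check described in the last two sections can be modelled in a few lines. The following Python is an added illustration, not Tidelift's implementation; the policy, package names, versions and license expressions are constructed sample data, and the expression handling is limited to flat SPDX `AND`/`OR` expressions without parentheses.

```python
"""Toy evaluator for a three-list license standard with per-package exceptions (constructed data)."""
from dataclasses import dataclass, field


@dataclass
class LicensePolicy:
    approved: set            # SPDX ids always allowed in the catalog
    denied: set              # SPDX ids never allowed
    exceptions: dict = field(default_factory=dict)  # package -> ids tolerated for it only

    def id_status(self, spdx_id, package):
        # A documented exception makes an unapproved id acceptable for that package alone
        if spdx_id in self.approved or spdx_id in self.exceptions.get(package, set()):
            return "approved"
        if spdx_id in self.denied:
            return "denied"
        return "uncategorized"  # on neither list: needs reviewer attention

    def evaluate(self, package, expression):
        """Classify a flat SPDX expression ('A OR B', 'A AND B'; OR binds loosest).
        Parentheses are not handled in this toy version."""
        rank = {"approved": 0, "uncategorized": 1, "denied": 2}
        branch_results = []
        for branch in expression.split(" OR "):
            # AND: every id must be acceptable, so the worst id decides the branch
            statuses = [self.id_status(i.strip(), package) for i in branch.split(" AND ")]
            branch_results.append(max(statuses, key=rank.get))
        # OR: the consumer may choose any branch, so the best branch decides
        return min(branch_results, key=rank.get)

    def violations(self, releases):
        # Releases that would raise a standard-violation task for the catalog manager
        out = []
        for pkg, ver, expr in releases:
            status = self.evaluate(pkg, expr)
            if status != "approved":
                out.append((pkg, ver, expr, status))
        return out


# Constructed sample policy and catalog releases
POLICY = LicensePolicy(
    approved={"MIT", "Apache-2.0", "BSD-3-Clause"},
    denied={"GPL-3.0-only", "AGPL-3.0-only"},
    exceptions={"legacy-tool": {"GPL-3.0-only"}},
)
RELEASES = [
    ("dual-lib", "1.0.0", "GPL-3.0-only OR MIT"),
    ("legacy-tool", "4.2.0", "GPL-3.0-only"),
    ("mystery", "0.1.0", "LGPL-2.1-only"),
    ("combo", "2.0.0", "MIT AND AGPL-3.0-only"),
]
```

Running `POLICY.violations(RELEASES)` flags only `mystery` (uncategorized, needs review) and `combo` (denied); the dual-licensed release passes via its MIT branch and `legacy-tool` passes only because of its documented exception.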