Enforce license compliance
License compliance lets you define which open-source licenses are acceptable across your team's repositories. DeepSource checks every dependency against your policy and flags packages that don't comply.
Configure license policies
- Go to your team Settings > Policies > License Compliance.
- Set category-level rules to mark entire classes of licenses as safe or unsafe:
  - Non OSI Approved Licenses — licenses not approved by the Open Source Initiative
  - Non FSF Free/Libre Licenses — licenses not recognized as free/libre by the Free Software Foundation
  - SPDX Deprecated Licenses — license identifiers deprecated in the SPDX standard
- Add custom overrides using SPDX identifiers:
  - Custom Safe Licenses — specific SPDX identifiers that should always be deemed safe
  - Custom Unsafe Licenses — specific SPDX identifiers that should always be deemed unsafe
DeepSource uses the SPDX License List as the canonical source for license identifiers.
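As an added illustration of how these policy options combine (example code, not DeepSource's own), here is a small evaluator that mirrors the three category rules and the two custom override lists. The SPDX metadata subset, the package list and the precedence it applies (custom unsafe over custom safe over category rules; identifiers missing from the SPDX list fail closed) are assumptions of this example, not documented DeepSource behaviour.

```python
from dataclasses import dataclass, field

# Constructed subset of SPDX License List metadata (field names follow licenses.json).
SPDX_LICENSES = {
    "MIT":        {"isOsiApproved": True,  "isFsfLibre": True,  "isDeprecatedLicenseId": False},
    "Apache-2.0": {"isOsiApproved": True,  "isFsfLibre": True,  "isDeprecatedLicenseId": False},
    "GPL-3.0":    {"isOsiApproved": True,  "isFsfLibre": True,  "isDeprecatedLicenseId": True},
    "SSPL-1.0":   {"isOsiApproved": False, "isFsfLibre": False, "isDeprecatedLicenseId": False},
    "JSON":       {"isOsiApproved": False, "isFsfLibre": False, "isDeprecatedLicenseId": False},
}

# The three category-level rules, each returning True when the license falls in the category.
CATEGORY_CHECKS = {
    "non_osi_approved": lambda m: not m["isOsiApproved"],
    "non_fsf_libre": lambda m: not m["isFsfLibre"],
    "spdx_deprecated": lambda m: m["isDeprecatedLicenseId"],
}

@dataclass
class LicensePolicy:
    unsafe_categories: set                            # category names marked unsafe
    custom_safe: set = field(default_factory=set)     # SPDX ids always deemed safe
    custom_unsafe: set = field(default_factory=set)   # SPDX ids always deemed unsafe

def evaluate_license(spdx_id, policy):
    """Return (is_safe, reason). Assumed precedence: custom unsafe beats custom safe,
    and both overrides beat category rules; an id missing from the SPDX list fails closed."""
    if spdx_id in policy.custom_unsafe:
        return False, "custom unsafe"
    if spdx_id in policy.custom_safe:
        return True, "custom safe"
    meta = SPDX_LICENSES.get(spdx_id)
    if meta is None:
        return False, "unknown SPDX identifier"
    for category, is_unsafe in CATEGORY_CHECKS.items():
        if category in policy.unsafe_categories and is_unsafe(meta):
            return False, category
    return True, "compliant"

def flag_dependencies(deps, policy):
    """deps maps package name -> SPDX id; returns (package, id, reason) per non-compliant package."""
    return [(pkg, lic, reason) for pkg, lic in deps.items()
            for ok, reason in [evaluate_license(lic, policy)] if not ok]

# Constructed policy and dependency list for the demonstration.
EXAMPLE_POLICY = LicensePolicy(unsafe_categories={"non_osi_approved", "spdx_deprecated"},
                               custom_safe={"JSON"}, custom_unsafe={"Apache-2.0"})
EXAMPLE_DEPS = {"left-pad": "MIT", "framework": "Apache-2.0", "some-db": "SSPL-1.0",
                "old-lib": "GPL-3.0", "json-tool": "JSON", "mystery": "Custom-Internal"}
FLAGGED = flag_dependencies(EXAMPLE_DEPS, EXAMPLE_POLICY)  # framework, some-db, old-lib, mystery
```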
View license info per package
Once policies are configured, you can see the license type for each package in the Dependencies > Packages tab of any repository. Packages with non-compliant licenses are flagged so you can take action.
For the full reference on all policy options, see Policies.