License compliance
Track and enforce open-source license policies
Every open-source dependency comes with a license, and using the wrong one can create legal risk. DeepSource tracks the licenses of all your dependencies and enforces team-wide policies so non-compliant packages are flagged before they reach production.
How it works
License compliance builds on DeepSource's dependency scanning infrastructure. Once dependency scanning is active for a repository, license data is available automatically. DeepSource resolves your full dependency tree from manifest and lock files, identifies each package's license using the SPDX License List, and checks it against your team's license policy. Packages with non-compliant licenses are flagged in the Dependencies dashboard.
What it covers
Supported ecosystems: every ecosystem supported by dependency scanning includes license detection. See the Languages reference for the full list.
Policy controls:
- Category-level rules: mark entire classes of licenses as safe or unsafe:
  - Non OSI Approved Licenses
  - Non FSF Free/Libre Licenses
  - SPDX Deprecated Licenses
- Custom overrides: add specific SPDX identifiers to a safe or unsafe list, overriding category rules for individual licenses
Key features
- Integrated with dependency scanning: license compliance isn't a separate tool. It's built into the same dependency analysis that handles vulnerability scanning, so there's nothing extra to configure
- Policy-driven: define rules once at the team level, and they apply across all repositories. No per-repo configuration needed
- Transitive dependency coverage: licenses are checked for your entire dependency tree, not just direct dependencies. A non-compliant transitive dependency is just as risky as a direct one
- Actionable in context: non-compliant packages are surfaced in the same Dependencies dashboard where you manage vulnerabilities, so you can assess license and security risk together
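A minimal model of the policy evaluation described under Policy controls and Transitive dependency coverage, as an added example that is not DeepSource's own code: category toggles, SPDX identifier overrides that take precedence over them, and a walk over the entire dependency tree so transitive packages are checked too. The SPDX metadata slice, package tree and team policy are constructed for illustration.

```python
# Added example (not DeepSource's own code); all data below is constructed.
from dataclasses import dataclass
# Constructed slice of SPDX License List metadata (isOsiApproved / isFsfLibre / isDeprecatedLicenseId).
SPDX = {
    "MIT":        {"osi": True,  "fsf": True,  "deprecated": False},
    "Apache-2.0": {"osi": True,  "fsf": True,  "deprecated": False},
    "GPL-3.0":    {"osi": True,  "fsf": True,  "deprecated": True},  # superseded by GPL-3.0-only
    "BUSL-1.1":   {"osi": False, "fsf": False, "deprecated": False},
    "WTFPL":      {"osi": False, "fsf": True,  "deprecated": False},
}
@dataclass
class Policy:  # team-level: category toggles plus per-identifier overrides
    flag_non_osi: bool = True
    flag_non_fsf: bool = False
    flag_deprecated: bool = True
    safe_overrides: frozenset = frozenset()
    unsafe_overrides: frozenset = frozenset()

def is_compliant(license_id, policy):
    """Overrides win over category rules; unknown identifiers fail closed."""
    if license_id in policy.unsafe_overrides:
        return False
    if license_id in policy.safe_overrides:
        return True
    meta = SPDX.get(license_id)
    return meta is not None and not (
        (policy.flag_non_osi and not meta["osi"])
        or (policy.flag_non_fsf and not meta["fsf"])
        or (policy.flag_deprecated and meta["deprecated"]))

def flag_noncompliant(tree, roots, policy):
    """Walk direct and transitive deps; return sorted (package, license, path) violations."""
    flagged, seen, stack = [], set(), [(r, (r,)) for r in roots]
    while stack:
        name, path = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        license_id, deps = tree[name]
        if not is_compliant(license_id, policy):
            flagged.append((name, license_id, " -> ".join(path)))
        stack.extend((d, path + (d,)) for d in deps)
    return sorted(flagged)

TREE = {  # constructed dependency tree: name -> (SPDX id, direct dependencies)
    "webapp":    ("MIT", ["fancy-db"]),
    "fancy-db":  ("BUSL-1.1", ["oldlib"]),
    "oldlib":    ("GPL-3.0", ["tiny-util"]),
    "tiny-util": ("WTFPL", []),
}
TEAM_POLICY = Policy(safe_overrides=frozenset({"WTFPL"}))  # allowed despite non-OSI
```

Running `flag_noncompliant(TREE, ["webapp"], TEAM_POLICY)` flags fancy-db (non-OSI) and oldlib (deprecated SPDX id) with the path through which each was pulled in, while tiny-util passes because the safe override beats the non-OSI category rule.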
Getting started
Set up license policies from Settings. See Enforce license compliance for a walkthrough, or Policies for the full reference on policy options.