
Open Source License Compliance [GA]

Open glider-bot opened this issue 1 year ago • 0 comments

Value Prop

While using open source software (OSS) brings well-demonstrated benefits like leveraging community innovation and empowering developers to focus on differentiated value, it also introduces risks, from security vulnerabilities to targeted attacks. GitHub has powerful features like Dependabot for managing vulnerable versions of your OSS dependencies. Now, OSS License Compliance extends these capabilities, so customers can ensure that the licenses of the OSS packages they depend on are compliant with a policy defined by their organization.

Expected Outcome

With GitHub OSS License Compliance, organizations configure a baseline policy that describes which licenses their upstream dependencies are allowed or disallowed to have; we'll provide starter policies that should suit most users, with the ability to customize them. Once configured, the business risk of incorporating dependencies with incompatible licenses is reduced in three key ways:

  1. Rulesets will enforce the policy on incoming PRs, ensuring that changes entering your codebase don't introduce new dependencies with incompatible licenses.
  2. GitHub Actions that build artifacts have a complete view of the build environment and composition of the resulting artifact, so they can prevent deep transitive dependencies with problematic licenses from being included. Conversely, an artifact whose dependencies consist of only packages with compliant licenses will receive a secure, verifiable attestation to that effect.
  3. Existing code may have latent, undiscovered problems with licenses, so we provide a scanning feature to introspect the Software Bills of Materials (SBOMs) of your repositories and find dependencies with noncompliant licenses.
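
As an added illustration of the SBOM scan in item 3 (example code written for this page, not GitHub's implementation; the policy format, the constructed SBOM and the use of the SPDX `licenseConcluded`/`licenseDeclared` fields are assumptions), a license-policy check over an SPDX document that fails closed on missing, unrecognised or compound licenses:

```python
import json
# Constructed license policy (hypothetical format, not GitHub's starter policy).
POLICY = {"allow": {"MIT", "Apache-2.0", "BSD-3-Clause", "ISC"},
          "deny": {"GPL-3.0-only", "AGPL-3.0-only"}}
# Constructed SPDX-style SBOM, reduced to the fields this check reads.
SBOM_JSON = json.dumps({"spdxVersion": "SPDX-2.3", "packages": [
    {"name": "lodash", "versionInfo": "4.17.21", "licenseConcluded": "MIT"},
    {"name": "left-pad", "versionInfo": "1.3.0", "licenseConcluded": "NOASSERTION",
     "licenseDeclared": "WTFPL"},
    {"name": "readline-clone", "versionInfo": "8.2", "licenseDeclared": "GPL-3.0-only"},
    {"name": "dual", "versionInfo": "2.0.0", "licenseDeclared": "GPL-3.0-only OR MIT"},
    {"name": "combo", "versionInfo": "0.1.0", "licenseDeclared": "MIT AND LGPL-2.1-only"},
]})
UNKNOWN = {"", "NOASSERTION", "NONE"}  # SPDX values that carry no license information

def package_license(pkg):
    """Prefer the concluded license; fall back to the declared one."""
    for key in ("licenseConcluded", "licenseDeclared"):
        value = pkg.get(key, "").strip()
        if value not in UNKNOWN:
            return value
    return "NOASSERTION"

def evaluate(expression, policy):
    """'allowed', 'denied' or 'unknown' for an SPDX expression: a top-level OR passes
    if any alternative is allowed, AND needs every conjunct allowed, else fail closed."""
    if expression in UNKNOWN:
        return "unknown"
    verdicts = []
    for alternative in expression.split(" OR "):
        ids = [i.strip("() ") for i in alternative.split(" AND ")]  # no nested parens
        if any(i in policy["deny"] for i in ids):
            verdicts.append("denied")
        elif all(i in policy["allow"] for i in ids):
            verdicts.append("allowed")
        else:
            verdicts.append("unknown")
    if "allowed" in verdicts:
        return "allowed"
    return "denied" if "denied" in verdicts else "unknown"

def scan(sbom_json, policy):
    """Map 'name@version' to its verdict; every non-'allowed' entry is a finding."""
    sbom = json.loads(sbom_json)
    return {f"{p['name']}@{p.get('versionInfo', '?')}": evaluate(package_license(p), policy)
            for p in sbom.get("packages", [])}

def findings(sbom_json, policy):
    """Sorted list of packages that would raise an alert or block a build."""
    return sorted(k for k, v in scan(sbom_json, policy).items() if v != "allowed")
```

Treating "unknown" as a finding rather than a pass is deliberate: a dependency with no asserted license, or one under an expression the policy does not fully cover, needs a human decision before it is allowed into an artifact.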

When these workflows detect problems, they'll generate alerts and metrics similar to the existing Dependabot alerts to provide context, auditability, and actionable outcomes.

With GitHub OSS License Compliance, you'll have a comprehensive way to understand and manage the risk inherent in using open source, so you can focus on the benefits.

glider-bot, Nov 20 '24 21:11