License compliance scanners safeguard your software supply chain by identifying non-compliant open-source licenses in packages and third-party libraries consumed by your applications. By detecting license violations at code-time, the license scanner closes the gap between open-source dependency consumption and organizational license compliance policies, preventing copyleft obligations, commercial use restrictions, and undisclosed licensing terms from silently propagating into production environments through unvetted upstream packages.
The Licenses page consolidates all scanner-detected license miscompliance issues across monitored repositories into a single view where you can prioritize, investigate, escalate to legal review, and track SLA compliance.
Scope: The Licenses page displays license compliance issues detected in open-source dependencies through Software Composition Analysis (SCA).
What license miscompliance issues deliver
License miscompliance issues close the gap between the open-source dependencies declared in your codebase and the license compliance posture of your organization. Without pre-deployment license scanning, packages with strong copyleft obligations, non-permissive restrictions, or unknown licensing terms propagate silently into production environments, creating legal exposure that is expensive to remediate after deployment, including mandatory source code disclosure, licensing fees, and restrictions on commercial distribution.
Core achievements
Shifting compliance left: Detecting non-compliant open-source licenses at code-time, before packages with restrictive terms are deployed, reduces the cost and risk of post-deployment legal remediation
Reducing legal risk exposure: License category classification isolates strong copyleft, non-permissive, and unknown licenses from permissive licenses, enabling targeted legal review of the highest-risk dependencies
Establishing compliance baselines: Mapping license findings to OSI approval status and SPDX recognition provides auditable evidence of compliance with organizational open-source policies and regulatory mandates
Accelerating legal review: Surfacing non-compliant packages with license category, dependency type, and package manager context enables the legal team to evaluate license compatibility without manual dependency audits
Functional responsibilities
The license miscompliance workflow facilitates a structured delegation model between Governance and Operations:
AppSec managers (Governance): Review license compliance trends across repositories, packages, and license categories to identify systemic supply chain compliance risk. Define unified policies that enforce organizational license compliance standards. Prioritize remediation based on license category, severity, and dependency type
AppSec practitioners (Operations): Triage and escalate license miscompliance issues by coordinating with the legal team to evaluate license compatibility. Track remediation progress through resolution statuses and SLA compliance. Escalate persistent license violations to Cases for cross-team coordination
Prerequisites
Before viewing and acting on license miscompliance issues, verify the following:
Prerequisite | Description |
|---|---|
License | An active Cortex Cloud license with Application Security entitlements |
RBAC Role | The AppSec Admin or SOC Analyst role, or an equivalent custom role with issue management permissions |
VCS Integration | At least one Version Control System (GitHub, GitLab, Bitbucket, Azure DevOps) integrated and active |
SCA Scanner | The SCA scanner enabled for the target repositories |
Periodic or PR Scan | At least one completed periodic scan or PR scan that includes SCA scanning results |