License Scanning

Experimental

Table of contents

OSV-Scanner supports license checking as an experimental feature. The data comes from the deps.dev API.

This feature is experimental and might change or be removed with only a minor version update.

License summary

If you want a summary of your dependencies licenses, use the --experimental-licenses-summary flag:

osv-scanner --experimental-licenses-summary path/to/repository

License violations

To set an allowed license list and see the details of packages that do not conform, use the --experimental-licenses flag:

osv-scanner --experimental-licenses="comma-separated list of allowed licenses" path/to/directory

Include your allowed licenses as a comma-separated list. OSV-Scanner recognizes licenses in SPDX format. Please indicate your allowed licenses using SPDX license identifiers.

License violations example

If you wanted to allow the following licenses:

Your command would be in this form:

osv-scanner --experimental-licenses="BSD-3-Clause,Apache-2.0,MIT" path/to/directory

Override License

Sometimes, the license either cannot be retrieved, or does not apply to your specific use. In those cases, you can override the license of a specific package by setting it in the config file.

See the configuration docs for how to do this.