Configure License Compliance for Security Products
Problem to solve
Security Product projects have no automated way to check which licenses are allowed or denied.
Intended users
devopssecure team members
Proposal
Configure all relevant Secure projects with License Policies matching our Acceptable Licenses and Unacceptable Licenses.
We might be able to use the managed licenses API to script this instead of doing it manually via the UI.
Implementation plan
- Go through Secure projects and find those that contain package manager files. Exclude demo and test projects because they contain no originally written code.
- Create a script using the managed licenses API to apply allowed and denied licenses.
- Apply this script to found projects.
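The three steps above as one script, added here as an illustration and not part of this issue. It assumes the managed licenses endpoint (POST /projects/:id/managed_licenses with name and approval_status), a constructed project list in place of a real project listing, sample license names, and a crude name filter for demo/test projects; the HTTP call is injectable so the logic can be exercised without a GitLab instance.

```python
import json
import urllib.request

# Constructed sample lists standing in for the Acceptable/Unacceptable Licenses
# pages (assumption: the real lists are maintained in the handbook).
ALLOWED_LICENSES = ["MIT", "Apache-2.0", "BSD-3-Clause"]
DENIED_LICENSES = ["AGPL-3.0", "GPL-3.0-only"]

# Package manager files that mark a project as in scope (assumed set).
PACKAGE_FILES = {"Gemfile.lock", "package-lock.json", "go.sum", "Pipfile.lock"}


def in_scope(project):
    """Step 1: keep projects that ship dependency manifests, drop demo/test ones.
    The name check is a crude heuristic (assumption), not a GitLab attribute."""
    name = project["name"].lower()
    if any(tag in name for tag in ("demo", "test")):
        return False
    return any(f in PACKAGE_FILES for f in project["files"])


def build_policies(allowed, denied):
    """Step 2: one managed_licenses payload per license name.
    Older instances expect approved/blacklisted instead of allowed/denied."""
    return ([{"name": n, "approval_status": "allowed"} for n in allowed]
            + [{"name": n, "approval_status": "denied"} for n in denied])


def gitlab_poster(base_url, token):
    """Return post(path, payload) that calls the GitLab v4 API with a private token."""
    def post(path, payload):
        req = urllib.request.Request(
            f"{base_url}/api/v4{path}",
            data=json.dumps(payload).encode(),
            headers={"PRIVATE-TOKEN": token, "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return post


def apply_policies(projects, policies, post):
    """Step 3: apply every policy to every in-scope project.
    Returns {project_id: [license names applied]} so the run can be audited."""
    applied = {}
    for project in filter(in_scope, projects):
        path = f"/projects/{project['id']}/managed_licenses"
        applied[project["id"]] = [post(path, p)["name"] for p in policies]
    return applied
```

A real run would pass `gitlab_poster("https://gitlab.com", token)` as `post` together with the project list fetched for the group.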
Further details
Permissions and Security
There is no change in permissions, but the DRI should have Maintainer permissions on the Secure projects in order to update their policies.
What does success look like, and how can we measure that?
When a new dependency is introduced, its license is checked against the configured policies so that denied licenses cannot be included.
Is this a cross-stage feature?
This impacts all groups of devopssecure.