Support license categories in License Compliance approval policies


Proposal

GitLab currently requires administrators to maintain allowlists or denylists of individual SPDX license identifiers for License Scanning approval policies. This proposal introduces license categories to simplify license compliance management.

Problem

Large organizations define compliance policies at the category level (e.g., "deny all strong copyleft licenses", "allow only permissive licenses"), not at the individual license level.

Currently, implementing such policies requires manually enumerating all relevant licenses:

  • GPL-2.0-only, GPL-2.0-or-later, GPL-3.0-only, AGPL-3.0-only, etc.

This is tedious, error-prone, must be continuously updated as SPDX evolves, and scales poorly across many projects.

Solution

Introduce license categories in GitLab's License Scanning and allow approval policies to reference them.

Built-in categories:

  • Permissive (MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC, Zlib…)
  • Weak copyleft (LGPL-2.1, LGPL-3.0, MPL-2.0)
  • Strong copyleft (GPL-2.0, GPL-3.0)
  • Network copyleft (AGPL-3.0)
  • Non-commercial / restricted use (various CC-NC licenses)
  • Proprietary
  • Unknown

Example policy syntax:

approval_policy:
- name: Block Strong Copyleft Licenses
  enabled: true
  rules:
  - type: license_finding
    license_categories:  # NEW: category-based filtering
    - strong_copyleft
    - network_copyleft
  actions:
  - type: require_approval
    approvals_required: 2

Alternative approach (allowlist):

approval_policy:
- name: Allow Only Permissive Licenses
  enabled: true
  rules:
  - type: license_finding
    match_on_inclusion_license: false  # Deny all except...
    license_categories:
    - permissive
  actions:
  - type: require_approval
    approvals_required: 1
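As an added illustration of how the two example policies above could be evaluated, here is a small Python evaluator. It is not GitLab's own code: the category mapping is constructed from the issue's category list, the prefix matching of SPDX ids and the `non_commercial` entry (CC-BY-NC family) are assumptions, and the rule semantics follow the issue's examples.

```python
# Hypothetical evaluator for the proposed license_categories rule field.
# Added illustration, not GitLab code. The mapping is constructed from the
# issue's category list; the non_commercial prefix entry is an assumption.
from __future__ import annotations

# Category -> base SPDX ids. Base ids match by prefix, so GPL-2.0-only and
# GPL-2.0-or-later both land in strong_copyleft without listing each variant.
LICENSE_CATEGORIES = {
    "permissive": ("MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC", "Zlib"),
    "weak_copyleft": ("LGPL-2.1", "LGPL-3.0", "MPL-2.0"),
    "strong_copyleft": ("GPL-2.0", "GPL-3.0"),
    "network_copyleft": ("AGPL-3.0",),
    "non_commercial": ("CC-BY-NC",),  # assumption: CC-BY-NC-4.0, CC-BY-NC-SA-4.0, ...
}


def category_of(spdx_id: str) -> str:
    """Map an SPDX id (exact base id, or base id plus a '-suffix') to its category."""
    for category, bases in LICENSE_CATEGORIES.items():
        for base in bases:
            if spdx_id == base or spdx_id.startswith(base + "-"):
                return category
    return "unknown"  # the issue's catch-all 'Unknown' category


def violating_licenses(rule: dict, detected: set[str]) -> set[str]:
    """Licenses in `detected` that this license_finding rule flags.
    match_on_inclusion_license defaults to True (denylist: flag licenses inside the
    listed categories); False is the allowlist case: flag everything outside them."""
    categories = set(rule.get("license_categories", []))
    inclusion = rule.get("match_on_inclusion_license", True)
    return {lic for lic in detected if (category_of(lic) in categories) == inclusion}


def approvals_required(policy: dict, detected: set[str]) -> int:
    """Approvals the policy demands for `detected`; 0 when no rule matches."""
    if not policy.get("enabled", True):
        return 0
    rules = policy.get("rules", [])
    if not any(r.get("type") == "license_finding" and violating_licenses(r, detected) for r in rules):
        return 0
    return max((a.get("approvals_required", 1) for a in policy.get("actions", [])
                if a.get("type") == "require_approval"), default=0)
```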

Technical Considerations

  • Custom categories: Allow organizations to define their own categories
  • Category metadata: Expose category information in License Compliance UI
  • Backward compatibility: Continue supporting individual license names alongside categories
  • SPDX alignment: Consider aligning with SPDX license classification standards
  • API support: Extend License Compliance API to support category queries
  • Database schema: Store category-to-license mappings
  • UI updates: Add category selection in policy editor

Benefits

  • Reduces operational overhead for security and compliance teams
  • Avoids missing license variants due to naming differences
  • Aligns GitLab with real-world compliance workflows
  • Enables more intuitive and less fragile approval policies
  • Scales better across large organizations with many projects

Intended Users

What does success look like, and how can we measure that?

Success metrics:

  • Reduction in time spent maintaining license approval policies
  • Decrease in missed license variants in policies
  • Increased adoption of license compliance policies
  • Positive customer feedback from compliance teams

Measurements:

  • Number of policies using category-based filtering vs. individual licenses
  • Time to create/update license policies (before/after)
  • Customer satisfaction scores for license compliance features
