License Policies
Sandworm uses license policies to determine what sort of issues to raise when scanning your app's dependency licenses. A license policy object links specific license strings or license categories to an issue severity level. Any usage of such licenses will, upon audit, generate a license issue of the specified severity.
The default license policy:

- Generates `high` severity license issues for licenses labeled as Network Protective or Strongly Protective;
- Generates `moderate` severity license issues for licenses labeled as Weakly Protective.
Un-categorized licenses always result in a `high` severity error.

While we do our best to keep license info accurate and up-to-date, you should still carefully review all of the terms and conditions of the actual license before using the licensed material. Sandworm isn't a law firm and doesn't provide legal services.
You can configure Sandworm to use a custom license policy. The policy object:

- has keys that match one of the supported issue severities: `critical`, `high`, `moderate`, or `low`;
- has values that are arrays;
- each array value is a string that represents:
  - a specific license, for example `MIT`;
  - a category of licenses, prefixed by "cat:", for example `cat:Network Protective`.
As an example, here is the default license policy that Sandworm applies (the trailing comma after the last entry would make this invalid JSON, so it is omitted here):

```json
{
  "high": ["cat:Network Protective", "cat:Strongly Protective"],
  "moderate": ["cat:Weakly Protective"]
}
```
To provide a custom license policy, use the `--license-policy` command-line option, or the `audit.licensePolicy` field in the `.sandworm.config.json` configuration file. For example, to generate a critical issue for any dependency using the MIT license:

```shell
sandworm-audit --license-policy '{"critical": ["MIT"]}'
```
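To make the policy semantics concrete, here is an added example (not Sandworm's own code) of a small evaluator that applies a policy object of the shape described above to a map of dependencies. The `SAMPLE_CATEGORIES` table is a constructed stand-in for Sandworm's license metadata, and the rule that the most severe matching level wins when a license matches several keys is an assumption of this example.

```javascript
// Added example, not part of Sandworm: evaluates a license policy object
// against a {dependencyName: licenseId} map and returns the issues it raises.

const DEFAULT_POLICY = {
  high: ["cat:Network Protective", "cat:Strongly Protective"],
  moderate: ["cat:Weakly Protective"],
};

// Constructed sample of license identifiers mapped to the categories the
// documentation names; Sandworm's real metadata is not reproduced here.
const SAMPLE_CATEGORIES = {
  "AGPL-3.0-only": "Network Protective",
  "GPL-3.0-only": "Strongly Protective",
  "LGPL-3.0-only": "Weakly Protective",
  MIT: "Permissive",
  ISC: "Permissive",
};

// Supported severities, ordered from most to least severe.
const SEVERITIES = ["critical", "high", "moderate", "low"];

// Reject policies with unknown severity keys or non-string-array values,
// so a typo in a custom policy fails loudly instead of silently matching nothing.
function validatePolicy(policy) {
  for (const [severity, licenses] of Object.entries(policy)) {
    if (!SEVERITIES.includes(severity)) throw new Error(`unsupported severity: ${severity}`);
    if (!Array.isArray(licenses) || !licenses.every((l) => typeof l === "string")) {
      throw new Error(`policy.${severity} must be an array of strings`);
    }
  }
  return policy;
}

// Severity for one license, or null when the policy raises nothing for it.
// Un-categorized licenses always yield "high", as the documentation states.
// Assumption: when a license matches more than one key, the most severe wins.
function severityFor(license, policy, categories = SAMPLE_CATEGORIES) {
  const category = categories[license];
  if (category === undefined) return "high";
  for (const severity of SEVERITIES) {
    const rules = policy[severity] || [];
    if (rules.includes(license) || rules.includes(`cat:${category}`)) return severity;
  }
  return null;
}

// Audit every dependency and collect {name, license, severity} issues.
function auditLicenses(deps, policy = DEFAULT_POLICY, categories = SAMPLE_CATEGORIES) {
  validatePolicy(policy);
  const issues = [];
  for (const [name, license] of Object.entries(deps)) {
    const severity = severityFor(license, policy, categories);
    if (severity) issues.push({ name, license, severity });
  }
  return issues;
}
```

Running `auditLicenses` with the default policy flags copyleft and unknown licenses but stays silent on permissive ones, while the custom `{"critical": ["MIT"]}` policy from the CLI example flags MIT alone.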