Announcing Snyk’s developer-first license compliance management

Daniel Berman, April 23, 2020

We’re thrilled to announce Snyk’s developer-first license compliance management solution, designed to help you maintain a rapid development pace while also remaining compliant with the open source licenses you’re using in your code!

Open source software is not really free — in fact, it can exact a heavy price from organizations using it without governance. Open source dependencies pulled into your code unchecked expose you to both security vulnerabilities and license compliance issues.

We are super excited to announce that we now fully cover both sides of this coin to help organizations minimize this exposure effectively.   

Join us for a live webinar and learn more about license compliance!

Shifting left is not enough

Almost all applications today (96% of them actually, according to a 2019 study by Gartner) rely on open source components. The vast majority of these include legal conditions in the shape of a license. Not complying with these conditions could lead to hefty fines, lawsuits, and reputation damage. Therefore, managing open source licenses has become a top priority for development, security and compliance teams alike.

Still, many organizations are finding it challenging to balance this new priority with the business needs of the organization that require rapid development. Existing solutions promise to help organizations shift software license compliance left but are, in effect, incompatible with modern development — they do not integrate well with Git-based workflows, they are applied too late in the development lifecycle, and they rely on manual, rigid processes. These solutions end up not being fully adopted by developers because of the friction they cause and because they slow down development. No one wants to find out their application is violating an open source license after the application has been deployed in production!

Since developers are the ones ultimately deciding what open source to use in order to build software, we believe that achieving license compliance requires developers to be able to truly embrace it in a frictionless manner. This enables compliance visibility early on in the development lifecycle and helps development, security and compliance teams avoid conflicts and expensive changes downstream. 

Snyk’s developer-first license compliance was designed to do just this — empower developers to embrace license compliance so organizations can mitigate risk effectively without compromising the speed of development.

“Open source license compliance wasn’t on our radar initially but Snyk changed that and makes it a lot easier for us to effectively manage the different licenses we use across our projects.” 

– Ryan Kimber, Founder and CEO of FormHero

Complying early, and across the software development lifecycle

Snyk is first and foremost a tool designed by developers, for developers. Providing an intuitive and simple-to-use user interface, Snyk makes it easy for developers to integrate license compliance into their existing workflows. Offering a variety of integrations, Snyk enables developers to apply license testing on each and every stage of the SDLC and as early as possible. 

To ensure license compliance can be applied in a frictionless manner, Snyk’s Git-based integrations (GitHub, Bitbucket, GitLab, CircleCI, TeamCity) support license scanning as part of the regular workflow. New pull requests are scanned for license violations and indicate when a license check passes or fails in accordance with defined policies. 

Flagged license issues are displayed with the full context needed by developers to help them gauge the scope of the issue and take action, including detailed legal instructions specifying the next steps to be taken in order to comply with company policy.  

Controlling license compliance effectively 

Managing license compliance with manual processes and without any automation is akin to bringing a sword to a gunfight. Today’s highly dynamic and complex development environments require the ability to create, monitor, and enforce license compliance efficiently and effectively.

Snyk’s new policy manager allows controllers to outline the acceptable use of open source by developers and the appropriate response upon discovery of license issues. Administrators in Snyk can easily create and assign license policies to the different organizations within their group. 

Snyk provides a default license policy, automatically attached to newly created organizations and containing default settings which can, of course, be edited to match your preferences. 

Each policy contains rules — an allow/deny list of sorts, detailing which licenses are acceptable and which are forbidden for use, together with a severity level assigned to violations of each rule. As mentioned above, Snyk’s license policies also allow controllers to add actionable legal instructions for developers to follow when faced with a specific license issue.

Using Snyk’s CI/CD integrations, policies can be enforced during the build process, giving controllers the ability to gate builds and stop “bad” licenses from entering the codebase early in the development cycle. Policy violations can trigger notifications via Slack, Jira, and, of course, email.

Gaining end-to-end visibility into license usage

With application architecture becoming increasingly complex, visibility is key to properly mapping out the licenses being used across your projects. Snyk provides both wide coverage with integrations across the SDLC and deep coverage with the ability to detect licenses in both your direct and transitive dependencies.  

Snyk generates a full dependency tree to help you understand exactly which dependency introduced the license issue. In the following example, Snyk has identified two high severity license policy violations caused by the dependencies pulled into our project — a direct dependency on an npm package called wicket@1.3.5 and a transitive dependency on a package called flickity@2.2.1 introduced by web-project-starter@0.0.3.

The visibility provided by the dependency tree enables the development team to quickly identify and remediate the issue to comply with company license policies.   
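As an added example (not Snyk’s code, and not Snyk’s policy format), here is a small Python script that walks a dependency tree like the one described above against an allow/deny policy, reports for each forbidden license whether it arrived through a direct or a transitive dependency, and decides whether the result should gate a build. The package license strings are constructed sample values, not the real licenses of those packages.

```python
from dataclasses import dataclass, field

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}

@dataclass
class Package:
    name: str
    version: str
    license: str  # SPDX identifier declared by the package
    deps: list = field(default_factory=list)

    @property
    def coordinate(self):
        return f"{self.name}@{self.version}"

# Hypothetical policy: forbidden license -> severity of a violation.
POLICY = {"GPL-3.0-only": "high", "AGPL-3.0-only": "high", "LGPL-2.1-only": "medium"}

def find_violations(root, policy):
    """Depth-first walk; each hit is (coordinate, license, severity, path), path running
    from the root's direct dependency down to the offender (direct => length 1)."""
    hits, seen = [], set()
    def walk(pkg, chain):
        if pkg.coordinate in seen:  # shared subtree: report the first path only
            return
        seen.add(pkg.coordinate)
        chain = chain + [pkg.coordinate]
        if pkg.license in policy:
            hits.append((pkg.coordinate, pkg.license, policy[pkg.license], chain[1:]))
        for dep in pkg.deps:
            walk(dep, chain)
    walk(root, [])
    return hits

def should_fail_build(violations, threshold="high"):
    """CI gate: fail when any violation is at or above the threshold severity."""
    return any(SEVERITY_RANK[s] >= SEVERITY_RANK[threshold] for _, _, s, _ in violations)

# Constructed sample tree mirroring the post's scenario (not Snyk's code);
# license strings are made-up values, not the real licenses of these packages.
flickity = Package("flickity", "2.2.1", "GPL-3.0-only")
starter = Package("web-project-starter", "0.0.3", "MIT", [flickity])
wicket = Package("wicket", "1.3.5", "GPL-3.0-only")
project = Package("my-app", "1.0.0", "UNLICENSED", [wicket, starter, Package("lodash", "4.17.15", "MIT")])

def report(root=project, policy=POLICY):
    lines = []
    for coord, lic, sev, path in find_violations(root, policy):
        kind = "direct" if len(path) == 1 else "transitive"
        lines.append(f"{sev.upper()}: {coord} ({lic}) {kind} via {' > '.join(path)}")
    return lines
```

Running `report()` yields one line per violation, so the transitive flickity hit shows the full chain through web-project-starter, which is exactly the context a developer needs to decide whether to replace the direct dependency or pin a different version.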

A variety of dashboarding and reporting capabilities provide controllers with the ability to view and share detailed lists of licenses being used, including a BoM report that lists all the open source components and licenses along with copyright information. 

Snyk’s license compliance supports all of the most popular programming languages, including (in no particular order of importance!): Java, JavaScript, Scala, Go, Python, Ruby, PHP, Swift, Objective-C, and .NET.

Develop fast, remain compliant

Developers are today’s builders. They are the ones making the decision about what open source code to include in their projects and as such, they control an organization’s exposure to security and compliance risk. 

The only way to control and minimize this exposure, without sacrificing their pace of development, is to give them the ability to seamlessly integrate security and license compliance into their development workflows. Snyk empowers developers to embrace license compliance by providing a developer-first solution, with developer-friendly tooling, flexible governance, and end-to-end visibility, resulting in more compliant code and, ultimately, reduced risk.

Snyk license compliance is available for all Snyk Open Source paid plans: Standard, Pro, and Enterprise. Sounds interesting? You can schedule a demo here. Not a Snyk user yet? You can sign up for a free account here.
