license compliance

Announcing Snyk’s developer-first license compliance management

| By Daniel Berman

We’re thrilled to announce Snyk’s developer-first license compliance management solution, designed to help you maintain a rapid development pace while also remaining compliant with the open source licenses you’re using in your code!

Open source software is not really free  — in fact, it can exact a heavy price from organizations using it without governance. Open source dependencies pulled into your code unchecked expose you to both security vulnerabilities and license compliance issues. 

We are super excited to announce that we now fully cover both sides of this coin to help organizations minimize this exposure effectively.   

Shifting left is not enough

Almost all applications today (96% of them actually, according to a 2019 study by Gartner) rely on open source components. The vast majority of these include legal conditions in the shape of a license. Not complying with these conditions could lead to hefty fines, lawsuits, and reputation damage. Therefore, managing open source licenses has become a top priority for development, security and compliance teams alike.

Still, many organizations are finding it challenging to balance this new priority with the business needs of the organization that require rapid development. Existing solutions promise to help organizations shift license compliance left but are, in effect, incompatible with modern development — they do not integrate well with Git-based workflows, they are applied too late in the development lifecycle and support manual and rigid processes. These solutions end up not being fully adopted by developers because of the friction they cause and because they slow down development. No one wants to find out their application is violating an open source license after the application has been deployed in production!

Since developers are the ones ultimately deciding what open source to use in order to build software, we believe that achieving license compliance requires developers to be able to truly embrace it in a frictionless manner. This enables compliance visibility early on in the development lifecycle and helps development, security and compliance teams avoid conflicts and expensive changes downstream. 

Snyk’s developer-first license compliance was designed to do just this — empower developers to embrace license compliance so organizations can mitigate risk effectively without compromising over the speed of development. 

“Open source license compliance wasn’t on our radar initially but Snyk changed that and makes it a lot easier for us to effectively manage the different licenses we use across our projects.” 

Ryan Kimber, Founder and CEO of FormHero

Complying early, and across the software development lifecycle

Snyk is first and foremost a tool designed by developers, for developers. Providing an intuitive and simple-to-use user interface, Snyk makes it easy for developers to integrate license compliance into their existing workflows. Offering a variety of integrations, Snyk enables developers to apply license testing on each and every stage of the SDLC and as early as possible. 

To ensure license compliance can be applied in a frictionless manner, Snyk’s Git-based integrations (GitHub, Bitbucket, GitLab, CircleCI, TeamCity) support license scanning as part of the regular workflow. New pull requests are scanned for license violations and indicate when a license check passes or fails in accordance with defined policies. 

Flagged license issues are displayed with the full context needed by developers to help them gauge the scope of the issue and take action, including detailed legal instructions specifying the next steps to be taken in order to comply with company policy.  

Controlling license compliance effectively 

Managing license compliance with manual processes and without any automation is akin to bringing a sword to a gunfight. Today’s highly dynamic and complex development environments require the ability to create, monitor, and enforce license compliance efficiently and effectively.

Snyk’s new policy manager allows controllers to outline the acceptable use of open source by developers and the appropriate response upon discovery of license issues. Administrators in Snyk can easily create and assign license policies to the different organizations within their group. 

Snyk provides a default license policy, automatically attached to newly created organizations and containing default settings which can, of course, be edited to match your preferences. 

Each policy contains rules — a white/black-list of sorts, detailing which licenses are acceptable and which are forbidden for use, together with a severity level which indicates how severe the license violation is. As mentioned above, Snyk’s license policies also allow controllers to add actionable legal instructions for the developers to use if faced with a specific license issue.

Using Snyk’s CI/CD integrations, policies can be enforced during the build process, giving the controllers the ability to gate builds and stop “bad” licenses from entering the codebase early on in the development cycle. Policy violations can trigger notifications via Slack, JIRA, and email of course.

Gaining end-to-end visibility into license usage

With application architecture becoming increasingly complex, visibility is key to properly mapping out the licenses being used across your projects. Snyk provides both wide coverage with integrations across the SDLC and deep coverage with the ability to detect licenses in both your direct and transitive dependencies.  

Snyk generates a full dependency tree to help you understand exactly what dependency introduced the license issue. In the example below, Snyk has identified two high severity license policy violations caused by the dependencies pulled into our project — a direct dependency on an npm package called wicket@1.3.5 and a transitive dependency on a package called flickity@2.2.1 introduced by web-project-starter@0.0.3

The visibility provided by the dependency tree enables the development team to quickly identify and remediate the issue to comply with company license policies.   

A variety of dashboarding and reporting capabilities provide controllers with the ability to view and share detailed lists of licenses being used, including a BoM report that lists all the open source components and licenses along with copyright information. 

Snyk’s license compliance supports all of the most popular programming languages, including (in no particular order of importance!): Java, JavaScript, Scala, Go, Python, Ruby, PHP, Swift, Objective-C, and .NET.

Develop fast, remain compliant

Developers are today’s builders. They are the ones making the decision about what open source code to include in their projects and as such, they control an organization’s exposure to security and compliance risk. 

The only way to control and minimize this exposure, without sacrificing their pace of development, is to give them the ability to seamlessly integrate security and license compliance into their development workflows. Snyk empowers developers to embrace license compliance by providing a developer-first solution, with developer-friendly tooling, flexible governance, and end-to-end visibility, resulting in more compliant code and, ultimately, reduced risk.
Snyk license compliance is available for all Snyk Open Source paid plans: Standard, Pro, and Enterprise. Sounds interesting? You can schedule a demo here. Not a Snyk user yet? You sign up for a free account here.