Skip to main content

Managing license compliance across your organization with Snyk’s license policies

Written by:
Josefa Riveros
Josefa Riveros
wordpress-sync/Compliance-FEATURE

April 30, 2020

0 mins read

Earlier this month, we rolled out the first phase of our Shared Policies initiative which will allow you to create sets of rules that can be applied across your organizations and projects. You can now create your own policies and use these rules to help your development teams easily find and fix what is most critical to your projects while minimizing the distractions created by less pressing issues.

We've started with License policies which will allow our customers to better scale their open source licensecompliance initiatives. We've taken our current organization-level license policies and moved them to our new Policy Manager tab. Group-level administrators can now set a policy and apply it to multiple orgs and, later on, to projects using project attributes.

This feature is an important addition to Snyk’s developer-first open source license compliance solution as it empowers developers to seamlessly embrace license compliance early in the software development lifecycle.

Even more exciting is that this is just the start for policies solution! Keep your eyes on this area throughout the upcoming months as we look to other types of policies, such as security policies, dependency policies, and container policies.

For more on how you can use license policies to scale your license compliance with Snyk, read on!

Getting started

If you are a group administrator on a Pro or Enterprise level account, setting up a policy is easy. Simply open the Snyk platform and click on the Policies tab in the navigation bar to see all the policies that exist within your group.

Group administrators will have the ability to make any changes such as creating a new policy, editing, and deleting policies.

To create a new policy, click on the green + Add new policy button and a modal will appear where you can set a policy name and description, select which organizations to apply to the policy, and set up the rules for your policy.

wordpress-sync/blog-snyk-license-compliance-getting-started

To edit a policy, click on the policy name of an existing policy in the policy manager tab to open the modal and then make your changes.

wordpress-sync/blog-snyk-license-compliance-edit-policy

To delete a policy, click on the 3 dots on the right-hand side of the policy that you'd like to delete in the policy manager tab. This will open a drop-down with the option to delete a policy. Using this icon, you can also duplicate the rules of an existing policy.

What does this mean for you?

Easier and faster license management

Our new license policies system provides you with a more streamlined process for managing license compliance. You can now create one policy and assign it to multiple organizations so when changes in severity need to be made or new legal instructions need to be added, it's much easier and quicker to do so. The changes made will be applied to all the projects within your organizations assigned to that policy once projects have been re-tested.

Some of our customers have gone from managing 40+ license policies to only managing two or three!

Default policy

You'll notice there is a default policy already created for you that contains the Snyk default and it cannot be removed; however, this default policy can be modified. You can edit the name, description, and license severities to best suit your needs.

The default policy acts as a baseline. We recommend setting your minimally allowed license severities as your default policy. When new organizations are added to your group, they will be assigned your default policy. If you do not want an existing organization to inherit the default policy, simply assign it to a different, existing policy.

What’s next?

We're looking into allowing you to get even more granular with license policies by applying them to the project level using project tags. We know that projects within one organization may need different license policies. Project tags would allow you to create policies based on the tags assigned to your projects.

Additionally, there are tons of other types of policies that can help you better prioritize the vulnerabilities within your portfolio and we’re investigating some pretty cool ideas to allow you to accomplish this. Watch this space and let us know what you think, or if you have policy ideas that you'd like to share.

Stay secure!

Posted in: