Every time you run snyk test or snyk scan from our CLI, and every time Snyk tests your projects from our app, your projects are scanned not only for vulnerabilities but also for license compliance across all of the direct and indirect dependencies you use (on all paid plans). Snyk scans your manifest files, then checks the licenses used by your dependencies against the SPDX license standards and reports any license issues it finds.
The full list of supported licenses, with the default severities we’ve configured for you out of the box, can be viewed, and their policies customized, directly from our app by an admin of each of your organizations. If your policy is the same across all organizations, configure it once and then duplicate that organization. Alternatively, contact support and we’re happy to help.
To ease onboarding of your developers, we recommend that your teams review these defaults, update the severities and add instructions per license type based on the policies set out by your Legal teams. Once updated, when Snyk detects a license violation it displays the violation for all users in the organization, in the UI project area and in the CLI snyk test results, in the same way as a security vulnerability, including the severity and instructions you configured.
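As an added example (not Snyk’s own code), the script below separates license findings from security vulnerabilities in `snyk test --json` output and applies a severity gate the way a CI step might. The JSON field names it reads (`type`, `severity`, `packageName`, `version`, `license`, `from`) are assumed, and the sample report is constructed rather than real scan output.

```python
# Added example (not Snyk's code): triage license findings from `snyk test --json`.
# Assumption: each entry of `vulnerabilities` carries `type` ("vuln" or "license"),
# `severity`, `packageName`, `version`, `license` and `from` (dependency path).
# The report below is constructed, not real scan output.
import json

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

SAMPLE_REPORT = json.dumps({"ok": False, "vulnerabilities": [
    {"id": "SNYK-EXAMPLE-0001", "type": "vuln", "severity": "high",
     "packageName": "lodash", "version": "4.17.15",
     "from": ["my-app@1.0.0", "lodash@4.17.15"]},
    {"id": "snyk:lic:npm:example-gpl-lib:GPL-2.0", "type": "license",
     "severity": "high", "packageName": "example-gpl-lib", "version": "1.2.3",
     "license": "GPL-2.0", "from": ["my-app@1.0.0", "example-gpl-lib@1.2.3"]},
    {"id": "snyk:lic:npm:example-lgpl-lib:LGPL-3.0", "type": "license",
     "severity": "medium", "packageName": "example-lgpl-lib", "version": "0.9.0",
     "license": "LGPL-3.0",
     "from": ["my-app@1.0.0", "some-framework@2.0.0", "example-lgpl-lib@0.9.0"]},
]})

def license_issues(report_json):
    """Return only the license findings, each with its dependency path."""
    issues = []
    for issue in json.loads(report_json).get("vulnerabilities", []):
        if issue.get("type") != "license":
            continue  # security vulnerabilities are triaged separately
        path = issue.get("from", [])
        issues.append({
            "package": f"{issue['packageName']}@{issue['version']}",
            "license": issue.get("license", "unknown"),
            "severity": issue["severity"],
            "transitive": len(path) > 2,  # more than [root, package] = indirect
            "path": " > ".join(path),
        })
    return issues

def violates_policy(report_json, threshold="high"):
    """True if any license finding is at or above the severity threshold."""
    floor = SEVERITY_RANK[threshold]
    return any(SEVERITY_RANK[i["severity"]] >= floor
               for i in license_issues(report_json))

if __name__ == "__main__":
    for i in license_issues(SAMPLE_REPORT):
        print(f"{i['severity']:<8} {i['package']:<24} {i['license']:<9} {i['path']}")
    raise SystemExit(1 if violates_policy(SAMPLE_REPORT) else 0)
```

Pipe a real report in with `snyk test --json > report.json` and pass the file contents to `violates_policy` to fail the build at your chosen threshold.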
An inventory of your licenses
Within the Reports area you can view an inventory of all of your licenses across all your projects. Snyk also lists packages that have dual licenses and multiple licenses. See here for more information.