License Compliance¶
Beyond security vulnerabilities, SentriKat checks the open-source licenses of the dependencies it discovers, so a risky or incompatible license doesn't slip into a product unnoticed. License risk is a supply-chain and legal concern that sits naturally alongside vulnerability management — the same dependency inventory feeds both.
What it does¶
For every open-source package found through dependency scanning, SentriKat resolves the package's declared license to a normalised SPDX identifier (e.g. MIT, Apache-2.0, GPL-3.0-only, AGPL-3.0-only) and assigns it a risk tier:
| Tier | Examples | Why it matters |
|---|---|---|
| Permissive | MIT, BSD-⅔-Clause, Apache-2.0, ISC | Low obligation — attribution only. Safe for most uses. |
| Weak copyleft | MPL-2.0, LGPL-2.⅓.0, EPL-2.0 | File/library-level copyleft — usually fine when linked, but obligations apply. |
| Strong copyleft | GPL-2.0, GPL-3.0 | Can require you to release derived source. Review before shipping in a proprietary product. |
| Network copyleft | AGPL-3.0 | Copyleft triggers even for network use (SaaS). The highest-attention tier. |
| Unknown / NOASSERTION | unresolved or missing license | Treated as risk — you can't assess what you can't see. |
The point isn't to tell you a license is "bad" — it's to surface the obligations so your team (or legal counsel) can make an informed call before a copyleft dependency ends up in a shipped product.
Where the data comes from¶
License facts are resolved from the deps.dev dataset (Google's open-source insights), normalised to SPDX. For air-gapped deployments the license feed ships in the offline bundle and the resolution happens as a local join against your inventory — no per-lookup internet call required.
In the dashboard¶
License findings appear alongside the dependency inventory:
- Filter dependencies by risk tier to find every strong-/network-copyleft package in one view.
- See the SPDX identifier and source (declared vs concluded) per package.
- Unknown licenses are flagged so you can chase down the gap.
In exports¶
License identifiers are included in the SBOM exports (CycloneDX, SPDX, STIX) so downstream tools and auditors get the same license picture. Use exclude_licenses=true on the SBOM Export API only if you deliberately want a smaller, license-free document.
Relationship to the Cyber Resilience Act¶
The EU Cyber Resilience Act pushes software vendors toward a documented, auditable view of their components — and license posture is part of a defensible SBOM. Tracking license risk on the same inventory you already scan for vulnerabilities keeps that picture consistent and current.
See also¶
- Dependency Scanning — how the inventory is built
- SBOM Export — where license data is included
- Compliance Reports — framework gap-analysis reports