1. Overview

Prisma Cloud can detect licenses for package dependencies in code repositories. It can scan code repos hosted by service providers (currently GitHub only). It can also scan build folders constructed by CI build jobs.

A license policy defines the criticality of a license. For example, you might consider any package with a GPL license to be a critical issue. Depending on your license policy, Prisma Cloud can raise alerts and block builds.

2. Create a license compliance policy

Compliance policies consist of one or more rules.

Prisma Cloud ships with a default rule named Default - alert all components. This rule ships with alerts disabled, so the policy is effectively disabled. As a starting point, consider cloning this rule, and reconfiguring it for your own purposes. Set a threshold, and declare licenses you consider critical. Rule order is important, so be sure your custom rule sits above the default rule.

  1. Open Console.

  2. Go to Defend > Compliance > Code repositories.

  3. Choose the target of your policy.

    If your policy targets GitHub, go to the Repositories tab.

    If your policy targets your CI pipeline, go to the CI tab.

  4. Click Add rule.

  5. Specify a rule name.

  6. In Scope, select one or more collections to apply your policy to specific repos.

    Use the default All collection to apply it to all repos.

  7. Set the rule thresholds.

  8. Specify the severity of each license of interest.

    Each field offers SPDX license identifiers as suggestions. Pattern-matching expressions are supported (e.g., GPL-*).
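Steps 7 and 8 above define a severity per license pattern and a threshold. As an added illustration (not Prisma Cloud's code, and not its actual matching or threshold semantics), the evaluator below applies constructed wildcard rules on SPDX identifiers to a constructed dependency list and reports whether the build would be blocked; the first-match-wins rule ordering and the OR/AND handling of SPDX expressions are assumptions of the example.

```python
import fnmatch
SEVERITIES = ["low", "medium", "high", "critical"]

# Constructed policy (not a Prisma Cloud export): SPDX identifier patterns, with
# wildcards as in the Console rule form, mapped to a severity, plus the threshold
# at or above which a finding blocks the build. Assumption: first match wins.
POLICY = {
    "licenses": [
        ("LGPL-*", "high"),
        ("GPL-*", "critical"),
        ("MIT", "low"),
    ],
    "block_threshold": "critical",
}

# Constructed dependency list: (package name, SPDX license expression).
PACKAGES = [
    ("readline-bindings", "GPL-3.0-or-later"),
    ("glib-wrapper", "LGPL-2.1-only"),
    ("dual-lib", "GPL-2.0-only OR MIT"),
    ("combo", "Apache-2.0 AND GPL-2.0-only"),
    ("mystery", "UNKNOWN"),
]

def license_severity(spdx_id, rules):
    """Severity of one SPDX identifier under the rules, or None if unlisted."""
    for pattern, severity in rules:
        if fnmatch.fnmatchcase(spdx_id, pattern):
            return severity
    return None

def expression_severity(expr, rules):
    """Severity of an SPDX expression. 'A OR B' lets the consumer pick either
    license, so the least severe option counts; 'A AND B' imposes both, so the
    most severe counts. Nested parentheses are not handled (assumption)."""
    for op, pick in ((" OR ", min), (" AND ", max)):  # OR binds loosest
        if op in expr:
            sevs = [expression_severity(p, rules) for p in expr.split(op)]
            sevs = [s for s in sevs if s is not None]
            return pick(sevs, key=SEVERITIES.index) if sevs else None
    return license_severity(expr.strip("() "), rules)

def evaluate(packages, policy):
    """Count findings per severity and decide whether the build is blocked."""
    counts = {s: 0 for s in SEVERITIES}
    for _name, expr in packages:
        sev = expression_severity(expr, policy["licenses"])
        if sev is not None:
            counts[sev] += 1
    floor = SEVERITIES.index(policy["block_threshold"])
    blocked = any(counts[s] > 0 for s in SEVERITIES[floor:])
    return counts, blocked
```

Unlisted identifiers (such as UNKNOWN above) produce no finding, so a real policy needs a catch-all pattern if unrecognised licenses should be flagged.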

3. Scan with twistcli

To scan a folder with twistcli, use the following command:

twistcli coderepo scan [FOLDER_PATH] --details

Contents of the repo are assessed according to the policy defined in Defend > Compliance > Code repositories > CI. Scan results are published in Monitor > Compliance > Code repositories > CI.

For CI only, a status column indicates whether twistcli passed or failed the build according to the defined policy.

4. Review scan results

Go to Monitor > Compliance > Code repositories. Each row in the results table has a meter which shows the number of compliance issues at each severity level. Click on a row to drill into the details of the scan report.