License auditor
Evaluates package licenses against allow/deny SPDX policy.
| Property | Value |
|---|---|
| Auditor name | license |
| Finding kind | license |
| Runs with --audit | Yes |
| Needs enrichment data | No |
| Policy flags | --allow-license, --deny-license, --license-exempt-package |
| Finding reasons | denied license, license not in allowlist, missing license |
User notes
Works on licenses already on the graph; run --enrich first when native detection did not resolve a license. --license-exempt-package waives the policy for specific packages. License values are matched as SPDX expressions.
What the license auditor does
It reads each package's license, parses it as an SPDX expression, and checks it against your allow/deny policy. A package fails policy when its license is explicitly denied, or — when an allowlist is set — when its license is not on the allowlist. Packages with no resolved license can be flagged so license gaps don't pass silently.
License data comes from native detection or from a license matcher (deps.dev, ClearlyDefined). Run --enrich first if your graph is missing licenses.
Options
| Flag | YAML key | Effect |
|---|---|---|
| --allow-license <spdx> | policy.allow_licenses | Permit only these SPDX licenses; anything else fails. Repeatable. |
| --deny-license <spdx> | policy.deny_licenses | Fail on these SPDX licenses regardless of the allowlist. Repeatable. |
| --license-exempt-package <name> | policy.license_exempt_packages | Waive license policy for a specific package. Repeatable. |
--allow-license and --deny-license accept SPDX identifiers (e.g. MIT, Apache-2.0, GPL-3.0-only).
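The policy semantics above (allowlist, denylist that overrides the allowlist, per-package exemptions, and the three finding reasons) are small enough to show end to end. The block below is an added illustration written for this page, not bomly's own code: it parses an SPDX expression into its OR-alternatives and evaluates each package against a constructed policy. Two points are this example's assumptions rather than documented behaviour: an `OR` expression passes when any one alternative passes, and an unparsable license string is reported as a missing license (consistent with the Limitations section). Package names and license values in `SAMPLE_PACKAGES` are constructed.

```python
"""Added example (not bomly's own code): allow/deny SPDX policy evaluation."""
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Tuple

# Finding reasons, as listed in the auditor's property table above.
DENIED = "denied license"
NOT_ALLOWED = "license not in allowlist"
MISSING = "missing license"


@dataclass
class LicensePolicy:
    allow: set = field(default_factory=set)   # --allow-license / policy.allow_licenses
    deny: set = field(default_factory=set)    # --deny-license / policy.deny_licenses
    exempt: set = field(default_factory=set)  # --license-exempt-package / policy.license_exempt_packages


# SPDX expression tokens: parentheses, identifiers (letters, digits, '.', '+', '-'), or an error.
_TOKEN = re.compile(r"\s*(?:(\(|\))|([A-Za-z0-9.+-]+)|(\S))")


def _tokenize(expr: str) -> List[str]:
    out = []
    for m in _TOKEN.finditer(expr):
        if m.group(3):  # any other character (':' or '/' in a URL, for example) is not SPDX
            raise ValueError(f"bad character {m.group(3)!r} in SPDX expression")
        out.append(m.group(1) or m.group(2))
    return out


class _Parser:
    """Recursive descent over: or := and ('OR' and)* ; and := atom ('AND' atom)* ;
    atom := '(' or ')' | id ['WITH' id]. Produces disjunctive normal form:
    a list of alternatives, each a frozenset of license ids that must all be acceptable."""

    def __init__(self, tokens: List[str]):
        self.toks, self.i = tokens, 0

    def peek(self) -> Optional[str]:
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self) -> Optional[str]:
        tok = self.peek()
        self.i += 1
        return tok

    def parse_or(self):
        alts = self.parse_and()
        while (self.peek() or "").upper() == "OR":
            self.take()
            alts = alts + self.parse_and()
        return alts

    def parse_and(self):
        alts = self.parse_atom()
        while (self.peek() or "").upper() == "AND":
            self.take()
            right = self.parse_atom()
            alts = [a | b for a in alts for b in right]  # distribute AND over OR
        return alts

    def parse_atom(self):
        tok = self.take()
        if tok is None:
            raise ValueError("unexpected end of expression")
        if tok == "(":
            alts = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return alts
        if tok == ")" or tok.upper() in ("AND", "OR", "WITH"):
            raise ValueError(f"unexpected {tok!r}")
        if (self.peek() or "").upper() == "WITH":  # keep 'X WITH exception' as one id
            self.take()
            exc = self.take()
            if exc is None or exc in ("(", ")"):
                raise ValueError("WITH needs an exception id")
            tok = f"{tok} WITH {exc}"
        return [frozenset({tok})]


def to_dnf(expr: str):
    """Parse an SPDX expression into a list of frozensets (OR-alternatives of AND-sets)."""
    parser = _Parser(_tokenize(expr))
    alts = parser.parse_or()
    if parser.peek() is not None:
        raise ValueError(f"trailing token {parser.peek()!r}")
    return alts


def evaluate(package: str, license_expr: Optional[str], policy: LicensePolicy) -> Optional[str]:
    """Return a finding reason for the package, or None when it passes policy."""
    if package in policy.exempt:          # exemption waives the policy entirely
        return None
    if not license_expr or not license_expr.strip():
        return MISSING
    try:
        alts = to_dnf(license_expr)
    except ValueError:                    # assumption: non-SPDX strings surface as missing
        return MISSING

    def alternative_ok(ids) -> bool:
        if ids & policy.deny:             # denylist wins regardless of the allowlist
            return False
        if policy.allow and not ids <= policy.allow:
            return False
        return True

    if any(alternative_ok(ids) for ids in alts):  # assumption: any OR branch may be chosen
        return None
    every_id = frozenset().union(*alts)
    return DENIED if every_id & policy.deny else NOT_ALLOWED


def audit(packages: Iterable[Tuple[str, Optional[str]]], policy: LicensePolicy) -> dict:
    """Map package name -> finding reason, for failing packages only."""
    return {name: r for name, expr in packages for r in [evaluate(name, expr, policy)] if r}


# Constructed sample input: a policy like the third CLI example, and a handful of packages.
SAMPLE_POLICY = LicensePolicy(allow={"MIT", "Apache-2.0", "BSD-3-Clause"},
                              deny={"GPL-3.0-only"}, exempt={"my-internal-lib"})
SAMPLE_PACKAGES = [
    ("left-pad", "MIT"),
    ("copyleft-thing", "GPL-3.0-only"),
    ("dual", "MIT OR GPL-3.0-only"),            # passes: MIT branch is allowed
    ("isc-and-mit", "MIT AND ISC"),             # fails: ISC is not on the allowlist
    ("my-internal-lib", "LicenseRef-Custom"),   # exempt by name
    ("nolicense", None),
    ("weird", "https://example.com/license"),   # not an SPDX expression
]

if __name__ == "__main__":
    for name, reason in audit(SAMPLE_PACKAGES, SAMPLE_POLICY).items():
        print(f"{name}: {reason}")
```

The evaluator reports one reason per package; a real auditor would also carry the offending license id, but the three reason strings are what the finding kind above exposes.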
Examples
```sh
# Permit only permissive licenses
bomly scan --enrich --audit \
  --allow-license MIT --allow-license Apache-2.0 --allow-license BSD-3-Clause \
  --fail-on any

# Block copyleft outright, allow everything else
bomly scan --enrich --audit --deny-license GPL-3.0-only --fail-on any

# Allowlist, but exempt one internal package shipped under a custom license
bomly scan --enrich --audit \
  --allow-license MIT \
  --license-exempt-package my-internal-lib \
  --fail-on any
```
Limitations
- SPDX expressions only. A non-SPDX license string (a raw URL, a custom name) won't match an allow/deny SPDX identifier and may surface as a missing/unknown license.
- One license source wins. When detection and a matcher disagree, the value on the package is what gets evaluated; run with --enrich for the most complete coverage.
- Exemptions are by package name, so a name that appears in multiple ecosystems is exempted in all of them.