License policy

How allowed / warned / blocked license lists are evaluated against each dependency.

Why license policy

Vulnerability findings are reactive — they appear after upstream publishes a CVE. License policy is preventative: you pre-declare which SPDX identifiers your workspace is willing to ship, and Audito flags every dependency whose license falls into the warn or block buckets.

The model

A policy is a single row per workspace with three lists and a default verdict:

  • allowed — verdict pass. Permissive licenses you ship without review.
  • warned — verdict warn. Surfaces in the UI but isn't a hard block.
  • blocked — verdict block. Treated as a violation.
  • default_verdict — pass or warn. What we return when a license isn't on any of the three lists. pass is permissive ("if it isn't blocked, it's fine"); warn is strict ("everything must be on the list").

If you've never edited the policy, Audito uses a hardcoded default:

  • Allowed: MIT, ISC, Apache-2.0, BSD-2-Clause, BSD-3-Clause, 0BSD, Unlicense, CC0-1.0
  • Warned: GPL-2.0, GPL-3.0, LGPL-2.1, LGPL-3.0, MPL-2.0, EPL-1.0, EPL-2.0, AGPL-3.0
  • Blocked: SSPL-1.0, BUSL-1.1, Commons-Clause
  • Default verdict: pass

The settings page shows "Using defaults" until you save your first edit.

How a license is classified

Tokens are normalized (uppercased, stripped of brackets and whitespace) on both write and read, so mit and MIT and (MIT) all match the same entry.

For multi-license SPDX expressions like MIT OR GPL-3.0, Audito splits on OR, AND, comma (,), slash (/), and semicolon (;), classifies each token, and picks the most permissive verdict, on the reasoning that picking any one license satisfies the expression. This is a deliberate simplification of full SPDX semantics: we don't model precedence or WITH <exception> clauses, and because AND is split the same way as OR, a conjunction is also judged by its most permissive member.

When a dependency has no license metadata at all, the result depends on the default verdict: pass returns "No license metadata; default policy permits unknowns", warn returns "No license metadata".
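The classification rules above, written out as an added example in TypeScript. This is not Audito's own code: the type names, function names and the reason strings for known licenses are assumptions, while the default lists, the default verdict and the two "No license metadata" messages are taken from this page. It also shows what the documented simplifications mean in practice: MIT AND GPL-3.0 is judged by its most permissive member, and a WITH clause is not recognized, so it falls through to the default verdict.

```typescript
// Added example, not Audito's own code. Types and helper names are assumptions.
type Verdict = "pass" | "warn" | "block";

interface LicensePolicy {
  allowed: string[];
  warned: string[];
  blocked: string[];
  defaultVerdict: "pass" | "warn";
}

interface Classification {
  verdict: Verdict;
  reason: string;
}

// Hardcoded default policy as listed on the page.
const DEFAULT_POLICY: LicensePolicy = {
  allowed: ["MIT", "ISC", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "0BSD", "Unlicense", "CC0-1.0"],
  warned: ["GPL-2.0", "GPL-3.0", "LGPL-2.1", "LGPL-3.0", "MPL-2.0", "EPL-1.0", "EPL-2.0", "AGPL-3.0"],
  blocked: ["SSPL-1.0", "BUSL-1.1", "Commons-Clause"],
  defaultVerdict: "pass",
};

// Normalization applied on both write (policy lists) and read (dependency
// metadata): uppercase, drop brackets and whitespace, so "mit", "MIT" and
// "(MIT)" all compare equal.
function normalizeToken(raw: string): string {
  return raw.toUpperCase().replace(/[()\[\]{}\s]/g, "");
}

// Write side: a settings-card list is comma- or newline-separated text.
// Tokens are normalized before they are stored, so reads can compare directly.
function parsePolicyInput(text: string): string[] {
  return text.split(/[,\n]/).map(normalizeToken).filter((t) => t.length > 0);
}

// Read side: split an SPDX-style expression on OR, AND, ",", "/" and ";".
// No precedence and no WITH handling, matching the page's stated simplification.
function splitExpression(expr: string): string[] {
  return expr.split(/\s+(?:OR|AND)\s+|[,\/;]/i).map(normalizeToken).filter((t) => t.length > 0);
}

// Lower rank is more permissive; used to pick the verdict for an expression.
const RANK: Record<Verdict, number> = { pass: 0, warn: 1, block: 2 };

function classifyToken(token: string, policy: LicensePolicy): Classification {
  const inList = (list: string[]) => list.some((entry) => normalizeToken(entry) === token);
  if (inList(policy.blocked)) return { verdict: "block", reason: `${token} is on the blocked list` };
  if (inList(policy.warned)) return { verdict: "warn", reason: `${token} is on the warned list` };
  if (inList(policy.allowed)) return { verdict: "pass", reason: `${token} is on the allowed list` };
  // Not on any of the three lists: the default verdict decides.
  return policy.defaultVerdict === "pass"
    ? { verdict: "pass", reason: `${token} is not on any list; default policy permits unknowns` }
    : { verdict: "warn", reason: `${token} is not on any list; strict default requires it to be allowed` };
}

function classifyLicense(license: string | null | undefined, policy: LicensePolicy = DEFAULT_POLICY): Classification {
  // No license metadata at all: the result depends on the default verdict.
  if (license === null || license === undefined || license.trim() === "") {
    return policy.defaultVerdict === "pass"
      ? { verdict: "pass", reason: "No license metadata; default policy permits unknowns" }
      : { verdict: "warn", reason: "No license metadata" };
  }
  // Most permissive verdict wins: any one license satisfies an OR expression.
  // Because AND is split the same way, "MIT AND GPL-3.0" also yields pass.
  let best: Classification | undefined;
  for (const token of splitExpression(license)) {
    const c = classifyToken(token, policy);
    if (best === undefined || RANK[c.verdict] < RANK[best.verdict]) best = c;
  }
  // An expression that normalizes to nothing (e.g. "()") is treated as missing metadata.
  return best ?? classifyLicense(null, policy);
}

// Strict variant of the defaults, for comparison: unknowns become warn.
const STRICT_POLICY: LicensePolicy = { ...DEFAULT_POLICY, defaultVerdict: "warn" };
```

Under the default policy a GPL-2.0 WITH Classpath-exception-2.0 dependency comes back green, not because the exception was understood but because the whole unrecognized token fell through to the permissive default; switching default_verdict to warn is what makes such gaps visible as amber chips.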

Configure your policy

Open /dashboard/settings and find the License policy card. Each list is a comma- or newline-separated input: paste SPDX identifiers and hit save. The row is upserted and the dashboard, libraries, and settings pages all revalidate, so the new verdicts show up immediately.

The change is recorded as a license_policy.updated audit event with the before/after diff, so you can see in the activity feed who tightened the policy and when.

What violations look like

Each library's dependency list runs every package through the classifier and labels the row with a colored license chip:

  • green — pass (allowed, or permissive default).
  • amber — warn (on the warned list, or unknown under a strict default). The chip's tooltip explains why ("GPL-3.0 is a copyleft license", etc.).
  • red — block (on the blocked list).

License verdicts surface alongside vulnerability findings, so a single row can carry both signals without you having to flip pages.