Enforce license compliance with Enterprise Policy Management

You can now use package license data in Enterprise Policy Management (EPM) to create policies based on a package’s software license. This lets you automatically govern license usage in line with your organization’s policies, giving you direct control over which packages are approved for use in your software supply chain.

Why it matters

With license data now integrated into EPM, you can meet organizational and regulatory requirements, reduce manual review, and block packages with licenses that don’t align with your compliance policies, such as strong copyleft licenses that can create obligations affecting your proprietary code:

package cloudsmith

# `if` and `in` are keywords by default in OPA v1; this import makes the
# policy parse on older OPA versions as well
import rego.v1

default match := false

# Expanded list of SPDX identifiers and common free-text variants
# (compared in lower case against the package's SPDX identifier)
copyleft := {
    "gpl-3.0", "gplv3", "gplv3+", "gpl-3.0-only", "gpl-3.0-or-later",
    "gpl-2.0", "gpl-2.0-only", "gpl-2.0-or-later", "gplv2", "gplv2+",
    "lgpl-3.0", "lgpl-2.1", "lgpl",
    "agpl-3.0", "agpl-3.0-only", "agpl-3.0-or-later", "agpl",
    "apache-1.1", "cpol-1.02", "ngpl", "osl-3.0", "qpl-1.0", "sleepycat",
    "gnu general public license"
}

# Main policy rule: matches when the package's SPDX identifier contains any
# entry of the set as a substring, so license expressions such as
# "MIT OR GPL-2.0" match too. If the package carries no license data the
# rule is undefined and the default (false) applies.
match if {
    lower_license := lower(input.v0.package.license.oss_license.spdx_identifier)
    some l in copyleft
    contains(lower_license, l)
}
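To see how the rule above behaves before rolling it out, here is an added Python harness (not Cloudsmith's code) that mirrors the policy's matching logic and runs it over constructed package documents following the policy's input path; the exact shape of the EPM input document is an assumption taken from that path.

```python
from typing import Any, Optional

# Same set as the Rego policy: lower-cased SPDX identifiers and free-text variants.
COPYLEFT = {
    "gpl-3.0", "gplv3", "gplv3+", "gpl-3.0-only", "gpl-3.0-or-later",
    "gpl-2.0", "gpl-2.0-only", "gpl-2.0-or-later", "gplv2", "gplv2+",
    "lgpl-3.0", "lgpl-2.1", "lgpl",
    "agpl-3.0", "agpl-3.0-only", "agpl-3.0-or-later", "agpl",
    "apache-1.1", "cpol-1.02", "ngpl", "osl-3.0", "qpl-1.0", "sleepycat",
    "gnu general public license",
}

# Field path the policy reads: input.v0.package.license.oss_license.spdx_identifier
LICENSE_PATH = ("v0", "package", "license", "oss_license", "spdx_identifier")


def spdx_identifier(doc: dict) -> Optional[str]:
    """Return the SPDX identifier, or None when any level of the path is missing.
    In Rego a missing field leaves the rule undefined, so `default match := false` wins."""
    node: Any = doc
    for key in LICENSE_PATH:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node if isinstance(node, str) else None


def match(doc: dict) -> bool:
    """Mirror of the `match` rule: case-fold, then substring test against COPYLEFT."""
    ident = spdx_identifier(doc)
    if ident is None:
        return False
    lowered = ident.lower()
    return any(entry in lowered for entry in COPYLEFT)


def make_input(spdx: Optional[str]) -> dict:
    """Constructed EPM-style input document (shape assumed from the policy's field path)."""
    license_block = {"oss_license": {"spdx_identifier": spdx}} if spdx is not None else {}
    return {"v0": {"package": {"name": "example-pkg", "license": license_block}}}


if __name__ == "__main__":
    # "MIT OR GPL-2.0" is blocked too: contains() is a substring test, so dual-license
    # expressions match as well, which is usually the intent of a deny rule.
    for spdx in ("GPL-3.0-only", "LGPL-2.1-or-later", "MIT", "Apache-2.0", "MIT OR GPL-2.0", None):
        print(f"{spdx!r:>22} -> blocked={match(make_input(spdx))}")
```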

License data is currently supported for specific package formats.

Learn more about Enterprise Policy Management and contact us if you have any questions or feedback on this feature.
