---
title: "Enforce Open Source License Compliance with Enterprise Policy Management"
description: "Use Cloudsmith's Enterprise Policy Management (EPM) to automatically enforce license compliance policies. Block packages with non-compliant licenses, such as strong copyleft, to secure your software supply chain and reduce legal risk."
canonical_url: "https://cloudsmith.com/changelog/enforce-license-compliance-with-enterprise-policy-management"
last_updated: "2025-07-29T08:07:51.825Z"
---
# Enforce Open Source License Compliance with Enterprise Policy Management

You can now use package license data in [Enterprise Policy Management](https://help.cloudsmith.io/docs/enterprise-policy-management) (EPM) to create policies based on a package’s software license. This lets you automatically govern license usage in line with your organization’s policies, giving you direct control over which packages are approved for use in your software supply chain.

## Why it matters

With license data now integrated into EPM, you can meet organizational and regulatory requirements, reduce manual review, and block packages with licenses that don’t align with your compliance policies, such as strong copyleft licenses that can create obligations affecting your proprietary code:

```json
{
  "_key": "fbc8b4b55dba",
  "_type": "code",
  "code": "package cloudsmith\n\ndefault match := false\n\n# Expanded list of SPDX identifiers and common free-text variants\ncopyleft := {\n    \"gpl-3.0\", \"gplv3\", \"gplv3+\", \"gpl-3.0-only\", \"gpl-3.0-or-later\",\n    \"gpl-2.0\", \"gpl-2.0-only\", \"gpl-2.0-or-later\", \"gplv2\", \"gplv2+\",\n    \"lgpl-3.0\", \"lgpl-2.1\", \"lgpl\", \n    \"agpl-3.0\", \"agpl-3.0-only\", \"agpl-3.0-or-later\", \"agpl\",\n    \"apache-1.1\", \"cpol-1.02\", \"ngpl\", \"osl-3.0\", \"qpl-1.0\", \"sleepycat\",\n    \"gnu general public license\"\n}\n\n# Main policy rule\nmatch if {\n    lower_license := lower(input.v0.package.license.oss_license.spdx_identifier)\n    some l in copyleft\n    contains(lower_license, l)\n}",
  "filename": null,
  "language": "rego",
  "markDefs": null
}
```

License data is currently supported for [specific package formats](https://help.cloudsmith.io/docs/license-policy).

Learn more about [**Enterprise Policy Management**](https://help.cloudsmith.io/docs/enterprise-policy-management-rego-recipes#recipe-5-compare-software-package-license-to-a-list-of-copyleft-licenses) and [**contact us**](/company/contact-us) if you have any questions or feedback on this feature.
