License compliance scanning is available on all paid plans.
Every time you test your projects, either with the CLI or from our app, they are scanned not only for vulnerabilities but also for license compliance. This covers all of your direct and indirect dependencies. Snyk scans your manifest files, identifies the license of each dependency against the SPDX license list, and reports any license that violates your policy.
The full list of supported licenses, together with the default severities we configure out of the box, can be viewed in our app, and an admin of each of your organizations can customize the policy there. If your policy is the same across all organizations, configure it once and then duplicate that organization. Alternatively, contact support and we’re happy to help.
By default we determine the severity of licenses in the following way:
High severity - licenses that definitely present issues for commercial software.
Medium severity - licenses that have clauses that may be of concern and should be reviewed.
To ease onboarding of your developers, we recommend that your teams review these defaults, update the severities, and add per-license instructions based on the policies set by your Legal team. Once updated, whenever Snyk detects a license violation it displays it to all users in the organization, both in the project area of our UI and in the CLI `snyk test` results, in the same way as a security vulnerability, including the severity and instructions you configured.
An inventory of your licenses
Within the Reports area you can view an inventory of all licenses across all your projects. Snyk also lists packages that have dual or multiple licenses. See here for more information.