As well as monitoring your vulnerability status, Snyk can help you with your license compliance if you are on any paid plan (Standard, Pro or Enterprise) by reporting on the licenses used by your dependencies. License data is inferred from the package’s manifest file, pulled from the central repository, which we then compare against SPDX’s license standards.

Creating a license policy

Snyk lets you create a custom license policy for each of your organisations. If the license feature in enabled on your organisation, you can access the policy in your organisation’s settings area.

For each license, you can select which license types you would like to trigger a violation, and the severity you’d like to set it to.

Updating a license policy.

When Snyk detects a license violation it will display it in your project or in the cli snyk test results, in the same way as a security vulnerability.

License issues on a project.

An inventory of your licenses

Within the reports section you can view an inventory of all of your licenses across all your projects. Snyk also lists packages that have dual licenses and multiple licenses.

You can filter and export this data as a CSV.

License inventory screen.