GitHub Enhances Open-Source License Compliance with New Feature
GitHub rolls out a new License Compliance tool in public preview to help organizations manage open-source dependencies and prevent costly license violations.

GitHub has introduced a new feature, License Compliance, currently in public preview for its Advanced Security customers. This tool is designed to streamline the management of open-source dependencies within organizations, proactively identifying potential license violations and ensuring adherence to internal compliance policies. The feature aims to mitigate the risks of legal disputes and reputational damage that can arise from non-compliance with open-source licenses.
The License Compliance feature allows organizations to review new dependencies introduced in pull requests. It verifies that these dependencies comply with established organizational policies and provides a mechanism to approve new licenses or specific package exceptions when necessary. GitHub Enterprise Cloud customers with an active GitHub Advanced Security (GHAS) Code Security license can use this tool across their repositories. "Nearly all software carries some kind of license agreement," explained Jeff Luszcz and Eric Sorenson, Product Managers at GitHub. "The license gives you permission to use a project, provided you comply with its obligations. Those obligations may be as simple as giving credit to the original author in your documentation, or they may require you to distribute all your source code when shipping your program."
GitHub emphasizes that organizations unable to meet a dependency's license obligations should avoid using it, as replacing it later can incur significant engineering costs. For enterprise software, noncompliance can escalate into costly legal battles and damage a company's reputation. To address this, the feature enables the creation of robust license policies.
GitHub's own Open Source Program Office (OSPO) has been an early adopter, transitioning from internally developed tools to the new License Compliance feature two months prior to its public preview. This early adoption allowed the OSPO team to provide valuable feedback, helping to refine the tool for large enterprises with complex compliance needs. Initially, the OSPO established a policy based on a list of acceptable licenses, such as MIT, Apache 2.0, and BSD-3-Clause, which are common among permissive open-source projects.
The feature was initially rolled out in an 'Evaluate' mode using an organization-wide ruleset. This approach generated annotations in pull requests without blocking merges, allowing developers to familiarize themselves with the new workflow. After approximately a month, most alerts highlighted packages with unusual, missing, or explicitly disallowed licenses. The system scans both direct and indirect dependencies against the organization's defined compliance policies.
When a non-compliant license is detected, the feature raises an alert on the pull request identifying the problematic package. Developers then have the option to remove or replace the dependency. Alternatively, they can submit an exception request if they believe the package should be permitted. This request is then reviewed by the organization's policy review team, who decide whether to approve the package, approve it for a specific repository, or update the overall license policy. Common licenses with low compliance risk can be approved universally, while commercial licenses often require repository-specific approvals tied to team purchases. Package-specific exceptions can also be created for internal software that may lack clear licensing information.
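The policy model the article describes (an allowlist of licenses, repository-specific license approvals, package-specific exceptions, and an 'Evaluate' versus 'Active' mode) can be made concrete with a small evaluator. The following Python is an added illustration written for this page; it is not GitHub's License Compliance implementation, and the policy shape, function names, package names and manifest format are all hypothetical and constructed here. It evaluates both direct and indirect dependencies, treats missing license metadata as a finding rather than silently allowing it, and only blocks the merge in 'Active' mode.

```python
"""Toy license-policy evaluator for a pull request's new dependencies.

Added illustration, not GitHub's own code: policy shape, names and sample
data are hypothetical and constructed for this example.
"""
import json
from dataclasses import dataclass, field, replace
from typing import Dict, List, Optional


@dataclass
class LicensePolicy:
    # Licenses approved everywhere in the organization (permissive ones, typically).
    allowed_licenses: set
    # Licenses approved only for specific repositories, e.g. a commercial
    # license tied to one team's purchase: repo name -> set of license ids.
    repo_license_approvals: Dict[str, set] = field(default_factory=dict)
    # Package-specific exceptions, e.g. internal software with no license
    # metadata: package name -> repo it is approved for, or None for org-wide.
    package_exceptions: Dict[str, Optional[str]] = field(default_factory=dict)
    # "evaluate" annotates the pull request only; "active" also blocks merging.
    mode: str = "evaluate"


@dataclass
class Dependency:
    name: str
    license_id: Optional[str]  # None when the package carries no license metadata
    direct: bool               # False for transitive (indirect) dependencies


@dataclass
class Finding:
    package: str
    license_id: Optional[str]
    reason: str
    direct: bool


def parse_manifest(text: str) -> List[Dependency]:
    """Parse a constructed, lockfile-like JSON document into Dependency objects."""
    return [
        Dependency(e["name"], e.get("license"), e.get("direct", False))
        for e in json.loads(text)["dependencies"]
    ]


def evaluate_dependency(dep: Dependency, policy: LicensePolicy, repo: str) -> Optional[Finding]:
    """Return a Finding if the dependency violates policy for this repo, else None."""
    # A package exception (org-wide or for this repo) wins regardless of license metadata.
    if dep.name in policy.package_exceptions:
        scope = policy.package_exceptions[dep.name]
        if scope is None or scope == repo:
            return None
    # Missing license metadata is surfaced as a finding, never treated as approved.
    if dep.license_id is None:
        return Finding(dep.name, None, "no license metadata", dep.direct)
    if dep.license_id in policy.allowed_licenses:
        return None
    if dep.license_id in policy.repo_license_approvals.get(repo, set()):
        return None
    return Finding(dep.name, dep.license_id, "license not approved by policy", dep.direct)


def check_pull_request(deps: List[Dependency], policy: LicensePolicy, repo: str) -> dict:
    """Evaluate every new dependency (direct and indirect) and decide whether to block."""
    findings = [f for f in (evaluate_dependency(d, policy, repo) for d in deps) if f is not None]
    return {"findings": findings, "blocked": policy.mode == "active" and bool(findings)}


# Constructed sample policy and manifest (hypothetical package and license names).
POLICY = LicensePolicy(
    allowed_licenses={"MIT", "Apache-2.0", "BSD-3-Clause"},
    repo_license_approvals={"payments-service": {"Vendor-EULA"}},
    package_exceptions={"internal-auth-lib": None},
)
ACTIVE_POLICY = replace(POLICY, mode="active")

SAMPLE_MANIFEST = json.dumps({"dependencies": [
    {"name": "widget-utils", "license": "MIT", "direct": True},
    {"name": "chart-core", "license": "GPL-3.0-only", "direct": False},
    {"name": "internal-auth-lib", "license": None, "direct": True},
    {"name": "pdf-render-pro", "license": "Vendor-EULA", "direct": True},
    {"name": "unknown-thing", "license": None, "direct": False},
]})


def annotations(repo: str, policy: LicensePolicy = POLICY) -> List[str]:
    """Render the pull-request annotations a developer would see for one repo."""
    result = check_pull_request(parse_manifest(SAMPLE_MANIFEST), policy, repo)
    lines = [
        f"{'direct' if f.direct else 'indirect'} dependency {f.package} "
        f"({f.license_id or 'no license'}): {f.reason}"
        for f in result["findings"]
    ]
    if result["blocked"]:
        lines.append("merge blocked")
    elif result["findings"]:
        lines.append("annotated only (evaluate mode)")
    else:
        lines.append("no findings")
    return lines


if __name__ == "__main__":
    for repo in ("payments-service", "docs-site"):
        print(f"== {repo}\n" + "\n".join(annotations(repo)))
    print("== docs-site (active mode)\n" + "\n".join(annotations("docs-site", ACTIVE_POLICY)))
```

Running it shows the commercial package passing in `payments-service` (where its license is approved) but flagged in `docs-site`, the internal package passing everywhere through its exception, and the GPL and metadata-less packages flagged in both repositories; switching the policy to active mode turns those annotations into a blocked merge, mirroring the Evaluate-to-Active rollout the article describes.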
To expedite the review process, GitHub has organized its license review team across multiple time zones and is establishing a formal service-level agreement, aiming for most license requests to be reviewed within hours. Reviewers receive email notifications and can track pending requests via a dashboard. Procedures are in place for emergency overrides on time-sensitive pull requests, including the ability to temporarily switch a repository from 'Active' to 'Evaluate' mode to allow critical fixes to proceed while license issues are addressed.