License Allowlist (Policy + Starter JSON)

Scope & Intent

  • Apply a minimal, clear software license policy: start WARN, move to ENFORCE after review.
  • Use with your SBOM + license scan step (see book Chapter 3).

Policy (baseline)

  • Allowed (examples): MIT, BSD-2/3, Apache-2.0, ISC
  • Review: MPL-2.0, EPL-2.0, LGPL-2.1/3.0 (case-by-case)
  • Disallowed: GPL-2.0-only, GPL-3.0-only, AGPL-3.0-only (unless legal approves)

Tune these lists with legal counsel. This page is a starter, not legal advice.

Starter allowlist JSON

Save as policy/license-allowlist.json (or download the starter).

{
  "allow": ["MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0", "ISC"],
  "review": ["MPL-2.0", "EPL-2.0", "LGPL-2.1-only", "LGPL-3.0-only"],
  "deny": ["GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"]
}

Makefile integration (pattern)

  • Run your license scan to artifacts/license-scan.txt
  • Gate in WARN mode first; after review, switch to ENFORCE (PROMOTE_BLOCK=1), where any DISALLOWED line in the scan output fails the build

license-scan:
	@python3 scripts/licenses_check.py
	@echo "📜 Wrote artifacts/license-scan.txt"

license-gate: license-scan
	@if [ "$${PROMOTE_BLOCK:-0}" = "1" ]; then \
	  grep -q "DISALLOWED" artifacts/license-scan.txt && \
	  echo "❌ License gate failed (see artifacts/license-scan.txt)" && exit 2 || \
	  echo "✅ License gate passed"; \
	else echo "ℹ️ License gate in WARN mode (set PROMOTE_BLOCK=1 to enforce)"; fi
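A scanner in the shape scripts/licenses_check.py would take, as an added example that is not the book's own script: it evaluates each SBOM component's SPDX id or expression against the allowlist above and emits one verdict-first line per component, so the gate's grep for DISALLOWED only hits real findings. It assumes a CycloneDX-style SBOM; the policy and the SBOM are constructed inline so it runs offline.

```python
import os

# Constructed policy in the shape of policy/license-allowlist.json (json.load() it in practice).
POLICY = {
    "allow": ["MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0", "ISC"],
    "review": ["MPL-2.0", "EPL-2.0", "LGPL-2.1-only", "LGPL-3.0-only"],
    "deny": ["GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"],
}
# Severity order, higher is worse. UNKNOWN outranks REVIEW so an unrecognised id gets a human look.
RANK = {"ALLOWED": 0, "REVIEW": 1, "UNKNOWN": 2, "DISALLOWED": 3}


def classify_id(spdx_id, policy=POLICY):
    """Map one SPDX identifier to a verdict; deny wins over review wins over allow."""
    for verdict, key in (("DISALLOWED", "deny"), ("REVIEW", "review"), ("ALLOWED", "allow")):
        if spdx_id in policy[key]:
            return verdict
    return "UNKNOWN"


def classify_expression(expr, policy=POLICY):
    """SPDX binds AND tighter than OR, so split on OR first: OR keeps the best option (the
    consumer may pick it), AND the worst (every term applies); '(...)' terms fall to UNKNOWN."""
    if " OR " in expr:
        return min((classify_expression(t, policy) for t in expr.split(" OR ")), key=RANK.get)
    if " AND " in expr:
        return max((classify_expression(t, policy) for t in expr.split(" AND ")), key=RANK.get)
    return classify_id(expr.strip(), policy)


def scan_sbom(sbom, policy=POLICY):
    """One line per component: '<VERDICT> <name>@<version> <expr>'. Verdict first,
    so the Makefile's grep for DISALLOWED only hits real findings."""
    lines = []
    for comp in sbom.get("components", []):
        ids = [lic.get("expression") or lic.get("license", {}).get("id") or "NOASSERTION"
               for lic in comp.get("licenses", [])]
        expr = " AND ".join(ids) if ids else "NOASSERTION"  # several entries: all apply
        lines.append(f"{classify_expression(expr, policy)} {comp['name']}@{comp.get('version', '?')} {expr}")
    return lines


SBOM = {"components": [  # constructed CycloneDX-style sample, not output of a real scan
    {"name": "left-pad", "version": "1.3.0", "licenses": [{"license": {"id": "MIT"}}]},
    {"name": "dual-lib", "version": "2.0.1", "licenses": [{"expression": "MIT OR GPL-3.0-only"}]},
    {"name": "copyleft-tool", "version": "0.9.0", "licenses": [{"expression": "Apache-2.0 AND AGPL-3.0-only"}]},
    {"name": "mystery", "version": "4.2.0", "licenses": []},
]}

if __name__ == "__main__":
    os.makedirs("artifacts", exist_ok=True)
    with open("artifacts/license-scan.txt", "w") as fh:
        fh.write("\n".join(scan_sbom(SBOM)) + "\n")
```

UNKNOWN lines are not blocked by the gate above, so walk through them together with the REVIEW entries at the monthly review.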

Review cadence

  • Monthly review with Security + Legal; exceptions documented and time-boxed.