SOOS allows you to create policies or rules around the packages and licenses you want (or don't want) included in your code.  Once a policy is created, a policy violation warning will be generated any time a scan detects a package that violates the policy.  Manage your open source risk by creating restrictions on the packages and licenses your team is pulling in through the SOOS policy engine. 

  • From your SOOS dashboard, select Governance from the left navigation. 
    • All existing policies will display as a list.  Use the Project dropdown to view global and/or project-level policies.


  • Select the desired policy type from the list, then select '+' to create a new policy.
    • All policies for the selected policy type will display here in a list.
    • For example, to create a policy that generates violations when packages associated with particular licenses are detected, use the License Name policy type.

  • Indicate a name and scope (global or project level) for the policy and select the desired policy definition criteria.
    • For License Name policies only: Define if this will be an 'allow' or 'disallow' policy before setting the policy definition criteria.
      • Create an 'allow' list to identify a distinct list of licenses that are acceptable.  Any license detected that is not in this list will generate a violation.
      • Use a 'disallow' list to identify distinct licenses that are not acceptable.  Any license detected that is within a disallow list will generate a violation.

  • Select the desired severity for violations associated with this policy.
  • Indicate the desired behavior for when the policy is violated.
    • You have the option to "fail the policy" (that is, generate a policy violation issue) when data required to evaluate the policy definition is missing, such as a package with no detected license.
      • You can also opt not to fail on missing data, which is the default selection.

  • Saving a policy will add it to your Governance "All policies" list.  From there, you can always edit or delete the policy.

  • Once a policy is created, SOOS will start to alert you of any policy violations found during subsequent project scans.
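To make the allow/disallow and missing-data semantics above concrete, here is an added example (not SOOS code, and not its policy engine's API) that models a License Name policy and evaluates it against a constructed package inventory; the package names, license strings and the `evaluate` function are assumptions for illustration only.

```python
from dataclasses import dataclass

# Constructed sample inventory from a hypothetical scan: (package, detected license).
# A license of None models the "missing license data" case the policy can fail on.
SCAN_RESULTS = [
    ("left-pad", "MIT"),
    ("gpl-tool", "GPL-3.0"),
    ("mystery-lib", None),        # no license metadata detected
    ("agpl-server", "AGPL-3.0"),
]


@dataclass(frozen=True)
class LicenseNamePolicy:
    name: str
    mode: str                     # "allow" or "disallow" (set before the criteria)
    licenses: frozenset           # the policy definition criteria
    severity: str = "high"        # severity assigned to each violation
    fail_on_missing: bool = False  # default: do not fail when license data is missing

    def __post_init__(self):
        if self.mode not in ("allow", "disallow"):
            raise ValueError(f"unknown policy mode: {self.mode!r}")


def evaluate(policy, scan_results):
    """Return a list of (package, license, severity, reason) policy violations."""
    violations = []
    for package, license_name in scan_results:
        if license_name is None:
            # Missing data only violates the policy when the policy is set to fail on it.
            if policy.fail_on_missing:
                violations.append((package, None, policy.severity,
                                   f"no license detected ({policy.name})"))
            continue
        if policy.mode == "allow" and license_name not in policy.licenses:
            # Allow list: anything not explicitly permitted is a violation.
            violations.append((package, license_name, policy.severity,
                               f"license not in allow list ({policy.name})"))
        elif policy.mode == "disallow" and license_name in policy.licenses:
            # Disallow list: only the listed licenses are violations.
            violations.append((package, license_name, policy.severity,
                               f"license in disallow list ({policy.name})"))
    return violations


if __name__ == "__main__":
    allow = LicenseNamePolicy("Permissive only", "allow", frozenset({"MIT", "Apache-2.0"}))
    for v in evaluate(allow, SCAN_RESULTS):
        print(v)
```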