SOOS allows you to create policies or rules around the packages and licenses you want (or don't want) included in your code. Once a policy is created, a policy violation warning will be generated any time a scan detects a package that violates the policy. Manage your open source risk by creating restrictions on the packages and licenses your team is pulling in through the SOOS policy engine.
- From your SOOS dashboard, select Governance from the left navigation.
- All existing policies will display as a list. Use the Project dropdown to view global and/or project-level policies.
- Select the desired policy type from the list and click '+' to create a new policy.
- All policies for the selected policy type will display here in a list.
- For example, to create a policy that generates violations when packages associated with particular licenses are detected, use the License Name policy type.
- Indicate a name and scope (global or project level) for the policy and select the desired policy definition criteria.
- For License Name policies only: Define if this will be an 'allow' or 'disallow' policy before setting the policy definition criteria.
  - Create an 'allow' list to identify the distinct licenses that are acceptable. Any license detected that is not in this list will generate a violation.
  - Use a 'disallow' list to identify distinct licenses that are not acceptable. Any license detected that is in the disallow list will generate a violation.
- Select the desired severity for violations associated with this policy.
- Indicate the desired behavior for when the policy is violated.
  - You have the option to "fail the policy" (i.e. generate a policy violation issue) if data related to the policy definition is missing (such as a package with no detected license).
  - You can also opt not to fail on missing data, which is the default selection.
- Saving a policy will add it to your Governance "All policies" list. From there, you can always edit or delete the policy.
- Once a policy is created, SOOS will start to alert you of any policy violations found during subsequent project scans.
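The allow/disallow and missing-license semantics described above, as an added worked example. This is not SOOS code (the SOOS policy engine is configured in the dashboard, not scripted); it models a License Name policy as a small Python class and evaluates it against a constructed scan result, so the difference between an allow list, a disallow list, and the "fail on missing data" option can be seen on concrete packages. The class names, field names, severity labels and sample packages are all assumptions.

```python
"""Model of allow/disallow license policies with configurable handling of
missing license data. Constructed example, not SOOS's own implementation."""
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, List, Optional


class Mode(Enum):
    ALLOW = "allow"        # any detected license NOT in the list is a violation
    DISALLOW = "disallow"  # any detected license IN the list is a violation


@dataclass
class LicensePolicy:
    name: str
    mode: Mode
    licenses: frozenset            # license identifiers, compared case-insensitively
    severity: str = "medium"       # assumed severity label
    fail_on_missing: bool = False  # default per the page: do not fail on missing data

    def __post_init__(self):
        # Normalize once so "MIT" and "mit" are treated as the same license.
        self.licenses = frozenset(l.strip().lower() for l in self.licenses)


@dataclass
class Package:
    name: str
    version: str
    license: Optional[str]  # None models a package for which the scan found no license


@dataclass
class Violation:
    policy: str
    package: str
    severity: str
    reason: str


def evaluate(policy: LicensePolicy, packages: Iterable[Package]) -> List[Violation]:
    """Return one Violation per package that breaks the given policy."""
    found: List[Violation] = []
    for pkg in packages:
        ref = f"{pkg.name}@{pkg.version}"
        if pkg.license is None:
            # Missing data is only a violation when the policy opts to fail on it.
            if policy.fail_on_missing:
                found.append(Violation(policy.name, ref, policy.severity,
                                       "license data missing"))
            continue
        listed = pkg.license.strip().lower() in policy.licenses
        if policy.mode is Mode.ALLOW and not listed:
            found.append(Violation(policy.name, ref, policy.severity,
                                   f"license {pkg.license!r} not in allow list"))
        elif policy.mode is Mode.DISALLOW and listed:
            found.append(Violation(policy.name, ref, policy.severity,
                                   f"license {pkg.license!r} is disallowed"))
    return found


# Constructed scan result (sample data, not output of a real SOOS scan).
SCAN = [
    Package("requests", "2.31.0", "Apache-2.0"),
    Package("flask", "3.0.0", "BSD-3-Clause"),
    Package("some-copyleft-lib", "1.4.2", "GPL-3.0-only"),
    Package("unlabelled-helper", "0.1.0", None),
]

# Allow list: only permissive licenses pass; missing data is tolerated (default).
ALLOW_PERMISSIVE = LicensePolicy(
    "permissive-only", Mode.ALLOW,
    frozenset({"MIT", "Apache-2.0", "BSD-3-Clause"}), severity="high")

# Disallow list: GPL is blocked, and a package with no license data also fails.
BLOCK_GPL = LicensePolicy(
    "no-gpl", Mode.DISALLOW,
    frozenset({"GPL-3.0-only", "GPL-2.0-only"}), severity="critical",
    fail_on_missing=True)


def run_demo():
    """Evaluate both sample policies against the constructed scan."""
    return {p.name: evaluate(p, SCAN) for p in (ALLOW_PERMISSIVE, BLOCK_GPL)}


if __name__ == "__main__":
    for name, violations in run_demo().items():
        print(f"policy {name}: {len(violations)} violation(s)")
        for v in violations:
            print(f"  [{v.severity}] {v.package}: {v.reason}")
```

Running it shows the two behaviours side by side: the allow policy flags only the GPL package and silently skips the unlabelled one, while the disallow policy with `fail_on_missing=True` raises a second violation for the package whose license the scan could not determine.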