Custom License and Keyword Search

Defining custom phrases to be flagged in CI/CD or CLI scans.

FOSSA has quite a large database of licenses, but we can't cover every scenario. Instead, we give you the power to define which strings you'd like to be declared or flagged.

Custom License Scans

Configuring Org-Wide Scans

Starting with the more configurable of the two, Custom License Scans can be set in-app, on app.fossa.com, or through a .fossa.yml configuration file.

Settings configured through the UI will be org-wide, while the config file will limit the scope to that particular project.

Taking a look at the UI, the Custom License Scan page is available from the "Integrations" tab of the Org Settings:

Anything created here will be applied to every scan, org-wide, unless the --ignore-org-wide-custom-license-scan-configs flag is used. This flag can be helpful if the custom scan is holding up your build, for example when you're analyzing an internal project that doesn't need to meet the strict criteria.


When clicking add, you can define a name and match criteria. The match criteria field supports regex, and you can find our extended Regex Syntax documentation here.


Testing Org-Wide Scans

Running fossa analyze will look for matches within your code. If found, the path and line containing the match will be displayed in the Scan Summary:

If you had any Keyword searches configured, this is also where they'd appear.

In FOSSA, we can see that a Custom License was found and reported in our project:

Clicking into the license will reveal the files containing Custom Licenses, and clicking into the files will display matches:

The License Titles will appear in reports, but the contents will not. It's suggested to make the titles as descriptive as possible to ensure those who are looking at the report will understand what the purpose of the identification or declaration is.

Adding Raw License Text

If you'd like the license contents to appear in reports, visit the Licenses tab, then click "Edit" to modify the found licenses. From here, we can edit each license and add Raw License Text, which will appear in a report alongside each license.

The above example is a screenshot of our HTML report. You can see the benefits of including the Raw License Text.

Configuring Project-Scoped Custom License Scans

You can also configure Custom License Scans per-project, by utilizing the .fossa.yml file.

This is good for team-based policies, since it won't be enforced org-wide.

customLicenseSearch:
  - matchCriteria: (?i)this is a proprietary company license
    name: Company License

The above will flag and report Company License in your project when it finds a match for the search criteria.

Keyword Search

Using keyword search is also a great way to get an immediate warning of any matches in the CLI.

You could use this to alert you to sensitive data being leaked. Say you have an API key that you don't want pushed to a public project. Adding the following would show a warning in CLI or CI/CD runs.

experimentalKeywordSearch:
  - matchCriteria: api_key
    name: API Key Found

Which would lead to:

Scan Summary
------------

1 projects scanned;  0 skipped,  1 succeeded,  0 failed,  1 analysis warnings

-
* Keyword Search: succeeded with 2 warnings
  ** API Key Found - /docs/Custom License Scan/path/to/sensitive-file.yml (lines 1-1)

You can pair this with the --output flag, which outputs FOSSA CLI's findings locally, to keep the results entirely offline.
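Before committing a customLicenseSearch or experimentalKeywordSearch rule to .fossa.yml, it helps to preview which files and lines it would hit. The script below is an added example, not FOSSA's own code: it reads the two list keys shown on this page from a constructed .fossa.yml fragment, applies each matchCriteria regex line by line to a constructed set of sample files, and prints a summary in the shape of the Scan Summary above. It assumes Python's re module is close enough to FOSSA's regex syntax for a preview, and that the reported "(lines a-b)" range runs from the first to the last matching line in a file; both are assumptions, not documented FOSSA behaviour.

```python
import re
from typing import Dict, List, Tuple

# Constructed .fossa.yml fragment. Assumption: only the two list keys shown on
# this page are parsed; any other settings in a real file are ignored.
FOSSA_YML = """\
customLicenseSearch:
  - matchCriteria: (?i)this is a proprietary company license
    name: Company License
experimentalKeywordSearch:
  - matchCriteria: api_key
    name: API Key Found
  - matchCriteria: (?i)(RSA|EC|OPENSSH) PRIVATE KEY
    name: Private Key Material
"""

# Constructed sample files standing in for the project being analyzed.
# Values are placeholders, not real credentials.
SAMPLE_FILES = {
    "LICENSE.txt": "Copyright Example Corp.\n"
                   "This Is A Proprietary Company License.\n"
                   "All rights reserved.\n",
    "config/settings.yml": "api_key: REDACTED_PLACEHOLDER\nregion: us-east-1\n",
    "src/main.py": "print('hello')\n",
    "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\n"
                     "PLACEHOLDER\n"
                     "-----END OPENSSH PRIVATE KEY-----\n",
}

Rule = Tuple[str, str]                      # (name, matchCriteria)
Finding = Tuple[str, str, int, int]         # (name, path, first_line, last_line)


def parse_search_config(text: str) -> Dict[str, List[Rule]]:
    """Parse the customLicenseSearch / experimentalKeywordSearch lists.

    Deliberately minimal (no PyYAML dependency): it understands top-level keys
    followed by list items carrying `matchCriteria:` and `name:` only."""
    sections: Dict[str, List[Rule]] = {}
    current = None
    entry: Dict[str, str] = {}

    def flush() -> None:
        # Emit a completed list item, if both of its fields were seen.
        if current is not None and "name" in entry and "matchCriteria" in entry:
            sections[current].append((entry["name"], entry["matchCriteria"]))
        entry.clear()

    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if not line.startswith(" "):        # top-level key, e.g. customLicenseSearch:
            flush()
            current = line.rstrip(":").strip()
            sections[current] = []
            continue
        stripped = line.strip()
        if stripped.startswith("- "):       # start of a new list item
            flush()
            stripped = stripped[2:]
        key, _, value = stripped.partition(":")   # split on the first colon only
        entry[key.strip()] = value.strip()
    flush()
    return sections


def scan_files(config: Dict[str, List[Rule]],
               files: Dict[str, str]) -> Dict[str, List[Finding]]:
    """Apply every rule to every file, one line at a time (assumption: FOSSA
    matches per line too). Line numbers are 1-based like the Scan Summary."""
    findings: Dict[str, List[Finding]] = {}
    for section, rules in config.items():
        hits: List[Finding] = []
        for name, pattern in rules:
            regex = re.compile(pattern)
            for path, content in files.items():
                matched = [n for n, text in enumerate(content.splitlines(), 1)
                           if regex.search(text)]
                if matched:
                    hits.append((name, path, matched[0], matched[-1]))
        findings[section] = hits
    return findings


def format_summary(findings: Dict[str, List[Finding]]) -> str:
    """Render findings in the style of the CLI's Scan Summary block."""
    out = ["Scan Summary", "------------"]
    for section, hits in findings.items():
        out.append(f"* {section}: {len(hits)} warning(s)")
        for name, path, first, last in hits:
            out.append(f"  ** {name} - {path} (lines {first}-{last})")
    return "\n".join(out)


if __name__ == "__main__":
    print(format_summary(scan_files(parse_search_config(FOSSA_YML), SAMPLE_FILES)))
```

Running it prints one warning for the Company License rule (LICENSE.txt, line 2, matched case-insensitively thanks to the (?i) prefix) and two for the keyword rules. Iterate on the matchCriteria here until the preview reports only what you intend, then run fossa analyze; an over-broad keyword such as a bare word will otherwise flood the Scan Summary with noise.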


Expanded Documentation

Prefer a detailed explanation?