Overview

A policy in FOSSA is a collection of rules that controls which issues are created in your project for the licenses and dependencies (projects) it uses. You can think of a policy as a license firewall for your project.

Rules

A rule is a restriction on a license or a project (dependency). You can deny, flag, or approve any license or dependency that may be used in your project.

DENY:
When you deny a dependency or license, the issue scanners create an issue whenever it is included in your project, and that issue requires the license or dependency to be removed. Example:

[Image: Deny rules example]

FLAG:
When you flag a dependency or license, the issue scanners create an issue whenever it is included in your project, and that issue requires manual approval. Example:

[Image: Flag rules example]

APPROVE:
When you approve a dependency or license, the issue scanners never create issues for it, even when it is included in your project. Example:

[Image: Approve rules example]
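The three rule kinds above, as an added worked example that is not FOSSA's scanner or any of its code: a small Python model that evaluates deny, flag and approve rules against a dependency list and reports the issues they would raise. The precedence used here (a project rule decides the whole dependency; otherwise the strictest matching license rule wins, and each declared license is judged on its own) and the `default_action` knob for licenses no rule mentions are assumptions of this model, not documented FOSSA behaviour, and the policy and dependency list are constructed sample data.

```python
"""Illustrative model of deny / flag / approve rules (not FOSSA's scanner)."""
from dataclasses import dataclass
from typing import Iterable, List, Optional

DENY, FLAG, APPROVE = "deny", "flag", "approve"
# When several rules hit the same target, the strictest one wins
# (model assumption; the page does not state FOSSA's precedence).
_STRICTNESS = {DENY: 0, FLAG: 1, APPROVE: 2}


@dataclass(frozen=True)
class Rule:
    action: str   # DENY, FLAG or APPROVE
    target: str   # "license" or "project" (a dependency)
    value: str    # SPDX id for a license, locator for a project


@dataclass(frozen=True)
class Dependency:
    name: str          # locator, e.g. "npm+lodash" (hypothetical format)
    licenses: tuple    # declared licenses as SPDX ids


@dataclass(frozen=True)
class Issue:
    dependency: str
    matched: str       # the license or project the rule matched on
    action: str        # DENY -> must be removed; FLAG -> needs manual approval


def _strictest(rules: Iterable[Rule]) -> Optional[Rule]:
    rules = list(rules)
    return min(rules, key=lambda r: _STRICTNESS[r.action]) if rules else None


def evaluate(policy: List[Rule], deps: Iterable[Dependency],
             default_action: Optional[str] = None) -> List[Issue]:
    """Return the issues the policy raises for the given dependencies.

    default_action applies to licenses no rule mentions: None leaves them
    alone, FLAG turns the policy into a default-deny license firewall.
    """
    issues: List[Issue] = []
    for dep in deps:
        # A project rule is the most specific match: it decides the whole dependency.
        project_rule = _strictest(r for r in policy
                                  if r.target == "project" and r.value == dep.name)
        if project_rule is not None:
            if project_rule.action != APPROVE:
                issues.append(Issue(dep.name, dep.name, project_rule.action))
            continue
        # Otherwise every declared license is judged on its own: an APPROVE
        # silences only that license, a DENY on any license raises an issue.
        for lic in dep.licenses:
            rule = _strictest(r for r in policy
                              if r.target == "license" and r.value == lic)
            action = rule.action if rule is not None else default_action
            if action in (DENY, FLAG):
                issues.append(Issue(dep.name, lic, action))
    return issues


# Constructed sample policy and dependency list (not from any real project).
SAMPLE_POLICY = [
    Rule(DENY, "license", "AGPL-3.0-only"),
    Rule(FLAG, "license", "LGPL-2.1-only"),
    Rule(APPROVE, "license", "MIT"),
    Rule(APPROVE, "license", "Apache-2.0"),
    Rule(APPROVE, "project", "npm+internal-fork"),  # exempt one dependency entirely
]
SAMPLE_DEPS = [
    Dependency("npm+lodash", ("MIT",)),
    Dependency("pip+some-agpl-tool", ("AGPL-3.0-only",)),
    Dependency("mvn+dual-licensed", ("MIT", "LGPL-2.1-only")),
    Dependency("npm+internal-fork", ("AGPL-3.0-only",)),
    Dependency("go+unknown-lib", ("BSD-3-Clause",)),
]

if __name__ == "__main__":
    for issue in evaluate(SAMPLE_POLICY, SAMPLE_DEPS, default_action=FLAG):
        need = "remove" if issue.action == DENY else "manual approval"
        print(f"{issue.dependency}: {issue.matched} -> {need}")
```

Run as a script it lists the dependencies that would need removal or manual approval; with `default_action=None` the unlisted BSD-3-Clause dependency passes silently, with `default_action=FLAG` it is surfaced for review, which is the behaviour you want from a firewall whose allow-list is incomplete.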

Pre-installed Policies

FOSSA ships with three standard, editable policies that were drafted with industry lawyers. Many customers rely on them out of the box:

1) Standard Bundle Distribution: Recommended for software deployed on-premises, e.g. Apache Hadoop.

2) Single-Binary Distribution: Recommended for embedded software, e.g. a mobile app.

3) Website/Hosted Service: Recommended for websites and hosted services, e.g. fossa.io.

Customizing Policies

You can create or manage your own policies through the policies page.

To create a policy, click the CREATE POLICY button in the policies section.

Fill out a title and description. You can optionally choose a template to start this policy with.

To add a rule, click the Add Rule button above the Deny, Flag for Review, or Approve panel.

Choose whether the rule applies to a license or a project (dependency), then fill in the license or project it applies to.

Switching projects over to a new policy

🚧

Important note about .fossa.yml files

Currently, once a project has been created, changing the policy: field in its .fossa.yml file will not change the project's policy; the reasons for this are addressed in the FAQ.

To update the policy, access the project settings for the project you would like to update.

[Image: A screenshot of the FOSSA project summary page, with a red circle highlighting the Settings tab]

Then, select the Issues tab within the settings navigation bar.

[Image: A screenshot of the FOSSA project settings, with the Issues settings opened, as well as the button to access the Issues setting circled in red]

Then scroll down and select the appropriate policy or policies for your project.

[Image: A screenshot of the FOSSA project settings, showing the selection menus for various scan policies]