License Scanning
Trivy scans any container image for license files and offers an opinionated view on the risk associated with the license.
License are classified using the Google License Classification -
- Forbidden
- Restricted
- Reciprocal
- Notice
- Permissive
- Unencumbered
- Unknown
Tip
Licenses that Trivy fails to recognize are classified as UNKNOWN. As those licenses may be in violation, it is recommended to check those unknown licenses as well.
By default, Trivy scans licenses for packages installed by apk
, apt-get
, dnf
, npm
, pip
, gem
, etc.
To enable extended license scanning, you can use --license-full
.
In addition to package licenses, Trivy scans source code files, Markdown documents, text files and LICENSE
documents to identify license usage within the image or filesystem.
Note
The full license scanning is expensive. It takes a while.
Currently, the standard license scanning doesn't support filesystem and repository scanning.
License scnanning | Image | Rootfs | Filesystem | Repository |
---|---|---|---|---|
Standard | ✅ | ✅ | - | - |
Full (--license-full) | ✅ | ✅ | ✅ | ✅ |
License checking classifies the identified licenses and map the classification to severity.
Classification | Severity |
---|---|
Forbidden | CRITICAL |
Restricted | HIGH |
Reciprocal | MEDIUM |
Notice | LOW |
Permissive | LOW |
Unencumbered | LOW |
Unknown | UNKNOWN |
Quick start
This section shows how to scan license in container image and filesystem.
Standard scanning
Specify an image name with --security-cheks license
.
$ trivy image --security-checks license --severity UNKNOWN,HIGH,CRITICAL alpine:3.15
2022-07-13T17:28:39.526+0300 INFO License scanning is enabled
OS Packages (license)
=====================
Total: 6 (UNKNOWN: 0, HIGH: 6, CRITICAL: 0)
┌───────────────────┬─────────┬────────────────┬──────────┐
│ Package │ License │ Classification │ Severity │
├───────────────────┼─────────┼────────────────┼──────────┤
│ alpine-baselayout │ GPL-2.0 │ Restricted │ HIGH │
├───────────────────┤ │ │ │
│ apk-tools │ │ │ │
├───────────────────┤ │ │ │
│ busybox │ │ │ │
├───────────────────┤ │ │ │
│ musl-utils │ │ │ │
├───────────────────┤ │ │ │
│ scanelf │ │ │ │
├───────────────────┤ │ │ │
│ ssl_client │ │ │ │
└───────────────────┴─────────┴────────────────┴──────────┘
Full scanning
Specify --license-full
$ trivy image --security-checks license --severity UNKNOWN,HIGH,CRITICAL --license-full grafana/grafana
2022-07-13T17:48:40.905+0300 INFO Full license scanning is enabled
OS Packages (license)
=====================
Total: 20 (UNKNOWN: 9, HIGH: 11, CRITICAL: 0)
┌───────────────────┬───────────────────┬────────────────┬──────────┐
│ Package │ License │ Classification │ Severity │
├───────────────────┼───────────────────┼────────────────┼──────────┤
│ alpine-baselayout │ GPL-2.0 │ Restricted │ HIGH │
├───────────────────┤ │ │ │
│ apk-tools │ │ │ │
├───────────────────┼───────────────────┤ │ │
│ bash │ GPL-3.0 │ │ │
├───────────────────┼───────────────────┼────────────────┼──────────┤
│ keyutils-libs │ GPL-2.0 │ Restricted │ HIGH │
│ ├───────────────────┼────────────────┼──────────┤
│ │ LGPL-2.0-or-later │ Non Standard │ UNKNOWN │
├───────────────────┼───────────────────┤ │ │
│ libaio │ LGPL-2.1-or-later │ │ │
├───────────────────┼───────────────────┼────────────────┼──────────┤
│ libcom_err │ GPL-2.0 │ Restricted │ HIGH │
│ ├───────────────────┼────────────────┼──────────┤
│ │ LGPL-2.0-or-later │ Non Standard │ UNKNOWN │
├───────────────────┼───────────────────┼────────────────┼──────────┤
│ tzdata │ Public-Domain │ Non Standard │ UNKNOWN │
└───────────────────┴───────────────────┴────────────────┴──────────┘
Loose File License(s) (license)
===============================
Total: 6 (UNKNOWN: 4, HIGH: 0, CRITICAL: 2)
┌────────────────┬──────────┬──────────────┬──────────────────────────────────────────────────────────────┐
│ Classification │ Severity │ License │ File Location │
├────────────────┼──────────┼──────────────┼──────────────────────────────────────────────────────────────┤
│ Forbidden │ CRITICAL │ AGPL-3.0 │ /usr/share/grafana/LICENSE │
│ │ │ │ │
│ │ │ │ │
├────────────────┼──────────┼──────────────┼──────────────────────────────────────────────────────────────┤
│ Non Standard │ UNKNOWN │ BSD-0-Clause │ /usr/share/grafana/public/build/5069.d6aae9dd11d49c741a80.j- │
│ │ │ │ s.LICENSE.txt │
│ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ │ │ /usr/share/grafana/public/build/6444.d6aae9dd11d49c741a80.j- │
│ │ │ │ s.LICENSE.txt │
│ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ │ │ /usr/share/grafana/public/build/7889.d6aae9dd11d49c741a80.j- │
│ │ │ │ s.LICENSE.txt │
│ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ │ │ /usr/share/grafana/public/build/canvasPanel.d6aae9dd11d49c7- │
│ │ │ │ 41a80.js.LICENSE.txt │
└────────────────┴──────────┴──────────────┴──────────────────────────────────────────────────────────────┘
Configuration
Trivy has number of configuration flags for use with license scanning;
Ignored Licenses
Trivy license scanning can ignore licenses that are identified to explicitly remove them from the results using the --ignored-licenses
flag;
$ trivy image --security-checks license --ignored-licenses MPL-2.0,MIT --severity LOW grafana/grafana:latest
2022-07-13T18:15:28.605Z INFO License scanning is enabled
OS Packages (license)
=====================
Total: 2 (HIGH: 2, CRITICAL: 0)
┌───────────────────┬─────────┬────────────────┬──────────┐
│ Package │ License │ Classification │ Severity │
├───────────────────┼─────────┼────────────────┼──────────┤
│ alpine-baselayout │ GPL-2.0 │ Restricted │ HIGH │
├───────────────────┤ │ │ │
│ ssl_client │ │ │ │
└───────────────────┴─────────┴────────────────┴──────────┘
Custom Classification
You can generate the default config by the --generate-default-config
flag and customize the license classification.
For example, if you want to forbid only AGPL-3.0, you can leave it under forbidden
and move other licenses to another classification.
$ trivy image --generate-default-config
$ vim trivy.yaml
license:
forbidden:
- AGPL-3.0
restricted:
- AGPL-1.0
- CC-BY-NC-1.0
- CC-BY-NC-2.0
- CC-BY-NC-2.5
- CC-BY-NC-3.0
- CC-BY-NC-4.0
- CC-BY-NC-ND-1.0
- CC-BY-NC-ND-2.0
- CC-BY-NC-ND-2.5
- CC-BY-NC-ND-3.0
- CC-BY-NC-ND-4.0
- CC-BY-NC-SA-1.0
- CC-BY-NC-SA-2.0
- CC-BY-NC-SA-2.5
- CC-BY-NC-SA-3.0
- CC-BY-NC-SA-4.0
- Commons-Clause
- Facebook-2-Clause
- Facebook-3-Clause
- Facebook-Examples
- WTFPL
- BCL
- CC-BY-ND-1.0
- CC-BY-ND-2.0
- CC-BY-ND-2.5
- CC-BY-ND-3.0
- CC-BY-ND-4.0
- CC-BY-SA-1.0
- CC-BY-SA-2.0
- CC-BY-SA-2.5
- CC-BY-SA-3.0
- CC-BY-SA-4.0
- GPL-1.0
- GPL-2.0
- GPL-2.0-with-autoconf-exception
- GPL-2.0-with-bison-exception
- GPL-2.0-with-classpath-exception
- GPL-2.0-with-font-exception
- GPL-2.0-with-GCC-exception
- GPL-3.0
- GPL-3.0-with-autoconf-exception
- GPL-3.0-with-GCC-exception
- LGPL-2.0
- LGPL-2.1
- LGPL-3.0
- NPL-1.0
- NPL-1.1
- OSL-1.0
- OSL-1.1
- OSL-2.0
- OSL-2.1
- OSL-3.0
- QPL-1.0
- Sleepycat
reciprocal:
- APSL-1.0
- APSL-1.1
- APSL-1.2
- APSL-2.0
- CDDL-1.0
- CDDL-1.1
- CPL-1.0
- EPL-1.0
- EPL-2.0
- FreeImage
- IPL-1.0
- MPL-1.0
- MPL-1.1
- MPL-2.0
- Ruby
notice:
- AFL-1.1
- AFL-1.2
- AFL-2.0
- AFL-2.1
- AFL-3.0
- Apache-1.0
- Apache-1.1
- Apache-2.0
- Artistic-1.0-cl8
- Artistic-1.0-Perl
- Artistic-1.0
- Artistic-2.0
- BSL-1.0
- BSD-2-Clause-FreeBSD
- BSD-2-Clause-NetBSD
- BSD-2-Clause
- BSD-3-Clause-Attribution
- BSD-3-Clause-Clear
- BSD-3-Clause-LBNL
- BSD-3-Clause
- BSD-4-Clause
- BSD-4-Clause-UC
- BSD-Protection
- CC-BY-1.0
- CC-BY-2.0
- CC-BY-2.5
- CC-BY-3.0
- CC-BY-4.0
- FTL
- ISC
- ImageMagick
- Libpng
- Lil-1.0
- Linux-OpenIB
- LPL-1.02
- LPL-1.0
- MS-PL
- MIT
- NCSA
- OpenSSL
- PHP-3.01
- PHP-3.0
- PIL
- Python-2.0
- Python-2.0-complete
- PostgreSQL
- SGI-B-1.0
- SGI-B-1.1
- SGI-B-2.0
- Unicode-DFS-2015
- Unicode-DFS-2016
- Unicode-TOU
- UPL-1.0
- W3C-19980720
- W3C-20150513
- W3C
- X11
- Xnet
- Zend-2.0
- zlib-acknowledgement
- Zlib
- ZPL-1.1
- ZPL-2.0
- ZPL-2.1
unencumbered:
- CC0-1.0
- Unlicense
- 0BSD
permissive: []