aquasecurity/trivy
License scanning
Active contributors: knqyf263, DmitriyLewen
Purpose
License scanning identifies the license of every detected dependency and surfaces ones that conflict with a configured allow/deny policy. It pulls license declarations from package metadata where possible (e.g., package.json license field, .gemspec, Maven POM, RPM headers, dpkg copyright) and falls back to a license classifier when the metadata is missing or ambiguous.
How it works
Two analyzers feed license data:
- Package-manager analyzers — most language and OS analyzers populate the
Licensefield of each detected package directly from manifest data. For example, thenpmanalyzer readslicensefrompackage-lock.jsonlockfile entries. - License-file analyzer (
pkg/fanal/analyzer/licensing/) — explicitly runs a classifier over license files in the repository (LICENSE,LICENSE.txt,COPYING, etc.).
The license classifier in pkg/licensing/ is a thin wrapper around google/licenseclassifier. Behind the --license-full flag the classifier scans the entire content of each candidate license file for higher accuracy at the cost of speed.
graph LR
Walker[fanal walker] --> PkgA[package analyzers]
Walker --> LicA[license-file analyzer]
PkgA -->|License from manifest| Pkg[Package.License]
LicA --> Classifier[google/licenseclassifier]
Classifier --> Norm[license normalization]
Pkg --> Norm
Norm --> Filter[allowed/denied policy]
Filter --> Result[Result.Licenses]pkg/licensing/ also normalizes license strings into SPDX identifiers where possible (Apache 2.0 → Apache-2.0).
Configuration
| Flag | Purpose |
|---|---|
--scanners license |
Enable license scanning. |
--license-full |
Classify the full file content (slower, more accurate). |
--license-confidence-level |
Minimum confidence for the classifier (0.0–1.0). |
--ignored-licenses |
Licenses to suppress. |
--license-categories |
Restrict severity per category. The flag layer in pkg/flag/license_flags.go exposes forbidden, restricted, reciprocal, notice, permissive, unencumbered, unknown. |
The category-to-severity mapping is built into pkg/licensing/; users typically tune --ignored-licenses rather than changing categories.
Output
License findings live in types.Result.Licenses. Each carries:
Severity(HIGH,MEDIUM,LOW,UNKNOWN).Category(forbidden,restricted,reciprocal,notice,permissive,unencumbered,unknown).PkgNameandFilePathfor the source.Name(the license identifier).Confidence(0.0–1.0 from the classifier when applicable).
Integration points
- fanal — both analyzer kinds (package-manager and license-file) are regular analyzers.
- Vulnerability scanning — packages discovered by language analyzers are also the source of license data.
- SBOM — licenses are carried in CycloneDX/SPDX output.
Entry points for modification
- Change a category mapping —
pkg/licensing/has the SPDX-to-category table. - Improve classification —
pkg/fanal/analyzer/licensing/controls how license files are detected and read. - Add a built-in license — typically not required: SPDX is the source of truth; new licenses come from
licenseclassifierupstream.
Key source files
| File | Purpose |
|---|---|
pkg/licensing/ |
Classifier wrapper, normalization, category mapping. |
pkg/fanal/analyzer/licensing/ |
License-file analyzer. |
pkg/fanal/analyzer/language/<lang>/ |
Per-language manifest license extraction. |
pkg/types/license.go |
License finding type. |
pkg/flag/license_flags.go |
License-related flags. |
See also
- SBOM — license data is part of the SBOM.
- Vulnerability scanning — sibling feature on the same packages.
Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.