Open-Source Wikis

/

Trivy

/

Features

/

License scanning

aquasecurity/trivy

License scanning

Active contributors: knqyf263, DmitriyLewen

Purpose

License scanning identifies the license of every detected dependency and surfaces ones that conflict with a configured allow/deny policy. It pulls license declarations from package metadata where possible (e.g., package.json license field, .gemspec, Maven POM, RPM headers, dpkg copyright) and falls back to a license classifier when the metadata is missing or ambiguous.

How it works

Two analyzers feed license data:

  • Package-manager analyzers — most language and OS analyzers populate the License field of each detected package directly from manifest data. For example, the npm analyzer reads license from package-lock.json lockfile entries.
  • License-file analyzer (pkg/fanal/analyzer/licensing/) — explicitly runs a classifier over license files in the repository (LICENSE, LICENSE.txt, COPYING, etc.).

The license classifier in pkg/licensing/ is a thin wrapper around google/licenseclassifier. Behind the --license-full flag the classifier scans the entire content of each candidate license file for higher accuracy at the cost of speed.

graph LR
    Walker[fanal walker] --> PkgA[package analyzers]
    Walker --> LicA[license-file analyzer]
    PkgA -->|License from manifest| Pkg[Package.License]
    LicA --> Classifier[google/licenseclassifier]
    Classifier --> Norm[license normalization]
    Pkg --> Norm
    Norm --> Filter[allowed/denied policy]
    Filter --> Result[Result.Licenses]

pkg/licensing/ also normalizes license strings into SPDX identifiers where possible (Apache 2.0Apache-2.0).

Configuration

Flag Purpose
--scanners license Enable license scanning.
--license-full Classify the full file content (slower, more accurate).
--license-confidence-level Minimum confidence for the classifier (0.0–1.0).
--ignored-licenses Licenses to suppress.
--license-categories Restrict severity per category. The flag layer in pkg/flag/license_flags.go exposes forbidden, restricted, reciprocal, notice, permissive, unencumbered, unknown.

The category-to-severity mapping is built into pkg/licensing/; users typically tune --ignored-licenses rather than changing categories.

Output

License findings live in types.Result.Licenses. Each carries:

  • Severity (HIGH, MEDIUM, LOW, UNKNOWN).
  • Category (forbidden, restricted, reciprocal, notice, permissive, unencumbered, unknown).
  • PkgName and FilePath for the source.
  • Name (the license identifier).
  • Confidence (0.0–1.0 from the classifier when applicable).

Integration points

  • fanal — both analyzer kinds (package-manager and license-file) are regular analyzers.
  • Vulnerability scanning — packages discovered by language analyzers are also the source of license data.
  • SBOM — licenses are carried in CycloneDX/SPDX output.

Entry points for modification

  • Change a category mappingpkg/licensing/ has the SPDX-to-category table.
  • Improve classificationpkg/fanal/analyzer/licensing/ controls how license files are detected and read.
  • Add a built-in license — typically not required: SPDX is the source of truth; new licenses come from licenseclassifier upstream.

Key source files

File Purpose
pkg/licensing/ Classifier wrapper, normalization, category mapping.
pkg/fanal/analyzer/licensing/ License-file analyzer.
pkg/fanal/analyzer/language/<lang>/ Per-language manifest license extraction.
pkg/types/license.go License finding type.
pkg/flag/license_flags.go License-related flags.

See also

Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.

License scanning – Trivy wiki | Factory