# License Scanning
Trivy scans any container image for license files and offers an opinionated view on the risk associated with the license.
Licenses are classified using the Google License Classification:
- Forbidden
- Restricted
- Reciprocal
- Notice
- Permissive
- Unencumbered
- Unknown
**Tip:** Licenses that Trivy fails to recognize are classified as UNKNOWN. As those licenses may be in violation, it is recommended to check those unknown licenses as well.
By default, Trivy scans licenses for packages installed by `apk`, `apt-get`, `dnf`, `npm`, `pip`, `gem`, etc. Check out the coverage document for details.

To enable extended license scanning, you can use `--license-full`.
In addition to package licenses, Trivy scans source code files, Markdown documents, text files and `LICENSE` documents to identify license usage within the image or filesystem.

By default, Trivy only classifies licenses that the classifier matches with a confidence level of 0.9 or more. To configure the confidence level, you can use `--license-confidence-level`. This lets Trivy classify licenses that the classifier matches only with a lower confidence level.

**Note:** Full license scanning is expensive and takes a while.
License scanning | Image | Rootfs | Filesystem | Repository | SBOM |
---|---|---|---|---|---|
Standard | ✅ | ✅ | ✅¹² | ✅¹² | ✅ |
Full (`--license-full`) | ✅ | ✅ | ✅ | ✅ | - |
License checking classifies the identified licenses and maps each classification to a severity.
Classification | Severity |
---|---|
Forbidden | CRITICAL |
Restricted | HIGH |
Reciprocal | MEDIUM |
Notice | LOW |
Permissive | LOW |
Unencumbered | LOW |
Unknown | UNKNOWN |
## Quick start

This section shows how to scan licenses in container images and filesystems.
### Standard scanning

Specify an image name with `--scanners license`.

```
$ trivy image --scanners license --severity UNKNOWN,HIGH,CRITICAL alpine:3.15
2022-07-13T17:28:39.526+0300 INFO License scanning is enabled

OS Packages (license)
=====================
Total: 6 (UNKNOWN: 0, HIGH: 6, CRITICAL: 0)

┌───────────────────┬─────────┬────────────────┬──────────┐
│      Package      │ License │ Classification │ Severity │
├───────────────────┼─────────┼────────────────┼──────────┤
│ alpine-baselayout │ GPL-2.0 │ Restricted     │ HIGH     │
├───────────────────┤         │                │          │
│ apk-tools         │         │                │          │
├───────────────────┤         │                │          │
│ busybox           │         │                │          │
├───────────────────┤         │                │          │
│ musl-utils        │         │                │          │
├───────────────────┤         │                │          │
│ scanelf           │         │                │          │
├───────────────────┤         │                │          │
│ ssl_client        │         │                │          │
└───────────────────┴─────────┴────────────────┴──────────┘
```
### Full scanning

Specify `--license-full`:

```
$ trivy image --scanners license --severity UNKNOWN,HIGH,CRITICAL --license-full grafana/grafana
2022-07-13T17:48:40.905+0300 INFO Full license scanning is enabled

OS Packages (license)
=====================
Total: 20 (UNKNOWN: 9, HIGH: 11, CRITICAL: 0)

┌───────────────────┬───────────────────┬────────────────┬──────────┐
│      Package      │      License      │ Classification │ Severity │
├───────────────────┼───────────────────┼────────────────┼──────────┤
│ alpine-baselayout │ GPL-2.0           │ Restricted     │ HIGH     │
├───────────────────┤                   │                │          │
│ apk-tools         │                   │                │          │
├───────────────────┼───────────────────┤                │          │
│ bash              │ GPL-3.0           │                │          │
├───────────────────┼───────────────────┼────────────────┼──────────┤
│ keyutils-libs     │ GPL-2.0           │ Restricted     │ HIGH     │
│                   ├───────────────────┼────────────────┼──────────┤
│                   │ LGPL-2.0-or-later │ Non Standard   │ UNKNOWN  │
├───────────────────┼───────────────────┤                │          │
│ libaio            │ LGPL-2.1-or-later │                │          │
├───────────────────┼───────────────────┼────────────────┼──────────┤
│ libcom_err        │ GPL-2.0           │ Restricted     │ HIGH     │
│                   ├───────────────────┼────────────────┼──────────┤
│                   │ LGPL-2.0-or-later │ Non Standard   │ UNKNOWN  │
├───────────────────┼───────────────────┼────────────────┼──────────┤
│ tzdata            │ Public-Domain     │ Non Standard   │ UNKNOWN  │
└───────────────────┴───────────────────┴────────────────┴──────────┘

Loose File License(s) (license)
===============================
Total: 6 (UNKNOWN: 4, HIGH: 0, CRITICAL: 2)

┌────────────────┬──────────┬──────────────┬──────────────────────────────────────────────────────────────┐
│ Classification │ Severity │   License    │                        File Location                         │
├────────────────┼──────────┼──────────────┼──────────────────────────────────────────────────────────────┤
│ Forbidden      │ CRITICAL │ AGPL-3.0     │ /usr/share/grafana/LICENSE                                   │
├────────────────┼──────────┼──────────────┼──────────────────────────────────────────────────────────────┤
│ Non Standard   │ UNKNOWN  │ BSD-0-Clause │ /usr/share/grafana/public/build/5069.d6aae9dd11d49c741a80.j- │
│                │          │              │ s.LICENSE.txt                                                │
│                │          │              ├──────────────────────────────────────────────────────────────┤
│                │          │              │ /usr/share/grafana/public/build/6444.d6aae9dd11d49c741a80.j- │
│                │          │              │ s.LICENSE.txt                                                │
│                │          │              ├──────────────────────────────────────────────────────────────┤
│                │          │              │ /usr/share/grafana/public/build/7889.d6aae9dd11d49c741a80.j- │
│                │          │              │ s.LICENSE.txt                                                │
│                │          │              ├──────────────────────────────────────────────────────────────┤
│                │          │              │ /usr/share/grafana/public/build/canvasPanel.d6aae9dd11d49c7- │
│                │          │              │ 41a80.js.LICENSE.txt                                         │
└────────────────┴──────────┴──────────────┴──────────────────────────────────────────────────────────────┘
```
## Configuration

Trivy has a number of configuration flags for use with license scanning.
### Ignored Licenses

Trivy license scanning can ignore identified licenses, explicitly removing them from the results, using the `--ignored-licenses` flag:

```
$ trivy image --scanners license --ignored-licenses MPL-2.0,MIT --severity HIGH grafana/grafana:latest
2022-07-13T18:15:28.605Z INFO License scanning is enabled

OS Packages (license)
=====================
Total: 2 (HIGH: 2, CRITICAL: 0)

┌───────────────────┬─────────┬────────────────┬──────────┐
│      Package      │ License │ Classification │ Severity │
├───────────────────┼─────────┼────────────────┼──────────┤
│ alpine-baselayout │ GPL-2.0 │ Restricted     │ HIGH     │
├───────────────────┤         │                │          │
│ ssl_client        │         │                │          │
└───────────────────┴─────────┴────────────────┴──────────┘
```
### Configuring Classifier Confidence Level

You can use the `--license-confidence-level` flag to adjust the confidence level between 0.0 and 1.0 (default 0.9).

For example, when you run the scanner with the default confidence level on the SPDX license list data, it detects only 258 licenses.
```
$ trivy fs --scanners license --license-full <path/to/spdx/list/data>
2023-04-18T10:05:13.601-0700 INFO Full license scanning is enabled

Loose File License(s) (license)
===============================
Total: 258 (UNKNOWN: 70, LOW: 90, MEDIUM: 18, HIGH: 58, CRITICAL: 22)
```
However, by lowering the confidence level to 0.8, the scanner detects 282 licenses.
```
$ trivy fs --scanners license --license-full --license-confidence-level 0.8 <path/to/spdx/list/data>
2023-04-18T10:21:39.637-0700 INFO Full license scanning is enabled

Loose File License(s) (license)
===============================
Total: 282 (UNKNOWN: 81, LOW: 97, MEDIUM: 24, HIGH: 58, CRITICAL: 22)
```
### Custom Classification

You can generate the default config with the `--generate-default-config` flag and customize the license classification.

For example, if you want to forbid only AGPL-3.0, you can leave it under `forbidden` and move the other licenses to another classification.

```bash
$ trivy image --generate-default-config
$ vim trivy.yaml
```
```yaml
license:
  forbidden:
    - AGPL-3.0
  restricted:
    - AGPL-1.0
    - CC-BY-NC-1.0
    - CC-BY-NC-2.0
    - CC-BY-NC-2.5
    - CC-BY-NC-3.0
    - CC-BY-NC-4.0
    - CC-BY-NC-ND-1.0
    - CC-BY-NC-ND-2.0
    - CC-BY-NC-ND-2.5
    - CC-BY-NC-ND-3.0
    - CC-BY-NC-ND-4.0
    - CC-BY-NC-SA-1.0
    - CC-BY-NC-SA-2.0
    - CC-BY-NC-SA-2.5
    - CC-BY-NC-SA-3.0
    - CC-BY-NC-SA-4.0
    - Commons-Clause
    - Facebook-2-Clause
    - Facebook-3-Clause
    - Facebook-Examples
    - WTFPL
    - BCL
    - CC-BY-ND-1.0
    - CC-BY-ND-2.0
    - CC-BY-ND-2.5
    - CC-BY-ND-3.0
    - CC-BY-ND-4.0
    - CC-BY-SA-1.0
    - CC-BY-SA-2.0
    - CC-BY-SA-2.5
    - CC-BY-SA-3.0
    - CC-BY-SA-4.0
    - GPL-1.0
    - GPL-2.0
    - GPL-2.0-with-autoconf-exception
    - GPL-2.0-with-bison-exception
    - GPL-2.0-with-classpath-exception
    - GPL-2.0-with-font-exception
    - GPL-2.0-with-GCC-exception
    - GPL-3.0
    - GPL-3.0-with-autoconf-exception
    - GPL-3.0-with-GCC-exception
    - LGPL-2.0
    - LGPL-2.1
    - LGPL-3.0
    - NPL-1.0
    - NPL-1.1
    - OSL-1.0
    - OSL-1.1
    - OSL-2.0
    - OSL-2.1
    - OSL-3.0
    - QPL-1.0
    - Sleepycat
  reciprocal:
    - APSL-1.0
    - APSL-1.1
    - APSL-1.2
    - APSL-2.0
    - CDDL-1.0
    - CDDL-1.1
    - CPL-1.0
    - EPL-1.0
    - EPL-2.0
    - FreeImage
    - IPL-1.0
    - MPL-1.0
    - MPL-1.1
    - MPL-2.0
    - Ruby
  notice:
    - AFL-1.1
    - AFL-1.2
    - AFL-2.0
    - AFL-2.1
    - AFL-3.0
    - Apache-1.0
    - Apache-1.1
    - Apache-2.0
    - Artistic-1.0-cl8
    - Artistic-1.0-Perl
    - Artistic-1.0
    - Artistic-2.0
    - BSL-1.0
    - BSD-2-Clause-FreeBSD
    - BSD-2-Clause-NetBSD
    - BSD-2-Clause
    - BSD-3-Clause-Attribution
    - BSD-3-Clause-Clear
    - BSD-3-Clause-LBNL
    - BSD-3-Clause
    - BSD-4-Clause
    - BSD-4-Clause-UC
    - BSD-Protection
    - CC-BY-1.0
    - CC-BY-2.0
    - CC-BY-2.5
    - CC-BY-3.0
    - CC-BY-4.0
    - FTL
    - ISC
    - ImageMagick
    - Libpng
    - Lil-1.0
    - Linux-OpenIB
    - LPL-1.02
    - LPL-1.0
    - MS-PL
    - MIT
    - NCSA
    - OpenSSL
    - PHP-3.01
    - PHP-3.0
    - PIL
    - Python-2.0
    - Python-2.0-complete
    - PostgreSQL
    - SGI-B-1.0
    - SGI-B-1.1
    - SGI-B-2.0
    - Unicode-DFS-2015
    - Unicode-DFS-2016
    - Unicode-TOU
    - UPL-1.0
    - W3C-19980720
    - W3C-20150513
    - W3C
    - X11
    - Xnet
    - Zend-2.0
    - zlib-acknowledgement
    - Zlib
    - ZPL-1.1
    - ZPL-2.0
    - ZPL-2.1
  unencumbered:
    - CC0-1.0
    - Unlicense
    - 0BSD
  permissive: []
```
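As an added illustration, not Trivy's own code, the following Python reimplements the behaviour this page describes: classifying an identifier against the `license:` lists of a `trivy.yaml`, mapping the classification to a severity with the table above, and applying `--ignored-licenses` and `--severity` filtering. The configuration subset and the detected packages are constructed sample data.

```python
from collections import Counter

# Constructed subset of the trivy.yaml 'license:' section above;
# a real config lists many more identifiers per classification.
LICENSE_CONFIG = {
    "forbidden": ["AGPL-3.0"],
    "restricted": ["GPL-2.0", "GPL-3.0", "LGPL-2.0", "LGPL-2.1"],
    "reciprocal": ["MPL-2.0", "EPL-2.0"],
    "notice": ["Apache-2.0", "MIT", "BSD-3-Clause"],
    "unencumbered": ["CC0-1.0", "Unlicense", "0BSD"],
    "permissive": [],
}
# Classification -> severity, as in the table in this document.
SEVERITY = {"forbidden": "CRITICAL", "restricted": "HIGH",
            "reciprocal": "MEDIUM", "notice": "LOW", "permissive": "LOW",
            "unencumbered": "LOW", "unknown": "UNKNOWN"}
SEVERITY_ORDER = ("UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL")

def classify(license_id, config=LICENSE_CONFIG):
    """Exact-match lookup. Anything not listed (e.g. 'LGPL-2.1-or-later' when
    only 'LGPL-2.1' is configured) is 'unknown', shown as 'Non Standard'."""
    for category, ids in config.items():
        if license_id in ids:
            return category
    return "unknown"

def evaluate(detected, ignored=(), severities=SEVERITY_ORDER,
             config=LICENSE_CONFIG):
    """Classify (package, license) pairs, skipping `ignored` identifiers (as
    --ignored-licenses) and unrequested `severities` (as --severity)."""
    findings = []
    for pkg, lic in detected:
        if lic in ignored:
            continue
        category = classify(lic, config)
        severity = SEVERITY[category]
        if severity in severities:
            findings.append((pkg, lic, category, severity))
    counts = Counter(f[3] for f in findings)
    summary = f"Total: {len(findings)} (" + ", ".join(
        f"{s}: {counts[s]}" for s in SEVERITY_ORDER if s in severities) + ")"
    return findings, summary

# Constructed sample input, echoing packages from the scans above.
SAMPLE = [("alpine-baselayout", "GPL-2.0"), ("busybox", "GPL-2.0"),
          ("grafana", "AGPL-3.0"), ("libaio", "LGPL-2.1-or-later"),
          ("some-js-lib", "MIT"), ("other-lib", "MPL-2.0")]
FINDINGS, TOTAL = evaluate(SAMPLE, ignored={"MPL-2.0", "MIT"},
                           severities=("UNKNOWN", "HIGH", "CRITICAL"))
print(TOTAL)  # Total: 4 (UNKNOWN: 1, HIGH: 2, CRITICAL: 1)
```

Note that `LGPL-2.1-or-later` lands in UNKNOWN because only `LGPL-2.1` is configured, the same effect visible in the `grafana/grafana` output above, which is why the UNKNOWN bucket deserves review.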