License Scanning

Learn how to scan container images and filesystems for software licenses covering detection, compliance checking, and managing license obligations.

License scanning involves automatically identifying and analyzing the licenses associated with the various software components used in a project.

This is important because most software relies on third-party and open-source components, each with its own licensing terms that dictate how the software can be used, modified, and distributed, and failing to comply can lead to legal issues.

Grant is an open-source command-line tool designed to discover and report on the software licenses present in container images, SBOM documents, or filesystems. It helps users understand the licenses of their software dependencies and can check them against user-defined policies to ensure compliance.

1 - Getting Started

License Scanning Getting Started

Introduction

Grant searches SBOMs for licenses and the packages they belong to.

Install the latest Grant release

Grant is provided as a single compiled executable. Issue the command for your platform to download the latest release of Grant. The full list of official and community maintained packages can be found on the installation page.

Note

Grant is not currently available for Windows

curl -sSfL <a href="https://get.anchore.io/grant">https://get.anchore.io/grant</a> | sudo sh -s &ndash; -b /usr/local/bin

brew install grant

Scan a container for all the licenses used

grant alpine:latest

Grant will produce a list of licenses.

* alpine:latest
  * license matches for rule: default-deny-all; matched with pattern *
    * Apache-2.0
    * BSD-2-Clause
    * GPL-2.0-only
    * GPL-2.0-or-later
    * MIT
    * MPL-2.0
    * Zlib

Scan a container for OSI compliant licenses

Now we scan a different container, that contains some software that is distributed under non-OSI-compliant licenses.

Note

The image used here is quite large (over 3GB) so may take a while to download and analyze

grant check pytorch/pytorch:latest --osi-approved

Read more in our License Auditing User Guide.

Next steps

Try running Syft against other containers, or an application directory on your workstation.
Find out more about Supported Sources and Output Formats.
Learn about Vulnerability Scanning and License Scanning your SBOMs.