Skip to content
/ grant Public
forked from anchore/grant

Search an SBOM for licenses and the packages they belong to

License

Apache-2.0 license
0 stars 7 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

kzantow-anchore/grant

BranchesTags
 
 

Repository files navigation

Grant

View licenses for container images, SBOM documents, filesystems, and apply rules that help you build a license compliance report.

demo

Supply an image

$ grant check redis:latest

Supply an SBOM document

$ grant check alpine.spdx.json

Supply multiple sources including stdin and a mix of image and sbom

$ syft -o spdx-json alpine:latest | grant check node:latest

Installation

curl -sSfL https://raw.githubusercontent.com/anchore/grant/main/install.sh | sh -s -- -b /usr/local/bin

... or, you can specify a release version and destination directory for the installation:

curl -sSfL https://raw.githubusercontent.com/anchore/grant/main/install.sh | sh -s -- -b <DESTINATION_DIR> <RELEASE_VERSION>

Usage

Grant can be used with any container image, sbom document, or directory to scan for licenses and check those classifierResults against a set of rules provided by the user.

Rules take the form of a pattern to match the license against, a name to identify the rule, a mode to either allow, deny, or ignore the license, a reason for the rule, and a list of packages that are exclusions to the rule.

pattern: "*gpl*"
name: "deny-gpl"
mode: "deny"
reason: "GPL licenses are not allowed"
exclusions:
  - "alpine-base-layout" # We don't link against this package so we don't care about its license

Matching Rules:

  • Denying licenses take precedence over allowing licenses
  • License patterns are matched on a case-insensitive basis.
  • If a license is has rules for both modes it is denied

Supplied patterns follow a standard globbing syntax:

pattern:
{ term }

term:
`*`         matches any sequence of non-separator characters
`**`        matches any sequence of characters
`?`         matches any single non-separator character
`[` [ `!` ] { character-range } `]`
character class (must be non-empty)
`{` pattern-list `}`
pattern alternatives
c           matches character c (c != `*`, `**`, `?`, `\`, `[`, `{`, `}`)
`\` c       matches character c

character-range:
c           matches character c (c != `\\`, `-`, `]`)
`\` c       matches character c
lo `-` hi   matches character c for lo <= c <= hi

pattern-list:
pattern { `,` pattern }
comma-separated (without spaces) patterns

By default grant is configured to deny all licenses out of the box.

Grant can be used to deny specific licenses while allowing all others.

It can also be used to allow specific licenses, denying all others.

Output

Table

table-output

JSON: TODO

json-output

Configuration

#.grant.yaml
config: ".grant.yaml"
format: table # table, json
show-packages: false # show the packages which contain the licenses --show-packages
non-spdx: false # list only licenses that could not be matched to an SPDX identifier --non-spdx
osi-approved: false # highlight licenses that are not OSI approved --osi-approved
rules: 
    - pattern: "*gpl*"
      name: "deny-gpl"
      mode: "deny"
      reason: "GPL licenses are not allowed per xxx-xx company policy"
      exclusions:
        - "alpine-base-layout" # We don't link against this package so we don't care about its license

About

Search an SBOM for licenses and the packages they belong to

Resources

Readme

License

Apache-2.0 license

Security policy

Security policy
Activity
Custom properties

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • Go 80.6%
  • Shell 17.1%
  • Makefile 1.9%
  • Java 0.4%