GitHub’s new License Compliance feature automatically scans direct and nested dependencies to stop costly open-source legal violations before software hits production.
GitHub has officially launched its new GitHub License Compliance feature, which is currently in public preview. The feature is available to GitHub Advanced Security (GHAS) customers and can be used by GitHub Enterprise Cloud organisations across repositories that maintain an active GHAS Code Security licence.
It acts as an automated checklist for software supply chains, allowing enterprise teams to manage open-source dependencies at scale, identify licensing risks, and prevent costly compliance or legal violations before non-compliant code is merged into production. When a developer opens or updates a pull request that adds or updates dependencies, the tool automatically evaluates the licences of both direct and indirect (transitive) dependencies against the company’s internal compliance policy. If a package with an unusual, missing, or explicitly forbidden licence is found, the system flags the issue by placing a dedicated alert annotation directly on the affected line of the pull request, mapping out the exact path through the dependency tree that pulls the package in.
The tool allows companies to roll out enforcement using organization-wide rulesets. In “Evaluate” mode the rulesets generate pull request annotations for awareness without blocking merges, so developers can become familiar with the compliance rules before enforcement begins. When “Active” mode enforcement is switched on, it prevents code from being merged until the dependency is removed, replaced, or granted an official policy bypass. Repository administrators can toggle between Active and Evaluate states via specific repository properties, allowing teams to temporarily lower enforcement so that a critical security patch or emergency hotfix can pass through while the licence issue is reviewed.
GitHub’s internal Open Source Program Office (OSPO) served as the primary early adopter, testing the tool internally for two months prior to public preview to manage its own complex multi-dependency compliance network. The initial guardrails were built on a predefined allowlist of standard, highly permissive licences with low compliance risk, such as MIT, Apache 2.0, and BSD-3-Clause.
If a developer believes a flagged dependency is necessary, they can submit an official exception request. These requests route directly to individuals assigned to the newly introduced Enterprise Open Source License Policy Manager role. When granting exemptions, these managers can apply them using organization-wide rules, repository-specific rules, or wildcard rules to handle related internal or vendor packages simultaneously.
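The evaluation logic described above (allowlist of permissive licences, a walk over direct and transitive dependencies that records the path to each offending package, Evaluate versus Active mode, and exemptions granted as organization-wide, repository-specific or wildcard rules) is illustrated below as an added example; it is not GitHub's implementation, and the dependency graph, licences and exemption rules are constructed sample data.

```python
# Added illustration of an allowlist-based licence policy check; not GitHub's code.
from fnmatch import fnmatch

# Allowlist of permissive licences, as in the article's initial guardrails.
ALLOWLIST = {"MIT", "Apache-2.0", "BSD-3-Clause"}

# Constructed sample dependency graph: package -> (licence or None, direct deps).
GRAPH = {
    "app": (None, ["web-framework", "internal-util"]),  # the repository itself
    "web-framework": ("MIT", ["template-engine"]),
    "template-engine": ("GPL-3.0-only", []),            # copyleft, not allowlisted
    "internal-util": (None, ["acme-logging"]),          # missing licence metadata
    "acme-logging": ("Proprietary", []),                # vendor package
}

# Constructed exemption rules: (scope, package pattern). Scope is "org" for all
# repositories or a repository name; patterns may use wildcards for related packages.
EXEMPTIONS = [("org", "acme-*"), ("payments-service", "internal-*")]


def find_violations(graph, root, allowlist):
    """Depth-first walk from root; returns (package, licence, path) for every
    dependency whose licence is missing or not on the allowlist."""
    violations, seen, stack = [], set(), [(root, [root])]
    while stack:
        pkg, path = stack.pop()
        if pkg in seen:
            continue
        seen.add(pkg)
        licence, children = graph[pkg]
        if pkg != root and licence not in allowlist:
            violations.append((pkg, licence, path))
        stack.extend((child, path + [child]) for child in children)
    return violations


def is_exempt(pkg, repo, exemptions):
    """A rule applies when its scope is the whole org or this repository."""
    return any(scope in ("org", repo) and fnmatch(pkg, pattern)
               for scope, pattern in exemptions)


def evaluate_pull_request(graph, root, repo, mode, allowlist=ALLOWLIST, exemptions=EXEMPTIONS):
    """Returns (blocked, annotations). Evaluate mode only annotates; active mode
    blocks the merge when any violation lacks an exemption."""
    annotations, blocked = [], False
    for pkg, licence, path in find_violations(graph, root, allowlist):
        exempt = is_exempt(pkg, repo, exemptions)
        annotations.append({"package": pkg, "licence": licence or "missing",
                            "path": " -> ".join(path), "exempt": exempt})
        blocked = blocked or (mode == "active" and not exempt)
    return blocked, annotations
```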