License Management

Introduced in GitLab Ultimate 11.0.

Overview

If you are using GitLab CI/CD, you can search your project dependencies for their licenses using License Management.

You can take advantage of License Management either by including the CI job in your existing .gitlab-ci.yml file or implicitly, by using the Auto License Management job provided by Auto DevOps.

In addition, you can manually approve or blacklist licenses in the project’s settings.

Going a step further, GitLab can show the licenses list right in the merge request widget area, highlighting the presence of licenses you don’t want to use, or new ones that need a decision.

Use cases

It helps you find which licenses your project uses through its dependencies, and decide for each of them whether to allow it or forbid it. For example, it can reveal that your application uses an external (open source) library whose license is incompatible with your own.

Supported languages and package managers

The following languages and package managers are supported.

Language     Package managers
JavaScript   Bower, npm
Go           Godep, go get
Java         Gradle, Maven
.NET         Nuget
Python       pip
Ruby         gem

How it works

First of all, you need to define a job in your .gitlab-ci.yml file that generates the License Management report artifact. For more information on what the License Management job should look like, see the example in Dependencies license management with GitLab CI/CD.

GitLab then checks this report, compares the licenses between the source and target branches, and shows the information right on the merge request. Blacklisted licenses will be clearly visible, as well as new licenses which need a decision from you.

Note: If the License Management report has nothing to compare against, no information is displayed in the merge request area. This is the case when you add the license_management job to your .gitlab-ci.yml for the first time. Subsequent merge requests will have a previous report to compare against, and the License Management report will be shown as expected.
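As an added illustration of the comparison described above (example code written for this page, not part of GitLab), the following Python reproduces the merge request classification: it diffs the license names in the source branch report against the target branch report, applies the project's approve/blacklist decisions, and handles the first-pipeline case where there is no target report. The report shape (a top-level "licenses" list of "name"/"count" entries) and both sample reports are constructed assumptions, not taken from the page.

```python
import json

# Constructed sample reports (assumed shape: a top-level "licenses" list with
# "name" and "count" per license). TARGET is the target branch, SOURCE the
# merge request's source branch.
TARGET_REPORT = json.dumps({"licenses": [
    {"name": "MIT", "count": 12},
    {"name": "Apache 2.0", "count": 3},
]})
SOURCE_REPORT = json.dumps({"licenses": [
    {"name": "MIT", "count": 13},
    {"name": "Apache 2.0", "count": 3},
    {"name": "GPL v3", "count": 1},        # newly introduced and blacklisted
    {"name": "BSD 3-Clause", "count": 2},  # newly introduced, no decision yet
]})

# Constructed project decisions, as made under Settings > CI/CD.
DECISIONS = {"MIT": "approved", "Apache 2.0": "approved", "GPL v3": "blacklisted"}


def license_names(report_json):
    """Set of license names in a report, or None when there is no report."""
    if report_json is None:
        return None
    return {entry["name"] for entry in json.loads(report_json).get("licenses", [])}


def classify_licenses(source_json, target_json, decisions):
    """Build the widget rows for the source branch's licenses.

    Returns None when there is no target report to compare against (the
    first pipeline after adding the job), matching the note above.
    """
    target = license_names(target_json)
    if target is None:
        return None
    rows = []
    for name in sorted(license_names(source_json)):
        status = decisions.get(name, "needs decision")
        is_new = name not in target
        rows.append({
            "name": name,
            "status": status,
            "new": is_new,
            # Highlight what a Maintainer must act on: blacklisted licenses
            # and newly introduced licenses that have no decision yet.
            "highlight": status == "blacklisted" or (is_new and status == "needs decision"),
        })
    return rows


def highlighted(rows):
    """Names of the licenses the widget would highlight."""
    return [row["name"] for row in rows if row["highlight"]]
```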

[Image: License Management Widget]

If you are a project or group Maintainer, you can click on a license to be given the choice to approve it or blacklist it.

[Image: License approval decision]

From the project’s settings:

[Image: License Management Settings]

Manual license management

Introduced in GitLab Ultimate 11.4.

Licenses can be manually approved or blacklisted in a project’s settings.

To approve or blacklist a license:

  1. Navigate to the project’s Settings > CI/CD.
  2. Expand the License Management section and click the Add a license button.
  3. In the License name dropdown, either:
    • Select one of the available licenses. You can search for licenses in the field at the top of the list.
    • Enter arbitrary text in the field at the top of the list. This will cause the text to be added as a license name to the list.
  4. Select the Approve or Blacklist radio button to approve or blacklist the selected license, respectively.

License Management report under pipelines

Introduced in GitLab Ultimate 11.2.

From your project’s left sidebar, navigate to CI/CD > Pipelines and click the ID of a pipeline that has a license_management job to see the Licenses tab with the detected licenses (if any).

[Image: License Management Pipeline Tab]