License Scanning with Trivy
Kreate's license scanning integration allows you to automatically verify the licenses of your project's dependencies against a list of forbidden or restricted licenses. This is critical in commercial environments to ensure legal compliance (e.g., avoiding "copyleft" licenses like GPL in proprietary software).
How it Works
The `license { }` block defines how Trivy analyzes your project for license compliance. Trivy specifically analyzes the `.lockfile` files generated by Gradle.
Configuration Example
License Evaluation Details
Trivy categorizes licenses based on its internal rules into several severity levels.

| Severity | Meaning |
|---|---|
| CRITICAL | Highly restrictive licenses (e.g., AGPL) that often pose a high risk. |
| HIGH | Restrictive licenses (e.g., GPL, LGPL). |
| MEDIUM | Licenses with certain conditions (e.g., MPL). |
| LOW | Permissive licenses (e.g., BSD). |
| UNKNOWN | Licenses that Trivy cannot uniquely identify or categorize. |
Tips & Best Practices
- Lockfile Management: Kreate relies on Gradle lockfiles for license scanning. You must manually enable dependency locking and generate lockfiles using `./gradlew dependencies --write-locks`.
- Handling "Unknown": Licenses are often marked as `UNKNOWN` if metadata in Maven Central is incomplete. Verify these manually and add them to `ignoredLicenses` if they are acceptable.
- Gradual Adoption: For existing projects, start with `failOnForbidden.set(false)` to identify issues without breaking the build, then fix or ignore them before enforcing compliance.
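To make the severity table and the tips above concrete, here is an added example (not Kreate's or Trivy's own code) that evaluates a Trivy JSON license report the way such a build gate would: blocking severities fail the build unless the license is in an ignore list, `UNKNOWN` findings are routed to manual review, and a report-only mode mirrors `failOnForbidden.set(false)`. The `evaluate` function, its parameter names and the sample report are assumptions for illustration; the JSON field names follow Trivy's `--format json` license output.

```python
import json

# Constructed sample of Trivy's `--format json` license output for a Gradle
# lockfile (Results[].Licenses[] with Severity/Category/PkgName/Name); the
# package names and findings are invented for illustration.
SAMPLE_REPORT = json.dumps({"Results": [{
    "Target": "gradle.lockfile", "Class": "license", "Licenses": [
        {"Severity": "CRITICAL", "Category": "forbidden",
         "PkgName": "org.example:agpl-lib", "Name": "AGPL-3.0"},
        {"Severity": "HIGH", "Category": "restricted",
         "PkgName": "org.example:gpl-lib", "Name": "GPL-2.0"},
        {"Severity": "LOW", "Category": "notice",
         "PkgName": "org.example:bsd-lib", "Name": "BSD-3-Clause"},
        {"Severity": "UNKNOWN", "Category": "unknown",
         "PkgName": "org.example:no-metadata", "Name": "UNKNOWN"},
    ]}]})

# Trivy severities for the forbidden (CRITICAL) and restricted (HIGH) categories.
BLOCKING = {"CRITICAL", "HIGH"}


def evaluate(report_json, ignored_licenses=(), fail_on_forbidden=True):
    """Return (exit_code, violations, needs_review) for a Trivy license report.

    violations: (package, license) pairs with blocking severity not covered by
    ignored_licenses; needs_review: packages Trivy could not classify (UNKNOWN).
    exit_code is 1 only when violations exist and fail_on_forbidden is True.
    """
    ignored = set(ignored_licenses)
    violations, needs_review = [], []
    for result in json.loads(report_json).get("Results", []):
        for lic in result.get("Licenses", []):
            name, pkg = lic.get("Name", "UNKNOWN"), lic.get("PkgName", "?")
            if name in ignored:
                continue  # accepted after manual verification
            if lic.get("Severity") == "UNKNOWN" or name == "UNKNOWN":
                needs_review.append(pkg)
            elif lic.get("Severity") in BLOCKING:
                violations.append((pkg, name))
    return (1 if violations and fail_on_forbidden else 0), violations, needs_review


if __name__ == "__main__":
    code, bad, review = evaluate(SAMPLE_REPORT, ignored_licenses=["GPL-2.0"])
    for pkg, lic in bad:
        print(f"FORBIDDEN  {pkg} ({lic})")
    for pkg in review:
        print(f"REVIEW     {pkg} (license unknown, check Maven Central metadata)")
    raise SystemExit(code)
```

Running it with `GPL-2.0` ignored still exits 1 because of the AGPL dependency, while `fail_on_forbidden=False` lists the same findings and exits 0.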
How to Run
To execute the license scan individually, use the following Gradle command:
Alternatively, the scan is automatically included when running the lifecycle task: