View licenses for container images, SBOM documents, filesystems, and apply rules that help you build a license compliance report.
$ grant check redis:latest
$ grant check alpine.spdx.json
$ syft -o spdx-json alpine:latest | grant check node:latest
curl -sSfL https://raw.githubusercontent.com/anchore/grant/main/install.sh | sh -s -- -b /usr/local/bin
... or, you can specify a release version and destination directory for the installation:
curl -sSfL https://raw.githubusercontent.com/anchore/grant/main/install.sh | sh -s -- -b <DESTINATION_DIR> <RELEASE_VERSION>
Grant can be used with any container image, sbom document, or directory to scan for licenses and check those classifierResults against a set of rules provided by the user.
Rules take the form of a pattern to match the license against, a name to identify the rule, a mode to either allow, deny, or ignore the license, a reason for the rule, and a list of packages that are exceptions to the rule.
pattern: "*gpl*"
name: "deny-gpl"
mode: "deny"
reason: "GPL licenses are not allowed"
exceptions:
- "alpine-base-layout" # We don't link against this package so we don't care about its license
Matching Rules:
- Denying licenses take precedence over allowing licenses
- License patterns are matched on a case-insensitive basis.
- If a license is has rules for both modes it is denied
Supplied patterns follow a standard globbing syntax:
pattern:
{ term }
term:
`*` matches any sequence of non-separator characters
`**` matches any sequence of characters
`?` matches any single non-separator character
`[` [ `!` ] { character-range } `]`
character class (must be non-empty)
`{` pattern-list `}`
pattern alternatives
c matches character c (c != `*`, `**`, `?`, `\`, `[`, `{`, `}`)
`\` c matches character c
character-range:
c matches character c (c != `\\`, `-`, `]`)
`\` c matches character c
lo `-` hi matches character c for lo <= c <= hi
pattern-list:
pattern { `,` pattern }
comma-separated (without spaces) patterns
By default grant is configured to deny all licenses out of the box.
Grant can be used to deny specific licenses while allowing all others.
It can also be used to allow specific licenses, denying all others.
#.grant.yaml
config: ".grant.yaml"
format: table # table, json
show-packages: false # show the packages which contain the licenses --show-packages
non-spdx: false # list only licenses that could not be matched to an SPDX identifier --non-spdx
osi-approved: false # highlight licenses that are not OSI approved --osi-approved
rules:
- pattern: "*gpl*"
name: "deny-gpl"
mode: "deny"
reason: "GPL licenses are not allowed per xxx-xx company policy"
exceptions:
- "alpine-base-layout" # We don't link against this package so we don't care about its license
In this example, all licenses are denied except BSD and MIT:
#.grant.yaml
rules:
- pattern: "BSD-*"
name: "bsd-allow"
mode: "allow"
reason: "BSD is compatible with our project"
exceptions:
# Packages to disallow even if they are licensed under BSD.
- my-package
- pattern: "MIT"
name: "mit-allow"
mode: "allow"
reason: "MIT is compatible with our project"
# Reject the rest.
- pattern: "*"
name: "default-deny-all"
mode: "deny"
reason: "All licenses need to be explicitly allowed"