How to Use

Scanning a Project

Open Source Projects

The easiest way to start scanning an open source project is to use our "one click" scan from the homepage. Simply enter the URL of the project on Github and the scan will start immediately.


If the project has not been scanned in the last five days, a re-scan starts automatically. If the project is your own and you would like it scanned on every new commit, you can also log in and configure the Github integration (see "Continuous Scans and Alerts", below).

Private Projects

To scan a private repository, sign in with your Github account from the top navigation bar.

You will be presented with a list of all the projects connected to your Github account from which you can start a scan.

Continuous Scans and Alerts / Github Integration

When you enable the Github Pull Request integration, every pull request (as well as your default branch) is scanned whenever a developer pushes new commits.

The integration flags an error on your pull request if it introduces new libraries that fall outside your licensing policy and have not been manually approved.

These scans are quick and take far less time than the initial full scan, because only the changed code and libraries are scanned.

License Badges

In your Project Settings, you can find the markup for a badge that you can include in your readme file to indicate both the license of your project and the status of your default branch.


Supported Platforms

Scanning is currently supported for Ruby/Bundler, Node/NPM, Bower and standalone Javascript source files. We're working on support for additional languages and platforms, so check in with us if you're using a different stack!


Automated approvals

From your Project Policy, you can configure automatic approval of libraries that fall under one or more license categories: permissive (e.g. MIT, Apache), weak copyleft (e.g. LGPL, MPL), and/or strong copyleft (e.g. GPL). Which categories are acceptable depends on how your project is distributed and linked against those libraries; if you're unsure which you should allow, please contact us to help you work it out.


In addition, when manually approving a license, you can choose to approve that license for all libraries (see below). Then, new libraries under the approved license will be automatically approved in the future.

Manual approvals

When a scan encounters a license that does not meet your automatic-approval settings, or a license it does not recognize, you can either approve that individual library or approve the license for all libraries (including any introduced in the future).


Until every unapproved library is addressed, affected pull requests in Github will show as failing (if you are using the Github Pull Request integration). A failing pull request succeeds and turns green as soon as you approve the applicable libraries or licenses, or, if the license is not permissible in your project, as soon as the developer removes the library from the code.
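The following is an added example, not the service's own code, of how the rules described under "Github Integration", "Automated approvals" and "Manual approvals" combine: a policy auto-approves whole license categories, manual approvals apply either to one library or to a license for all libraries, and the pull-request check only examines libraries that are new relative to the default branch. The license table, the `Policy`/`Library` names and the gem names are all assumptions constructed for illustration.

```ruby
require 'set'

# Hypothetical mapping from license identifiers to the three policy
# categories. Anything not listed here is treated as unrecognized.
LICENSE_CATEGORY = {
  'MIT'          => :permissive,
  'Apache-2.0'   => :permissive,
  'BSD-3-Clause' => :permissive,
  'ISC'          => :permissive,
  'LGPL-2.1'     => :weak_copyleft,
  'LGPL-3.0'     => :weak_copyleft,
  'MPL-2.0'      => :weak_copyleft,
  'GPL-2.0'      => :strong_copyleft,
  'GPL-3.0'      => :strong_copyleft,
  'AGPL-3.0'     => :strong_copyleft
}.freeze

Library = Struct.new(:name, :version, :license)

# A project policy: auto-approved categories plus the two kinds of manual
# approval (a license approved for all libraries, or a single library).
class Policy
  attr_reader :auto_approve, :approved_licenses, :approved_libraries

  def initialize(auto_approve: [])
    @auto_approve = Set.new(auto_approve)
    @approved_licenses = Set.new
    @approved_libraries = Set.new
  end

  # "Approve this license for all libraries" (current and future ones).
  def approve_license!(license)
    @approved_licenses << license
    self
  end

  # "Approve this individual library" only.
  def approve_library!(name)
    @approved_libraries << name
    self
  end

  # Manual approvals win, then the category rules. A library with a
  # missing or unknown license is never auto-approved.
  def status_for(lib)
    return :approved if @approved_libraries.include?(lib.name)
    return :approved if lib.license && @approved_licenses.include?(lib.license)

    category = LICENSE_CATEGORY[lib.license]
    return :unrecognized if category.nil?

    @auto_approve.include?(category) ? :approved : :needs_approval
  end
end

# Pull-request check: only libraries absent from the default branch are
# evaluated, mirroring the incremental scan. Returns the status the commit
# check would report plus a human-readable reason for each blocker.
def pr_check(default_branch_libs, pr_libs, policy)
  known = default_branch_libs.map(&:name).to_set
  new_libs = pr_libs.reject { |lib| known.include?(lib.name) }

  findings = new_libs.filter_map do |lib|
    status = policy.status_for(lib)
    next if status == :approved
    "#{lib.name}@#{lib.version} (#{lib.license || 'no license'}): #{status}"
  end

  { status: findings.empty? ? :success : :failure, findings: findings }
end

# Constructed sample data, not output of a real scan. 'pg' carries a
# license the table does not know, but it is already on the default
# branch, so the PR check never looks at it.
DEFAULT_BRANCH = [
  Library.new('rails', '7.1.0', 'MIT'),
  Library.new('pg', '1.5.4', 'BSD-2-Clause')
].freeze

PULL_REQUEST = (DEFAULT_BRANCH + [
  Library.new('nokogiri', '1.16.0', 'MIT'),
  Library.new('example-lgpl', '2.0.0', 'LGPL-3.0'),
  Library.new('example-gpl', '0.9.1', 'GPL-3.0'),
  Library.new('example-unlicensed', '1.0.0', nil)
]).freeze

if __FILE__ == $PROGRAM_NAME
  policy = Policy.new(auto_approve: %i[permissive weak_copyleft])
  p pr_check(DEFAULT_BRANCH, PULL_REQUEST, policy)   # failure: GPL gem + unlicensed gem
  policy.approve_license!('GPL-3.0').approve_library!('example-unlicensed')
  p pr_check(DEFAULT_BRANCH, PULL_REQUEST, policy)   # success
end
```

Two details are deliberate: a library with no detectable license is reported as `unrecognized` rather than silently passing, and the per-library approval of `example-unlicensed` does not extend to other unlicensed libraries, whereas the `GPL-3.0` approval does apply to every future GPL-3.0 library, which is exactly the distinction the manual-approval dialog asks you to make.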