snyk_license_check
Check license compliance for project dependencies using Snyk to assess risks and ensure adherence to selected policies.
Instructions
Check license compliance for project dependencies using Snyk.
Args:
project_path: Path to the project directory
policy: License policy to apply ("permissive", "copyleft-limited", "strict")
Returns:
License compliance report with risk assessment
Input Schema
TableJSON Schema
| Name | Required | Description | Default |
|---|---|---|---|
| project_path | No | . | |
| policy | No | permissive |
Implementation Reference
- Main handler function decorated with @mcp.tool() that implements the snyk_license_check tool. It scans project dependencies, uses Snyk integration for license compliance checking, applies customizable policies, and generates a risk assessment report.async def snyk_license_check(project_path: str = ".", policy: str = "permissive"): """ Check license compliance for project dependencies using Snyk. Args: project_path: Path to the project directory policy: License policy to apply ("permissive", "copyleft-limited", "strict") Returns: License compliance report with risk assessment """ from .snyk_integration import snyk_integration from .project_scanner import find_and_parse_dependencies try: # Find project dependencies dep_result = find_and_parse_dependencies(project_path) if not dep_result: return {"error": "No supported dependency files found"} filename, ecosystem, dependencies = dep_result # Convert dependencies to list of tuples packages = [(name, version) for name, version in dependencies.items()] # Get license compliance report compliance_report = await snyk_integration.get_license_compliance( packages, ecosystem ) # Apply policy-specific analysis policy_rules = { "permissive": { "allowed": {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"}, "restricted": { "GPL-2.0", "GPL-3.0", "LGPL-2.1", "LGPL-3.0", "AGPL-3.0", }, "name": "Permissive Policy", }, "copyleft-limited": { "allowed": { "MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC", "LGPL-2.1", "LGPL-3.0", }, "restricted": {"GPL-2.0", "GPL-3.0", "AGPL-3.0"}, "name": "Limited Copyleft Policy", }, "strict": { "allowed": {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause"}, "restricted": { "GPL-2.0", "GPL-3.0", "LGPL-2.1", "LGPL-3.0", "AGPL-3.0", }, "name": "Strict Policy", }, } selected_policy = policy_rules.get(policy, policy_rules["permissive"]) # Risk assessment risk_assessment = { "policy_applied": selected_policy["name"], "overall_compliance": ( "compliant" if compliance_report["non_compliant_packages"] == 0 else "non-compliant" ), "risk_level": ( "low" if compliance_report["non_compliant_packages"] == 0 else ( "high" if compliance_report["non_compliant_packages"] > 5 else "medium" ) ), "action_required": compliance_report["non_compliant_packages"] > 0, } return { "project_path": project_path, "policy": selected_policy["name"], "scan_timestamp": datetime.now().isoformat(), "compliance_summary": compliance_report, "risk_assessment": risk_assessment, "recommendations": [ "π Review all non-compliant packages", "π Find alternative packages with compatible licenses", "βοΈ Consult legal team for high-risk licenses", "π Document license decisions for audit trail", ], } except Exception as e: return { "error": f"License check failed: {str(e)}", "project_path": project_path, }
- Core helper function in SnykIntegration class that scans multiple packages for licenses using Snyk API, categorizes them as compliant/non-compliant based on predefined allowed/restricted lists, and generates compliance statistics.self, packages: List[Tuple[str, str]], ecosystem: str = "pypi" ) -> Dict[str, Any]: """Check license compliance for multiple packages""" compliance_results = { "total_packages": len(packages), "compliant_packages": 0, "non_compliant_packages": 0, "unknown_licenses": 0, "license_summary": {}, "compliance_details": [], } # Define license policies (configurable) allowed_licenses = { "MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC", "Unlicense", "WTFPL", } restricted_licenses = { "GPL-2.0", "GPL-3.0", "LGPL-2.1", "LGPL-3.0", "AGPL-3.0", "SSPL-1.0", } for package_name, version in packages: try: package_info = await self.scan_package(package_name, version, ecosystem) package_compliance = { "package": package_name, "version": version, "licenses": [license.name for license in package_info.licenses], "compliance_status": "unknown", "risk_level": "unknown", } if package_info.licenses: license_names = {license.name for license in package_info.licenses} if license_names.intersection(restricted_licenses): package_compliance["compliance_status"] = "non-compliant" package_compliance["risk_level"] = "high" compliance_results["non_compliant_packages"] += 1 elif license_names.intersection(allowed_licenses): package_compliance["compliance_status"] = "compliant" package_compliance["risk_level"] = "low" compliance_results["compliant_packages"] += 1 else: package_compliance["compliance_status"] = "review_required" package_compliance["risk_level"] = "medium" compliance_results["unknown_licenses"] += 1 else: compliance_results["unknown_licenses"] += 1 compliance_results["compliance_details"].append(package_compliance) # Update license summary for license in package_info.licenses: if license.name not in compliance_results["license_summary"]: compliance_results["license_summary"][license.name] = 0 compliance_results["license_summary"][license.name] += 1 except Exception as e: print(f"License check error for {package_name}: {e}", file=sys.stderr) return compliance_results
- Dataclass defining the structure for Snyk license information, used in license compliance checking.class SnykLicense: """License information from Snyk""" id: str name: str spdx_id: Optional[str] type: str # "copyleft", "permissive", "proprietary", etc. url: Optional[str] is_deprecated: bool instructions: str
- src/documentation_search_enhanced/main.py:1998-2009 (registration)Import statement registering the global snyk_integration instance used by the tool.async def snyk_license_check(project_path: str = ".", policy: str = "permissive"): """ Check license compliance for project dependencies using Snyk. Args: project_path: Path to the project directory policy: License policy to apply ("permissive", "copyleft-limited", "strict") Returns: License compliance report with risk assessment """ from .snyk_integration import snyk_integration