License Compliance Scan
license_compliance_scan

Evaluate package licenses against an SPDX compliance policy. Classifies each license as allowed, warn, or blocked to enforce license compliance on dependencies.
Instructions
Evaluate package licenses against an SPDX compliance policy.

Takes packages (either a prior `scan` result JSON or an explicit array of `{name, version, ecosystem, license}` objects) and classifies each license as allowed, warn, or blocked. Normalizes 2,500+ SPDX IDs (including deprecated identifiers) and flags network-copyleft licenses (AGPL/SSPL/BUSL and similar).

Args:
    scan_json: JSON of a previous scan result, or a JSON array of package objects with license metadata.
    policy_json: Optional JSON policy with `license_block` / `license_warn` glob lists. Falls back to the built-in policy (block strong/network copyleft, warn weak copyleft) when empty.

Returns:
    JSON with per-package license verdicts, the matched policy rule, and counts of blocked / warned / allowed packages.

Call this in release or procurement gates to enforce license policy on an agent's dependency set without running a full scan.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| scan_json | Yes | JSON string of a previous scan result (from the 'scan' tool) containing agents with packages. Or a JSON array of {"name": "pkg", "version": "1.0", "ecosystem": "npm", "license": "MIT"} objects. | |
| policy_json | No | Optional JSON policy: {"license_block": ["GPL-*"], "license_warn": ["LGPL-*"]}. Uses default policy (block GPL/AGPL/SSPL/BUSL/EUPL/OSL, warn LGPL/MPL/EPL/CDDL) if empty. | |
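A reference implementation of the classification the tool performs, written as an added example for this page (it is not the tool's own code). It assumes glob rules are matched with `fnmatch` semantics, that block rules take precedence over warn rules, that a scan result has the shape `{"agents": [{"packages": [...]}]}`, and it carries only a constructed handful of the deprecated-SPDX mappings; the missing-license handling and the default glob lists are likewise assumptions.

```python
import fnmatch
import json
# Constructed subset of deprecated SPDX IDs; the real tool normalizes 2,500+ identifiers.
DEPRECATED_SPDX = {
    "GPL-2.0": "GPL-2.0-only", "GPL-2.0+": "GPL-2.0-or-later", "GPL-3.0": "GPL-3.0-only",
    "GPL-3.0+": "GPL-3.0-or-later", "LGPL-2.1": "LGPL-2.1-only", "AGPL-3.0": "AGPL-3.0-only",
}
# Assumed glob form of the built-in policy described on the page.
DEFAULT_POLICY = {
    "license_block": ["GPL-*", "AGPL-*", "SSPL-*", "BUSL-*", "EUPL-*", "OSL-*"],
    "license_warn": ["LGPL-*", "MPL-*", "EPL-*", "CDDL-*"],
}

def normalize_license(license_id):
    # Map a deprecated identifier to its current SPDX form; unknown IDs pass through unchanged.
    lid = (license_id or "").strip()
    return DEPRECATED_SPDX.get(lid, lid)

def classify_license(license_id, policy):
    # Return (verdict, matched_rule); block rules are checked before warn rules.
    lid = normalize_license(license_id)
    if not lid:  # assumption: missing license metadata is surfaced, not silently allowed
        return "warn", "missing-license"
    for verdict, key in (("blocked", "license_block"), ("warn", "license_warn")):
        for rule in policy.get(key, []):
            if fnmatch.fnmatchcase(lid, rule):
                return verdict, rule
    return "allowed", None

def license_compliance_scan(scan_json, policy_json=""):
    data = json.loads(scan_json)
    # Assumed scan-result shape: {"agents": [{"packages": [...]}, ...]}; bare arrays pass as-is.
    packages = data if isinstance(data, list) else [
        p for agent in data.get("agents", []) for p in agent.get("packages", [])]
    policy = json.loads(policy_json) if policy_json else DEFAULT_POLICY
    verdicts, counts = [], {"blocked": 0, "warned": 0, "allowed": 0}
    for pkg in packages:
        verdict, rule = classify_license(pkg.get("license"), policy)
        counts["warned" if verdict == "warn" else verdict] += 1
        verdicts.append({"name": pkg.get("name"), "version": pkg.get("version"),
                         "license": normalize_license(pkg.get("license")),
                         "verdict": verdict, "matched_rule": rule})
    return {"packages": verdicts, "counts": counts}
# Constructed sample: a permissive, a deprecated strong-copyleft, a network-copyleft and a weak-copyleft ID.
SAMPLE_SCAN = json.dumps([
    {"name": "left-pad", "version": "1.3.0", "ecosystem": "npm", "license": "MIT"},
    {"name": "readline", "version": "8.2", "ecosystem": "pypi", "license": "GPL-3.0+"},
    {"name": "mongodb", "version": "6.0.0", "ecosystem": "npm", "license": "SSPL-1.0"},
    {"name": "glib", "version": "2.78", "ecosystem": "pypi", "license": "LGPL-2.1"},
])
```

Running `license_compliance_scan(SAMPLE_SCAN)` yields two blocked packages (the deprecated `GPL-3.0+` is normalized to `GPL-3.0-or-later` before matching `GPL-*`), one warned and one allowed.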
Output Schema
| Name | Required | Description | Default |
|---|---|---|---|
| result | Yes | | |