View licenses for container images, SBOM documents, filesystems, and apply rules that help you build a license compliance report.
$ grant check redis:latest$ grant check alpine.spdx.json$ syft -o spdx-json alpine:latest | grant check node:latestcurl -sSfL https://get.anchore.io/grant | sudo sh -s -- -b /usr/local/bin... or, you can specify a release version and destination directory for the installation:
curl -sSfL https://get.anchore.io/grant | sudo sh -s -- -b <DESTINATION_DIR> <RELEASE_VERSION>
Grant can be used with any container image, sbom document, or directory to scan for licenses and check those classifierResults against a set of rules provided by the user.
Rules take the form of a pattern to match the license against, a name to identify the rule, a mode to either allow, deny, or ignore the license, a reason for the rule, and a list of packages that are exceptions to the rule.
pattern: "*gpl*"
name: "deny-gpl"
mode: "deny"
reason: "GPL licenses are not allowed"
exceptions:
- "alpine-base-layout" # We don't link against this package so we don't care about its license
Matching Rules:
- Denying licenses take precedence over allowing licenses
- License patterns are matched on a case-insensitive basis.
- If a license is has rules for both modes it is denied
Supplied patterns follow a standard globbing syntax:
pattern:
{ term }
term:
`*` matches any sequence of non-separator characters
`**` matches any sequence of characters
`?` matches any single non-separator character
`[` [ `!` ] { character-range } `]`
character class (must be non-empty)
`{` pattern-list `}`
pattern alternatives
c matches character c (c != `*`, `**`, `?`, `\`, `[`, `{`, `}`)
`\` c matches character c
character-range:
c matches character c (c != `\\`, `-`, `]`)
`\` c matches character c
lo `-` hi matches character c for lo <= c <= hi
pattern-list:
pattern { `,` pattern }
comma-separated (without spaces) patterns
By default grant is configured to deny all licenses out of the box.
Grant can be used to deny specific licenses while allowing all others.
It can also be used to allow specific licenses, denying all others.
#.grant.yaml
config: ".grant.yaml"
format: table # table, json
show-packages: false # show the packages which contain the licenses --show-packages
non-spdx: false # list only licenses that could not be matched to an SPDX identifier --non-spdx
osi-approved: false # highlight licenses that are not OSI approved --osi-approved
disable-file-search: false # skip grant's license file search (e.g., LICENSE, COPYING files not associated with packages) --disable-file-search
rules:
- pattern: "*gpl*"
name: "deny-gpl"
mode: "deny"
reason: "GPL licenses are not allowed per xxx-xx company policy"
exceptions:
- "alpine-base-layout" # We don't link against this package so we don't care about its licenseIn this example, all licenses are denied except BSD and MIT:
#.grant.yaml
rules:
- pattern: "BSD-*"
name: "bsd-allow"
mode: "allow"
reason: "BSD is compatible with our project"
exceptions:
# Packages to disallow even if they are licensed under BSD.
- my-package
- pattern: "MIT"
name: "mit-allow"
mode: "allow"
reason: "MIT is compatible with our project"
# Reject the rest.
- pattern: "*"
name: "default-deny-all"
mode: "deny"
reason: "All licenses need to be explicitly allowed"By default, Grant performs two types of license detection:
- SBOM-based detection: Analyzes package manifests and metadata to identify licenses associated with specific packages
- File-based detection: Searches the filesystem for standalone license files (LICENSE, COPYING, etc.) that may not be associated with any specific package
The --disable-file-search option allows you to skip the second type of detection while still performing SBOM generation and package-based license detection. This can be useful when:
- You only want licenses that are directly associated with packages
- You need faster scanning by avoiding filesystem traversal for license files
Note: SBOM generation includes its own file analysis process which will still run regardless of the --disable-file-search setting.