License Compliance

Open-source licenses, before legal escalates.

Every dependency: direct, transitive, and those declared with complex SPDX expressions. Categorised Permissive / Weak Copyleft / Strong Copyleft / Unknown. Override the rules to match your legal posture, ignore internal packages, ship without surprises.

Book a 20-min demo
What ships

Six features that turn the license dashboard into a legal-ready report.

Automatic SPDX extraction, expression-aware risk evaluation, organisation overrides, manual assignment for unknowns, per-package ignore and ecosystem filters. Everything legal needs, sitting next to the SCA findings.

Automatic SPDX extraction on every SCA scan

Licenses are pulled from package metadata at scan time. No extra job to schedule, no separate tool to install. Direct dependencies, transitive dependencies and dev dependencies all carry their detected SPDX identifier into the dashboard.

Four risk categories, 100+ licenses pre-classified

Permissive (MIT, Apache-2.0, BSD-2-Clause, ISC), Weak Copyleft (LGPL-2.1, MPL-2.0, EPL-2.0), Strong Copyleft (GPL-3.0, AGPL-3.0, SSPL-1.0), or Unknown when the manifest is silent. Built-in defaults that legal teams already recognise.

SPDX expression parser. OR, AND, WITH

MIT OR GPL-3.0-only resolves to the least restrictive option (Permissive). MIT AND GPL-3.0-only resolves to the most restrictive option (Strong Copyleft). GPL-2.0-only WITH Classpath-exception-2.0 evaluates the base license with the exception applied, rather than as bare GPL-2.0-only.

Organisation-level overrides

If your legal team treats LGPL-2.1 as Permissive, override it once at the organisation level and every project inherits the new classification immediately. Reset to defaults whenever the policy changes.

Manual assignment for Unknown licenses

When the manifest doesn't declare a license, the package lands in the Unknown bucket. Pick the correct SPDX identifier from the dropdown and the package re-categorises automatically.

Ignore internal or test-only packages

Toggle the ignore flag on any package: internal monorepo modules, test fixtures, dev-only tooling. They vanish from the license summary while staying visible in the detail view.

Why platform teams pick CybeDefend for license compliance

Risk you can defend in front of legal.

Three reasons engineering, security and legal end up on the same dashboard instead of three different spreadsheets.

Aligned with your legal posture

Every SPDX identifier maps to a category your team owns. Override defaults, add custom proprietary licenses, reset whenever policy changes, all without leaving the platform.

No extra job to run

License extraction shares the manifest parse step that the SCA scan already performs. Same trigger, same scan window, no second pipeline to maintain.

Filterable for every audience

Engineering filters by branch and ecosystem to focus on what they own. Legal filters by risk to review GPL or AGPL exposure. Both work from the same source of truth.

License compliance · 14 ecosystems

From npm to NuGet, Hex to Conan.

License extraction runs on every SCA scan across npm / Yarn / pnpm / Bun / Deno, pip / Poetry / Pipenv, Maven / Gradle, Go modules, NuGet, Composer, Cargo, CocoaPods / Swift PM, Pub, Hex, RubyGems, Conan, Clojars and GitHub Actions.

Browse all integrations

License Compliance · FAQ

What teams ask before turning it on.

How is the risk level for each license decided?

Every SPDX identifier maps to one of four categories (Permissive, Weak Copyleft, Strong Copyleft or Unknown), based on a built-in classification covering 100+ licenses. Organisations can override any classification to match their legal policy; overrides apply immediately to every project in the org.

What happens when a package has no detected license?

The package lands in the Unknown bucket. From the license summary you can open the package and assign the correct SPDX identifier manually; the package then re-categorises and feeds the right counters in the summary. Unknown licenses are surfaced first in the dashboard so they don't quietly accumulate.

Does license detection slow the SCA scan?

No. License extraction reuses the manifest parse step the SCA scan already performs. There's no separate job, no second pipeline, no added scan window. License data appears in the same dashboard alongside vulnerability findings.

Can we add custom proprietary licenses?

Yes. The organisation-level configuration accepts custom entries with a chosen classification (Permissive, Weak Copyleft, Strong Copyleft or Unknown). Useful for in-house licenses or vendor agreements that aren't part of SPDX but still need to be tracked alongside open-source licenses.

How are complex SPDX expressions evaluated?

OR picks the least restrictive option (`MIT OR GPL-3.0-only` → Permissive, effective risk None). AND picks the most restrictive option (`MIT AND GPL-3.0-only` → Strong Copyleft, effective risk High). WITH evaluates the base license with the exception applied (`GPL-2.0-only WITH Classpath-exception-2.0` → GPL-2.0-only with the Classpath exception, not bare GPL-2.0-only). The dashboard shows both the raw expression and the resolved category.
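The evaluation rules above (and in the "SPDX expression parser" feature earlier on this page) are simple to state but easy to get wrong once parentheses, Unknown operands and overrides enter the picture. The following Python evaluator is an added illustration, not CybeDefend's code: it parses an SPDX expression with SPDX precedence (WITH binds tightest, then AND, then OR), resolves OR to the least restrictive operand and AND to the most restrictive, looks up a "base WITH exception" pair as its own entry before falling back to the base license, and lets organisation-level overrides replace the built-in defaults. The classification table, the ranking of Unknown as most restrictive, the Weak Copyleft entry for the Classpath pair, and the package record shape used by `license_summary` are all assumptions made for the example.

```python
"""Minimal SPDX license-expression evaluator illustrating the rules described on this
page: OR picks the least restrictive operand, AND the most restrictive, WITH applies an
exception to its base license, and organisation-level overrides replace built-in
defaults. Added example, not CybeDefend's own code."""
import re

PERMISSIVE, WEAK, STRONG, UNKNOWN = "Permissive", "Weak Copyleft", "Strong Copyleft", "Unknown"
# Restrictiveness ranking (assumption): Unknown ranks highest so an undeclared license can
# never lower the result of an AND expression; in an OR expression it loses to any known option.
RANK = {PERMISSIVE: 0, WEAK: 1, STRONG: 2, UNKNOWN: 3}

# Constructed subset of a built-in classification, using the identifiers the page lists.
DEFAULTS = {
    "MIT": PERMISSIVE, "Apache-2.0": PERMISSIVE, "BSD-2-Clause": PERMISSIVE, "ISC": PERMISSIVE,
    "LGPL-2.1-only": WEAK, "MPL-2.0": WEAK, "EPL-2.0": WEAK,
    "GPL-2.0-only": STRONG, "GPL-3.0-only": STRONG, "AGPL-3.0-only": STRONG, "SSPL-1.0": STRONG,
    # Assumption: a "base WITH exception" pair may carry its own classification; when the
    # table has no entry for the pair, the evaluator falls back to the base license.
    "GPL-2.0-only WITH Classpath-exception-2.0": WEAK,
}

_TOKEN = re.compile(r"\(|\)|[A-Za-z0-9.+-]+")
_OPERATORS = ("AND", "OR", "WITH")


def tokenize(expr):
    """Split an SPDX expression into parentheses, operators and license identifiers."""
    pos, tokens = 0, []
    while pos < len(expr):
        if expr[pos].isspace():
            pos += 1
            continue
        m = _TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"bad character at offset {pos} in {expr!r}")
        tokens.append(m.group(0))
        pos = m.end()
    return tokens


class LicenseEvaluator:
    """Recursive-descent parser: OR binds loosest, then AND, then WITH (SPDX precedence)."""

    def __init__(self, overrides=None):
        # Organisation-level overrides win over the built-in defaults.
        self.table = {**DEFAULTS, **(overrides or {})}

    def classify(self, expr):
        if not expr or not expr.strip():
            return UNKNOWN                      # manifest is silent
        self._tokens, self._pos = tokenize(expr), 0
        category = self._parse_or()
        if self._pos != len(self._tokens):     # malformed input is an error, never a guess
            raise ValueError(f"unexpected token {self._tokens[self._pos]!r} in {expr!r}")
        return category

    def _peek(self):
        return self._tokens[self._pos] if self._pos < len(self._tokens) else None

    def _take(self):
        tok = self._peek()
        self._pos += 1
        return tok

    def _parse_or(self):
        category = self._parse_and()
        while self._peek() == "OR":             # least restrictive operand wins
            self._take()
            category = min(category, self._parse_and(), key=RANK.__getitem__)
        return category

    def _parse_and(self):
        category = self._parse_with()
        while self._peek() == "AND":            # most restrictive operand wins
            self._take()
            category = max(category, self._parse_with(), key=RANK.__getitem__)
        return category

    def _parse_with(self):
        tok = self._take()
        if tok == "(":
            category = self._parse_or()
            if self._take() != ")":
                raise ValueError("missing ')'")
            return category
        if tok is None or tok == ")" or tok in _OPERATORS:
            raise ValueError(f"expected license identifier, got {tok!r}")
        if self._peek() == "WITH":
            self._take()
            exception = self._take()
            if exception is None or exception in _OPERATORS or exception in ("(", ")"):
                raise ValueError("WITH must be followed by an exception identifier")
            # Apply the exception: the pair's own classification if known, else the base's.
            return self.table.get(f"{tok} WITH {exception}", self.table.get(tok, UNKNOWN))
        return self.table.get(tok, UNKNOWN)


def license_summary(packages, evaluator):
    """Count packages per category, skipping ignored ones and honouring manual assignments.
    Each package is a dict with keys name, declared (from the manifest), optional assigned
    (manual fix-up for Unknown) and optional ignored; this shape is an assumption."""
    counts = {cat: 0 for cat in RANK}
    for pkg in packages:
        if pkg.get("ignored"):
            continue
        counts[evaluator.classify(pkg.get("assigned") or pkg.get("declared"))] += 1
    return counts
```

Two design points carry over to any real implementation: a malformed expression (`MIT AND`, an unbalanced parenthesis) raises instead of silently resolving to some category, and an operand the table does not know resolves to Unknown, which an AND expression then inherits, so an undeclared transitive license cannot be laundered by a permissive sibling.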

Get started

Install free in your IDE. First scan in 5 minutes.

No credit card. No setup call. Pick your agent, paste the command, and Cybe enforces your rules from the very next prompt.

claude mcp add cybedefend --transport http https://mcp-eu.cybedefend.com/mcp

Hosted MCP, no install. Just register the URL with your agent.

Book a 20-min demo