# License Compliance

> Per-package license visibility — SPDX licenses grouped by obligation for compliance review

For every package in your inventory, ZeroPath normalizes the manifest-declared
license terms, supplements them with external license metadata, and records a
normalized SPDX license string. When a package declares more than one license,
they are combined into a single string. The result is one consistent license
dataset shared by the scanners, the UI, and your [SBOM exports](/sca/sbom-exports),
so a compliance review starts from the same data the analysis saw.

## How licenses are classified

Each license is sorted into an obligation-based category by keyword matching on the
recorded license name:

| Category             | What it means                                                                                            |
| -------------------- | -------------------------------------------------------------------------------------------------------- |
| **Permissive**       | MIT/BSD/Apache-style — attribution/notice retention; minimal obligations.                                |
| **Weak copyleft**    | LGPL/MPL-style — file- or library-level reciprocity.                                                     |
| **Strong copyleft**  | GPL-style — source-disclosure obligations on derived works.                                              |
| **Network copyleft** | AGPL/Affero-style — obligations triggered by network use.                                                |
| **Unknown**          | License couldn't be determined, didn't match a known pattern, or enrichment was temporarily unavailable. |

Those categories roll up into a **risk** signal you can filter by:

* **Low** — permissive licenses; typically just attribution.
* **Review** — weak-copyleft obligations (LGPL/MPL-style) to review before
  release.
* **Restrictive** — the strongest obligations: strong and network copyleft
  (GPL/AGPL-style).
* **Unverified** — license is unknown and should be clarified.

<Info>
  This classification is **informational**, not legal advice. It is derived from the
  license name to help you find and review obligations, so compound or non-standard
  strings may classify imprecisely; confirm those against the package's actual
  terms. ZeroPath does not block a build or fail a scan on license grounds.
</Info>
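As an added illustration (not ZeroPath's own code or its keyword table), the following Python shows how an obligation-based classification and risk roll-up of this kind can be applied to normalized SPDX strings, including the compound `OR`/`AND` expressions the note above says may classify imprecisely. The keyword rules, the rank ordering and the sample inventory are assumptions constructed for this example.

```python
import re
# Constructed keyword rules (illustration only, not ZeroPath's internal table);
# most specific patterns first so "AGPL" and "LGPL" are not read as plain "GPL".
CATEGORY_RULES = [
    ("Network copyleft", re.compile(r"\b(AGPL|Affero)", re.I)),
    ("Weak copyleft", re.compile(r"\b(LGPL|MPL)", re.I)),
    ("Strong copyleft", re.compile(r"\bGPL", re.I)),
    ("Permissive", re.compile(r"\b(MIT|BSD|Apache|ISC)", re.I)),
]
# Obligation strength for combining terms; Unknown ranks highest so an unresolved
# term inside an AND expression is never silently downgraded.
RANK = {"Permissive": 0, "Weak copyleft": 1, "Strong copyleft": 2,
        "Network copyleft": 3, "Unknown": 4}
RISK = {"Permissive": "Low", "Weak copyleft": "Review", "Strong copyleft":
        "Restrictive", "Network copyleft": "Restrictive", "Unknown": "Unverified"}

def classify_license(license_id: str) -> str:
    """Category of one SPDX identifier; a trailing WITH exception is ignored."""
    name = license_id.strip().split(" WITH ")[0]
    for category, pattern in CATEGORY_RULES:
        if pattern.search(name):
            return category
    return "Unknown"

def classify_expression(expr: str) -> str:
    """Category of a flat SPDX expression such as 'MIT OR GPL-3.0-only'. OR lets
    the consumer pick one term (weakest obligation applies); AND applies every
    term (strongest applies). Parenthesised expressions fall back to Unknown."""
    if not expr.strip() or "(" in expr or ")" in expr:
        return "Unknown"
    options = []
    for option in re.split(r"\s+OR\s+", expr.strip()):
        terms = [classify_license(t) for t in re.split(r"\s+AND\s+", option)]
        options.append(max(terms, key=RANK.get))
    return min(options, key=RANK.get)

def summarize_inventory(inventory: dict) -> dict:
    """Group package names by risk, like the summary tiles on the licenses view."""
    summary = {}
    for package, expr in inventory.items():
        summary.setdefault(RISK[classify_expression(expr)], []).append(package)
    return summary
# Constructed sample inventory: package name -> normalized SPDX license string.
SAMPLE = {
    "dual-lib": "MIT OR GPL-3.0-only",         # dual-licensed: MIT may be chosen
    "bundle": "Apache-2.0 AND LGPL-2.1-only",  # both apply: LGPL obligations win
    "db-driver": "SSPL-1.0",                   # no keyword rule -> Unverified
    "svc-lib": "AGPL-3.0-or-later",
}
```

A flat keyword match over the whole string would put `MIT OR GPL-3.0-only` under strong copyleft, which is the kind of imprecision on compound strings the note above describes; splitting on the SPDX operators first keeps the dual-licensed package at Low while still escalating anything unresolved to Unverified.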

## Working with licenses

On the Supply Chain page, the licenses view summarizes your exposure by category,
with at-a-glance tiles for permissive packages, copyleft packages to review, and
unverified packages to confirm. It lists each license with the packages and
repositories it appears in.

* **Filter by risk** to focus on the obligations that matter to your policy.
* **Search any license identifier**, for example `GPL-3.0-only` or `SSPL`, to
  highlight the affected packages and the applications that use them.
* **Scope by repository**, and optionally include or exclude ephemeral CLI scans.

<Tip>
  License data is captured per package in the inventory, so it also flows into
  [SBOM exports](/sca/sbom-exports): SPDX documents carry per-package license
  declarations, and CycloneDX components include license information for downstream
  legal tooling.
</Tip>
