GitHub Adds License Compliance Checks Before Merge
GitHub has put open source license compliance into public preview, giving Enterprise Cloud teams ruleset-based checks that can block pull requests with noncompliant dependencies.
GitHub has launched open source license compliance in public preview. Confidence level: confirmed. The feature lets eligible Enterprise Cloud organizations define license policy and enforce it through branch rulesets before dependency changes merge.

Caption: GitHub Changelog image for the license compliance public preview. Source: GitHub.
What changed
GitHub Enterprise Cloud customers with GitHub Advanced Security Code Security licenses can now test open source license compliance. The preview adds an enterprise-wide license policy, repository targeting through rulesets, pull request annotations, and merge blocking when a dependency violates policy.
The feature extends dependency review. When a pull request changes package manifests, GitHub compares dependency changes, checks detected licenses against policy, and surfaces violations. Teams can resolve issues by replacing the dependency, amending the policy, or creating package exceptions.
Key takeaways
- License compliance is now a public preview for eligible GitHub Enterprise Cloud organizations.
- Enforcement runs through branch rulesets, including an active merge-blocking mode.
- GitHub evaluates direct and transitive dependency data from the dependency graph.
- A new enterprise role, Enterprise Open Source License Policy Manager, handles policy and exception work.
- The preview is useful for platform, legal, and security teams that want licensing checks inside pull requests.
| Workflow | What GitHub adds | Who should care | Caveat |
|---|---|---|---|
| Dependency review | License policy checks for changed dependencies | AppSec and platform teams | Requires eligible GitHub licensing |
| Branch rulesets | Merge blocking for noncompliant licenses | Engineering managers | Preview behavior can change |
| Exception review | Policy manager role and closure workflow | Legal and open source program offices | Needs a real approval process |
Availability and access
GitHub says the preview is available now for all GitHub Enterprise Cloud customers with GitHub Advanced Security Code Security licenses. The docs describe the feature as public preview and subject to change.
Teams need dependency data, rulesets, and a license policy before this becomes useful. Evaluate mode can annotate pull requests without blocking merges, while active mode can block pull requests until violations are resolved.
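To make the workflow in "What changed" and the evaluate-versus-active distinction above concrete, here is a small policy evaluator written for this post. It is an added illustration, not GitHub's code and not a reproduction of how the dependency graph or rulesets are implemented: the policy, the package names, the detected licenses, the dependency graph and the manifest contents are all constructed, and the rule that a package exception covers only the named package (not its transitive dependencies) is an assumption made for the example.

```python
"""Toy license-policy check over a dependency change, modelled loosely on the
dependency review plus ruleset workflow: diff the manifest, walk direct and
transitive dependencies, check detected licenses against policy, annotate,
and block only in active mode. Added illustration, not GitHub's implementation;
every value below is constructed."""

# Constructed enterprise policy: SPDX identifiers the policy allows, identifiers
# it denies, and package-level exceptions granted by the policy manager role.
POLICY = {
    "allowed": {"MIT", "Apache-2.0", "BSD-3-Clause", "ISC"},
    "denied": {"GPL-3.0-only", "AGPL-3.0-only", "SSPL-1.0"},
    "exceptions": {"legacy-report-tool": "OSPO-123 (constructed ticket id)"},
}

# Constructed stand-in for dependency graph data: each package's detected
# license (None = not detected) and its own direct dependencies, so transitive
# dependencies can be walked.
GRAPH = {
    "web-framework":      {"license": "MIT",           "deps": ["template-engine", "http-parser"]},
    "template-engine":    {"license": "BSD-3-Clause",  "deps": []},
    "http-parser":        {"license": "Apache-2.0",    "deps": []},
    "legacy-report-tool": {"license": "GPL-3.0-only",  "deps": ["pdf-kit"]},
    "pdf-kit":            {"license": "AGPL-3.0-only", "deps": []},
    "fast-json":          {"license": None,            "deps": []},
    "old-lib":            {"license": "MIT",           "deps": []},
}

# Constructed requirements.txt contents for the base branch and the PR head.
BASE_MANIFEST = "web-framework==2.0\nold-lib==1.0\n"
HEAD_MANIFEST = (
    "web-framework==2.1\n"          # version bump: re-checked
    "old-lib==1.0\n"                # unchanged: not part of the review
    "legacy-report-tool==0.9\n"     # new, denied license but has an exception
    "fast-json==3.1\n"              # new, license not detected
)


def parse_requirements(text):
    """Parse 'name==version' lines into a dict; comments and blank lines are skipped."""
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        deps[name.strip().lower()] = version.strip()
    return deps


def changed_dependencies(base, head):
    """Direct dependencies that are new or bumped in the PR; removals cannot violate."""
    return [name for name, version in head.items() if base.get(name) != version]


def transitive_closure(names, graph):
    """Depth-first walk of the graph; unknown packages are kept so they get flagged."""
    seen, stack = [], list(names)
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.append(name)
        stack.extend(graph.get(name, {}).get("deps", []))
    return seen


def evaluate(base_text, head_text, policy=POLICY, graph=GRAPH, mode="evaluate"):
    """Return (annotations, blocked).

    annotations maps package -> (detected license, verdict). In 'evaluate' mode
    violations are only annotated; in 'active' mode any unresolved violation
    blocks the merge. Assumption for this toy: an exception covers the named
    package only, so its transitive dependencies are still checked.
    """
    direct = changed_dependencies(parse_requirements(base_text),
                                  parse_requirements(head_text))
    annotations, violations = {}, 0
    for pkg in transitive_closure(direct, graph):
        license_id = graph.get(pkg, {}).get("license")
        if pkg in policy["exceptions"]:
            verdict = f"exception: {policy['exceptions'][pkg]}"
        elif license_id is None:
            verdict = "violation: license not detected"
        elif license_id in policy["denied"]:
            verdict = "violation: denied license"
        elif license_id not in policy["allowed"]:
            verdict = "violation: license not on allowlist"
        else:
            verdict = "ok"
        violations += verdict.startswith("violation")
        annotations[pkg] = (license_id, verdict)
    blocked = mode == "active" and violations > 0
    return annotations, blocked


if __name__ == "__main__":
    for mode in ("evaluate", "active"):
        result, blocked = evaluate(BASE_MANIFEST, HEAD_MANIFEST, mode=mode)
        print(f"mode={mode} blocked={blocked}")
        for pkg, (license_id, verdict) in sorted(result.items()):
            print(f"  {pkg:<20} {str(license_id):<14} {verdict}")
```

Running it shows the point of starting in evaluate mode: the same pull request produces the same annotations in both modes, but only active mode turns them into a blocked merge. It also shows why the exception workflow needs real review: the exception on `legacy-report-tool` does not quiet the AGPL finding on its transitive dependency `pdf-kit`, so a reviewer has to decide whether that package is covered too.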
Practical LinkLoot angle
This is a governance feature with direct developer-workflow impact. Instead of reviewing open source licenses after a release audit, teams can move the first check into the pull request where dependency changes happen.
The practical setup path is simple: start in evaluate mode on a representative set of repositories, review false positives and exception volume, then switch high-risk production repos to active blocking. If your team also uses AI coding tools, pair this with a dependency-review checklist from LinkLoot's agent tools hub: /guides/ai-agent-tools.
What to verify before you act
- Confirm your organization has GitHub Enterprise Cloud and GitHub Advanced Security Code Security.
- Check whether dependency graph data covers the ecosystems you rely on.
- Decide who owns the Enterprise Open Source License Policy Manager role.
- Start with evaluate mode before blocking merges in critical repositories.
- Review exception policy with legal or open source program owners before rollout.
Source check
Confirmed by: GitHub's June 30 changelog announces the public preview, ruleset enforcement, policy manager role, and eligibility. GitHub Docs corroborate the workflow, scope, pull request behavior, and preview status.
Early signal / context: No community-only signal was needed for this post. The claim is based on GitHub-owned changelog and documentation.
In short: it is a public preview feature that checks dependency licenses against an enterprise policy before dependency changes merge.
