Set library policy


License policy is available to Contrast SCA customers only. Contact your Organization Administrator to enable SCA.

Contrast can flag libraries that don't meet your organization's criteria to ensure your applications are secure.

If a library is restricted, or the version of it used in an application is below a specific version, Contrast marks it as a policy violation. You can also tell Contrast to automatically grade any library that violates the policy with the letter "F" to flag it in the Contrast interface. (Administrators are notified of violations both in the product and by email.)


Library versions include any major, minor, and patch versions.

To set a library policy:

  1. In the user menu, select Policy Management > Library Policy.

  2. Check the box to Restrict libraries and choose which libraries you want to exclude from your portfolio. You can select multiple.

  3. Check the box to Enable version requirements and choose one or multiple libraries that must be within your given number of versions.

  4. Click the Add another requirement link to create version requirements for additional library groupings.

  5. Check the Restrict licenses box to set a policy on open-source licenses that you want to restrict. If an open-source license is restricted, then any libraries that use the restricted license will be marked as a policy violation.

    The license policy lists open-source licenses in SPDX format, listed by short identifier and followed by the full name. Any license type that you want to restrict must be selected. Contrast includes any ‘or later’ licenses it identifies in your portfolio. For example, if you restrict by GPL-3.0-only, any licenses that are GPL-3.0-or-later will be included in that restriction.

  6. Check the box next to Fail libraries in violation of policy to automatically assign a failing score to any library that violates a set policy.

    If a library fails to comply with a set policy, the name, a warning icon, and the library score are highlighted in red on the Libraries page. Hover over the icon or go to the library's Overview page for more information about the violation.

    If you choose to automatically fail libraries, Organization Administrators will be notified when adjusting score settings.