A data science team is creating a container image for a predictive-analytics service that will be offered under a proprietary license. Corporate policy forbids distribution of any image that contains a direct or transitive dependency released under the GNU GPL or other strong-copyleft licenses. The team wants to block non-compliant images automatically before they are pushed to the internal registry, while adding as little manual work as possible to the continuous-integration (CI) pipeline.
Which approach best meets these dependency-licensing requirements?
Run pip freeze after the image is built, store the output as a build artifact, and ask the compliance team to review the file once a quarter.
Generate an SBOM during each build with Syft or Trivy and have an Open Policy Agent rule fail the pipeline whenever a prohibited license is detected.
Pin every third-party package version in a requirements.txt file and commit it to version control to keep a reproducible inventory of licenses.
Replace any GPL-licensed dependencies with internal forks released under a permissive license and document the change in the project's README.
The most effective way to enforce license policy with minimal manual effort is to automate it in the CI pipeline. Generating a Software Bill of Materials (SBOM) with a tool such as Syft or Trivy and evaluating that SBOM with policy-as-code (for example, an Open Policy Agent rule) allows the build to fail immediately whenever a prohibited GPL or similar license appears, regardless of whether the package is a direct or transitive dependency.
Simply pinning versions in a requirements.txt file helps with reproducibility but does not check license metadata. Keeping a frozen list for quarterly manual review still allows non-compliant code to ship between reviews. Forking and relicensing troublesome packages requires ongoing manual maintenance and does not provide an automated gate for future dependencies. Therefore, integrating SBOM generation and automated license scanning in the CI pipeline is the only option that continuously enforces the organization's licensing policy.
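To make the SBOM-plus-policy gate concrete, here is an added example (not code from the page, nor from Syft, Trivy or OPA) written in Python as a stand-in for the Open Policy Agent rule: it reads a CycloneDX JSON SBOM of the kind `syft <image> -o cyclonedx-json` writes, checks every component's license (direct or transitive, since the SBOM lists both) against a deny list, and returns a non-zero exit status so the CI job fails. The deny list (GPL and AGPL families prohibited, LGPL allowed as weak copyleft), the fail-closed handling of components with no license metadata, the simplified SPDX expression handling and the embedded sample SBOM with fictitious package names are all assumptions made for this example.

```python
"""CI gate: fail the build when an SBOM lists a strong-copyleft dependency.

Added example, not the page's own code: a Python stand-in for the OPA rule
described above. Reads a CycloneDX JSON SBOM (as produced by Syft or Trivy)
and exits non-zero when any component carries a GPL/AGPL license.
"""
from __future__ import annotations

import json
import re
import sys

# Deny list is an assumption: GPL and AGPL families count as strong copyleft;
# LGPL is weak copyleft and is deliberately allowed. The lookbehind keeps the
# token "GPL" from matching inside "LGPL".
_GPL_TOKEN = re.compile(r"(?<!L)GPL")


def is_denied(license_text: str) -> bool:
    """True if a single SPDX id or free-text license name is strong copyleft."""
    t = license_text.upper()
    if "AGPL" in t or "AFFERO" in t:
        return True
    # Python packages often carry free-text names, not SPDX ids.
    if "GENERAL PUBLIC LICENSE" in t and "LESSER" not in t:
        return True
    return _GPL_TOKEN.search(t) is not None


def expression_denied(expression: str) -> bool:
    """Evaluate an SPDX expression (simplified: parentheses are not handled).

    'A OR B' is a choice, so it is denied only when every alternative is;
    'A AND B' requires both, so it is denied when either part is.
    """
    alternatives = re.split(r"\s+OR\s+", expression, flags=re.IGNORECASE)
    return all(
        any(is_denied(part) for part in re.split(r"\s+AND\s+", alt, flags=re.IGNORECASE))
        for alt in alternatives
    )


def component_licenses(component: dict) -> list[str]:
    """Collect license strings from a CycloneDX component (id, name or expression)."""
    found = []
    for entry in component.get("licenses", []):
        if "expression" in entry:
            found.append(entry["expression"])
        elif "license" in entry:
            lic = entry["license"]
            found.append(lic.get("id") or lic.get("name") or "")
    return [f for f in found if f]


def evaluate(sbom: dict) -> list[tuple[str, str, str]]:
    """Return (name, version, license) for every component that violates policy."""
    violations = []
    for comp in sbom.get("components", []):
        name, version = comp.get("name", "?"), comp.get("version", "?")
        licenses = component_licenses(comp)
        if not licenses:
            # Fail closed: a package with no license metadata cannot be cleared.
            violations.append((name, version, "UNKNOWN"))
            continue
        for lic in licenses:
            if expression_denied(lic):
                violations.append((name, version, lic))
    return violations


# Constructed sample SBOM (CycloneDX 1.4 JSON) with fictitious package names;
# a real run reads the file Syft or Trivy wrote during the image build.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"name": "example-direct-lib", "version": "2.1.0",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"name": "example-transitive-lib", "version": "0.9.3",
         "licenses": [{"license": {"name": "GNU GPL v3"}}]},
        {"name": "example-lgpl-lib", "version": "1.4.2",
         "licenses": [{"license": {"id": "LGPL-2.1-or-later"}}]},
        {"name": "example-dual-lib", "version": "3.0.0",
         "licenses": [{"expression": "MIT OR GPL-2.0-only"}]},
        {"name": "example-agpl-lib", "version": "5.2.1",
         "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},
        {"name": "example-nolicense-lib", "version": "0.0.1"},
    ],
}


def main(argv: list[str]) -> int:
    """Usage: python sbom_gate.py [sbom.cdx.json]; exit status 1 fails the CI job."""
    sbom = json.load(open(argv[1])) if len(argv) > 1 else SAMPLE_SBOM
    violations = evaluate(sbom)
    for name, version, lic in violations:
        print(f"DENY {name}=={version}: {lic}")
    if violations:
        print(f"{len(violations)} license policy violation(s); failing the build.")
        return 1
    print("SBOM license policy: pass")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In the pipeline this runs as the step after SBOM generation and before the registry push, so the exit status is what blocks a non-compliant image. An equivalent Rego rule would iterate `input.components` and their `licenses` in the same way; the part that needs care in either form is normalisation, because Python package metadata frequently carries free-text license names ("GNU GPL v3") rather than SPDX identifiers, and a check that only matches exact ids would miss them.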