miwordpress.

Run WordPress faster, safer, and smarter.

News

GitHub Launches License Compliance Tool to Block Non-Compliant Code

If your agency ships custom WordPress builds with a handful of paid plugins plus a few Composer dependencies tucked into mu-plugins, this GitHub change is going to land in your pull requests sooner than you think.

GitHub Launches License Compliance Tool to Block Non-Compliant Code

How the scanning actually behaves

When a developer opens or updates a pull request that adds or changes dependencies, the tool evaluates both direct packages and their indirect (transitive) dependencies against your organization's compliance policy. If it finds an unusual, missing, or explicitly disallowed licence, it places an alert annotation directly on the pull request item, mapping the exact path through the dependency tree so the reviewer can see where the risk originates.

Administrators can flip between two enforcement modes through specific repository properties. In Evaluate mode, the tool generates annotations for awareness without blocking merges, which lets your team grow comfortable with the new ruleset first. Switch to Active mode and merges will not proceed until the flagged dependency is removed, replaced, or formally exempted. This is the toggle you want to coordinate carefully, particularly during release windows.

A new role, the Enterprise Open Source License Policy Manager, owns the exception workflow. When a developer believes a flagged package is genuinely needed, they submit an official exception request that routes to this person, who can then grant exemptions using organization-wide rules, repository-specific rules, or wildcard rules for vendor or internal packages.

Why this matters for WordPress teams

The WordPress ecosystem runs on a mixture of GPL-licensed core, themes, and plugins on the directory, alongside a long tail of commercial plugins with their own licence terms. Once you add Composer-managed libraries or third-party SDKs into a custom build, the transitive dependency graph becomes uncomfortable quickly. A tool that surfaces licence questions at the pull request stage, rather than during a future audit, is genuinely useful for agency leads and WooCommerce merchants who ship code under commercial agreements.

GitHub's own Open Source Program Office spent roughly two months as the early adopter, starting from a permissive allowlist built around MIT, Apache 2.0, and BSD-3-Clause before layering on stricter rules. That sequence matters: roll out in Evaluate mode first, watch the noise, then tune. Expect the same curve in your own repos.

What to verify before the rollout reaches you

The feature is available to GitHub Advanced Security customers and works across repositories in GitHub Enterprise Cloud organisations that hold an active GHAS Code Security licence. If your agency plan does not include Advanced Security, this particular tool will not appear in your settings yet; however, it is worth checking with your account team now, since licence problems caught early are far cheaper than ones discovered post-release.

For now, take three concrete steps. Firstly, audit the licence declarations on every Composer dependency in your current custom builds, paying particular attention to anything with unusual or missing metadata. Secondly, draft a starter allowlist using MIT, Apache 2.0, and BSD-3-Clause as your baseline, then expand it only after you have reviewed real traffic in Evaluate mode. Consequently, assign an internal owner for the policy manager role, even informally, so exception requests do not stall in someone's inbox while a release waits.

We have covered what GitHub's new compliance scanner does, why WordPress-focused teams should pay attention now, and the first three checks worth running before your pipeline feels the change. From here, the next step is a quiet pilot in Evaluate mode against one repository, followed by a written exception policy your developers can reference without guessing.