Open Source Compliance Common Rules Template
Rules Generator
Overview
This template is a common ruleset that makes AI coding tools automatically recognize open source policy when generating code. Paste it into each tool's configuration file such as CLAUDE.md, .cursorrules, or .clinerules. Please modify the allowed/forbidden license lists to match your internal policy.
Full template
---
## Open Source Policy
### License Management
When adding new external packages/libraries, always verify and document the license.
**Allowed Licenses**: MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC
**Review Required Licenses** (legal review required): LGPL, MPL
**Prohibited Licenses** (cannot be used without prior approval): GPL, AGPL, SSPL, Commons Clause
### Security Management
- Do not use package versions with known CVEs
- After adding dependencies, run one of the following commands:
  - npm: `npm audit`
  - Python: `pip-audit`
  - Container/General: `trivy fs .`
- Use the latest stable package version whenever possible
### SBOM Management
- SBOM update required when dependencies change
- Generation tools: cdxgen, syft, trivy
- Recommended format: CycloneDX (alternative: SPDX)
### Copyright
- Keep existing code copyright headers
- Include project license header when creating new files
- When copying code from another project, include source and license
---
Copy the content above and paste it into each tool's settings file. For tool-specific application steps, see the links below.
Section-by-section explanation
Allowed, caution, and forbidden licenses
Allowed licenses in the MIT, Apache-2.0, BSD, and ISC families generally permit commercial use, modification, and distribution with notice obligations only, making them safe for most enterprise projects.
Caution licenses such as LGPL and MPL may trigger source disclosure obligations depending on how they are used, so legal review is required.
GPL, AGPL, SSPL, and Commons Clause cannot be used without prior approval due to derivative-work disclosure obligations or commercial-use restrictions.
| License | Classification | Primary reason |
|---|---|---|
| MIT | Allowed | Notice obligation only, no restrictions |
| Apache-2.0 | Allowed | Includes explicit patent grant |
| BSD-2/3-Clause | Allowed | Similar to MIT, no advertising clause |
| ISC | Allowed | Simplified MIT-family variant |
| LGPL | Caution | Possible source disclosure obligation for dynamic linking |
| MPL | Caution | Source disclosure obligation for modified files |
| GPL | Forbidden | Full derivative source disclosure obligation |
| AGPL | Forbidden | Source disclosure obligation for network use as well |
| SSPL | Forbidden | Full service infrastructure disclosure obligation |
| Commons Clause | Forbidden | Restricts commercial use |
Security management
Because an AI coding tool may recommend outdated versions drawn from its training data, it is important to run an audit command after adding packages and verify CVE exposure.
Prioritize the latest stable versions that include security patches. If you must pin a specific version, verify that no known vulnerabilities affect that version before use.
SBOM management
An SBOM (Software Bill of Materials) is an inventory that records all dependencies used by a project and serves as the foundation for vulnerability tracking and license audits. For CI/CD integration, refer to Quick CI/CD.
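As an added illustration (not part of this template or of the Trusted OSS agent), the following Python script performs the license-audit half of that foundation: it classifies every component in a CycloneDX SBOM against the allowed, review-required and forbidden lists from the template and exits non-zero when a forbidden license is present. The SBOM content, package names and the SPDX-id-to-family mapping are constructed assumptions.

```python
# Policy lists copied from the template; edit them to match internal policy.
ALLOWED = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"}
REVIEW_REQUIRED = {"LGPL", "MPL"}
FORBIDDEN = {"GPL", "AGPL", "SSPL", "Commons Clause"}
# Verdict order from least to most severe; a component gets its worst verdict.
SEVERITY = ["ALLOWED", "REVIEW", "UNKNOWN", "FORBIDDEN"]
POLICY = sorted(ALLOWED | REVIEW_REQUIRED | FORBIDDEN, key=len, reverse=True)

def license_family(lic):
    """Map an SPDX id such as 'LGPL-2.1-or-later' or 'GPL-3.0-only' to the
    family name the policy uses (longest family first so 'BSD-3-Clause' wins)."""
    for fam in POLICY:
        if lic == fam or lic.startswith(fam + "-"):
            return fam
    return lic

def classify(lic):
    fam = license_family(lic)
    if fam in FORBIDDEN:
        return "FORBIDDEN"
    if fam in REVIEW_REQUIRED:
        return "REVIEW"
    if fam in ALLOWED:
        return "ALLOWED"
    return "UNKNOWN"  # not on any list: verify and document before use

def audit_sbom(sbom):
    """Return (name, version, declared licenses, verdict) per CycloneDX component.
    A component with several declared licenses is rated by its most restrictive
    one, so a dual-licensed package may still be usable under its permissive option."""
    report = []
    for comp in sbom.get("components", []):
        ids = [e.get("license", {}).get("id") or e.get("license", {}).get("name")
               or e.get("expression", "") for e in comp.get("licenses", [])]
        verdicts = [classify(i) for i in ids] or ["UNKNOWN"]  # nothing declared
        worst = max(verdicts, key=SEVERITY.index)
        report.append((comp.get("name"), comp.get("version"), ids, worst))
    return report

def blockers(report):
    """Components that must not ship without a documented exception."""
    return [r for r in report if r[3] == "FORBIDDEN"]

SAMPLE_SBOM = {  # constructed sample, not a real project's SBOM
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"name": "example-pad", "version": "1.3.0", "licenses": [{"license": {"id": "MIT"}}]},
        {"name": "somelib", "version": "2.0.1", "licenses": [{"license": {"id": "LGPL-2.1-or-later"}}]},
        {"name": "copyleft-tool", "version": "4.2.0", "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},
        {"name": "restricted-db", "version": "1.0.0", "licenses": [{"license": {"name": "Commons Clause"}}]},
        {"name": "mystery", "version": "0.1.0"},  # no license declared at all
    ]}

if __name__ == "__main__":
    for name, version, ids, verdict in audit_sbom(SAMPLE_SBOM):
        print(f"{verdict:9} {name}@{version} {ids or '(no license declared)'}")
    raise SystemExit(1 if blockers(audit_sbom(SAMPLE_SBOM)) else 0)
```

With a real SBOM, replace `SAMPLE_SBOM` with the `json.load()` of the cdxgen, syft or trivy output and run the script as a CI step.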
Internal policy customization
When adding allowed licenses, include only licenses approved by your internal legal team in the allowed list.
If you need to relax forbidden licenses and have an exception approved for a specific component, annotate that item with the approval reason and date.
You can also add language-specific audit commands to match your environment. For example, add `cargo audit` for Rust, `govulncheck` for Go, and `dependency-check` for Java in the security management section.
Tool-specific application
Self-study
The generator above creates a generic template. To analyze real project dependencies and generate customized files, use the agent below.
Prerequisite: Clone the Trusted OSS repository
```bash
cd agents/ai-coding-setup
claude
```
The agent automatically performs the following:
- Analyzes project dependency files (package.json, requirements.txt, etc.)
- Pre-detects forbidden-license packages and suggests replacement packages
- Generates customized Rules files per selected AI coding tool
- Generates a license risk report