Software Licensing Certificates Series

The Software Licence Assurance Certificate confirms that a project integrates mature, sustainable, and traceable licence and dependency management practices into its software development and delivery lifecycle. It indicates that licensing and dependency management processes have been implemented, verified, and appropriately documented, and that the project is ready for compliant, continuous governance and distribution.

It may cover a single project or a group of related software products under unified ownership and management.

The certificate remains valid indefinitely, provided certified practices are maintained and biennial audits are passed. It does not cover patents or legal liability, although patent concerns may be addressed during the Software Licence Assurance (SLA) review.

It requires your team to sustain licensing and dependency management practices, maintain compliance artefacts, implement governance and automation measures, document relevant processes, and conduct regular audits.

The certificate builds on the Verified Software Licence Certificate by adding structured governance, compliance automation, and continuous auditing.

You may use this document as a checklist template for your project's certification process.

Initial Steps

Requirements

Closely related to the Verified Software Licence Certificate

  • Meet all Verified Software Licence requirements for each software developed or maintained under the project
  • Regularly maintain all artefacts required by the Verified Software Licence Certificate

Additional Requirements

  • A Licence Compliance Officer is designated, responsible for licensing decisions and queries
  • Governance policies are established and enforced, covering inbound and outbound licences, dependency management, contributions, conflict resolution, compliance tools, and audits
  • Automated compliance tools are integrated into the CI/CD pipeline and alert on (or block) licence violations, outdated or unapproved dependency versions, and known security vulnerabilities
  • Compliance rules, scanning configurations, and alert thresholds are maintained and kept up to date
  • Team onboarding and training are implemented, with up-to-date materials available
  • Development practices related to compliance tools, monitoring, and dependency management are documented
  • Contribution guidelines or policies are established and followed
  • Adequate general or per-software licensing policies are in place
  • Compliance records are maintained for dependency approvals, licensing decisions, contributions, reviews, known vulnerabilities, and their remediation
  • Compliance reviews and audits are performed regularly, documented, and tracked with findings and corrective actions

Certification Process

  • Ensure Verified Software Licence compliance for each software included in the project.
  • Send a request to the Licence Management Team, including:
    • Contact details of the Licence Compliance Officer
    • Results of the SLA or equivalent review for exemplary (representative) software
    • Access to the code repository for exemplary software, including all relevant artefacts (README, LICENSE, COPYRIGHT, NOTICE, CHANGELOG, etc.)
    • List of all dependencies with licences and security status for exemplary software
    • Results of automated checks, including examples of CI/CD compliance tool rules
    • Governance and compliance policies, including dependency and licence management guidelines
    • Evidence of governance and training activities, such as onboarding materials and contribution guidelines
    • Exemplary records of dependency management and compliance decisions
    • Exemplary records associated with one or several contributions
    • Exemplary records of known vulnerabilities and their remediation
    • Records of compliance reviews and audits
    • Clarifications or supporting notes, if needed

  • Respond to the Licence Management Team’s feedback by:
    • Providing requested clarifications
    • Demonstrating compliance tool effectiveness
    • Performing remediation if required (e.g. by addressing documentation or process gaps)
  • Reference the certificate in your documentation, metadata, project page, or communications.

See Contact Us for information on how to communicate with the Licence Management Team.

Artefacts

Create and maintain artefacts and documents that manage, support, and track licence, dependency, and security governance:

  • Core licensing artefacts (README, LICENSE, COPYRIGHT, NOTICE, CHANGELOG, etc.) for all included software
  • Up-to-date onboarding and training materials for team members on licensing, security, and IPR management
  • Dependency and licence management guidelines
  • Dependency and licence approvals, including exception or waiver records where applicable
  • Contribution guidelines
  • Code testing or review records, including those tracking external contributions where applicable
  • CI/CD compliance tool rules and configuration files
  • SCA tool, licence, and security scan results and reports
  • Records of regular dependency management and compliance decisions
  • Records tracking known vulnerabilities and their remediation
  • Records of monitoring alerts and responses
  • Minutes or sign-off records from compliance reviews and audits
  • Software Bill of Materials (SBOM) for each software (recommended)
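The automated compliance checks required above (CI/CD tool rules that alert on licence, version and security issues) and the rule files, scan results and SBOM listed as artefacts can be exercised by one small gate. The following is an added example, not GÉANT's or the certificate's own tooling, and the certificate does not prescribe any particular scanner. It assumes a CycloneDX-style JSON SBOM (components with "bom-ref", "purl" and "licenses"; an optional "vulnerabilities" section with "ratings" and "affects") and a policy expressed as Python data; the SBOM, policy, waiver table and vulnerability identifiers are all constructed for illustration.

```python
"""Licence and vulnerability gate over a CycloneDX-style SBOM (added example,
not GÉANT tooling). Exit status 0 means the build may proceed."""
import json
from datetime import date

# Constructed SBOM fragment; package names, versions and vulnerability ids are
# illustrative only, not a real project's bill of materials.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"bom-ref": "pkg:pypi/requests@2.31.0", "purl": "pkg:pypi/requests@2.31.0",
     "name": "requests", "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"bom-ref": "pkg:pypi/libxyz@1.0", "purl": "pkg:pypi/libxyz@1.0",
     "name": "libxyz", "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    {"bom-ref": "pkg:pypi/old-lib@0.9", "purl": "pkg:pypi/old-lib@0.9",
     "name": "old-lib", "licenses": [{"license": {"id": "LGPL-2.1-only"}}]},
    {"bom-ref": "pkg:pypi/mystery@3.0", "purl": "pkg:pypi/mystery@3.0",
     "name": "mystery", "licenses": []}
  ],
  "vulnerabilities": [
    {"id": "EXAMPLE-2024-0001", "ratings": [{"severity": "high"}],
     "affects": [{"ref": "pkg:pypi/libxyz@1.0"}]},
    {"id": "EXAMPLE-2024-0002", "ratings": [{"severity": "low"}],
     "affects": [{"ref": "pkg:pypi/requests@2.31.0"}]}
  ]
}
"""

# Policy as a CI rule file would express it (assumed shape): inbound licences
# compatible with a permissive outbound licence, copyleft licences denied, and
# the severities at which a known vulnerability blocks the build.
POLICY = {
    "allowed": {"MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0", "ISC"},
    "denied": {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"},
    "block_severities": {"critical", "high"},
}

# Waivers are the machine-readable form of the exception records; each carries
# an expiry so the exception is re-reviewed rather than forgotten.
WAIVERS = {
    "pkg:pypi/old-lib@0.9": {"approved_by": "Licence Compliance Officer",
                              "expires": "2024-01-01",
                              "reason": "used via dynamic linking only"},
}


def component_licences(component):
    """Return declared SPDX ids; SPDX expressions are returned verbatim."""
    ids = []
    for entry in component.get("licenses", []):
        if "license" in entry and "id" in entry["license"]:
            ids.append(entry["license"]["id"])
        elif "expression" in entry:
            ids.append(entry["expression"])
    return ids


def evaluate_sbom(sbom, policy, waivers, today):
    """Return (rule, component-ref, detail) findings; an empty list passes."""
    findings = []
    for comp in sbom.get("components", []):
        ref = comp.get("bom-ref") or comp.get("purl") or comp.get("name")
        waiver = waivers.get(ref)
        if waiver is not None and date.fromisoformat(waiver["expires"]) < today:
            findings.append(("waiver-expired", ref, waiver["expires"]))
            waiver = None  # an expired waiver suppresses nothing
        licences = component_licences(comp)
        if not licences:
            findings.append(("licence-unknown", ref, "no licence declared"))
        for lic in licences:
            if lic in policy["allowed"] or waiver is not None:
                continue
            rule = "licence-denied" if lic in policy["denied"] else "licence-unreviewed"
            findings.append((rule, ref, lic))
    for vuln in sbom.get("vulnerabilities", []):
        severities = {r.get("severity", "unknown") for r in vuln.get("ratings", [])}
        if severities & policy["block_severities"]:
            for target in vuln.get("affects", []):
                findings.append(("vulnerability", target["ref"], vuln["id"]))
    return findings


def gate_passes(findings):
    return not findings


def run_gate(sbom_text=SBOM_JSON, today="2024-06-01"):
    """Evaluate the SBOM as of an ISO date and print one line per finding."""
    findings = evaluate_sbom(json.loads(sbom_text), POLICY, WAIVERS,
                             date.fromisoformat(today))
    for rule, ref, detail in findings:
        print(f"{rule:20} {ref:32} {detail}")
    return findings


if __name__ == "__main__":
    raise SystemExit(0 if gate_passes(run_gate()) else 1)
```

Run after SBOM generation in the pipeline; a non-zero exit blocks the build and the printed findings are the scan report to archive. Unknown and unreviewed licences are reported separately from denied ones so that the Licence Compliance Officer can approve or waive them, and the expiry on the waiver is what turns a one-off exception into a recurring review.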

Governance

Upon approval, your project and associated software will receive the Software Licence Assurance Certificate, visible at certificates.software.geant.org and in the GÉANT Software Catalogue.

Maintain ongoing compliance, governance, automation measures, and licensing compliance for each software included in the project.

The Licence Management Team validates issuance and may review certificate status.

A biennial audit is required, either as an internal audit by the development team or as an external audit arranged with the Licence Management Team.

An internal review is required following governance or leadership changes, major changes to compliance processes, or serious compliance concerns raised by users.

The certificate is valid indefinitely, unless revoked.

Additional Information

Further details are available in the Detailed Guide: Software Licence Assurance Certificate.
