Skip to main content
FOSSA Logo

From Scan to Attribution: Tigera's Automated Open Source License Compliance Program

Tigera is the creator of Calico, the world's most widely adopted open source container networking and security solution. With both a fully open source offering and an enterprise-grade platform, Tigera supports the networking and security needs of organizations running Kubernetes at scale and offers the best NSX alternative to connect, secure and observe VMs running on Kubernetes.

As you might expect given its standing at the intersection of open source and enterprise software, Tigera places a priority on maintaining a strong open source license compliance program. This includes automating as much as can be automated across its dependency inventory, policy implementation, and attribution notice creation.

Four years ago, after growing frustrated with its previous tool, Tigera chose FOSSA to help manage license compliance. Now, with FOSSA fully embedded in Tigera's CI pipeline and attribution workflow, the team ships with confidence, knowing no license issue will slip through undetected.

"FOSSA definitely helps us and our team to keep our minds off of license issues and attributions."

— Sujeet Kumar, Engineering Manager, Tigera

The Challenge: Shallow Scans, Manual Work, and an Inflexible Tool

Before adopting FOSSA, Tigera used another platform for license scanning. While it provided basic coverage, it fell short in several important areas.

The most pressing limitation was dependency depth. Tigera's products (built primarily in Go on the back end and React on the front end) rely on a complex web of open source libraries, each of which may itself carry dozens of transitive dependencies. Most tools scan only three to five layers deep, which Tigera found insufficient.

"Our main use case is license scanning, understanding the different open source libraries we use in our product," says Sujeet. "I want to make sure that we attribute things properly to open source libraries that we have used. The depth of the dependencies was the reason why we selected FOSSA. Most of the open source tools we looked at were stopping at three or five layers deep, but FOSSA gave us more than that."

Attribution was another challenge. Tigera's team was manually assembling attribution notices, which tends to be a tedious, error-prone process. With patch releases going out frequently, there was real risk of shipping software without fully updated attributions.

The Solution: Comprehensive Automation with FOSSA

Since switching to FOSSA, Tigera has built a compliance pipeline that runs continuously alongside every code change. This helps catch potential licensing issues early and significantly reduces the manual toil related to license compliance.

Tigera's FOSSA usage includes several highlights.

  1. CI-integrated scanning. Every CI run triggers a FOSSA scan automatically. Scans run in the background without blocking pipelines, so engineers aren't slowed down waiting for results. When a scan completes, violations are reported directly to a dedicated Slack channel. "Every CI has the FOSSA scanner attached to it," Sujeet says. "Once the scans run in the background and complete, we publish the reports to Slack."
  2. Custom policies. Tigera started with FOSSA's pre-built policy templates (which were created with guidance from experts like Heather Meeker) and extended them with custom exceptions. In scenarios where Tigera wishes to apply custom license exceptions, the team can document those in policy, reducing false positives and keeping alerts actionable.
  3. Package labels. Tigera uses FOSSA's Package Labels feature to group connected packages into a single view, generating a unified compliance report rather than stitching together results from several separate sources.
  4. Automated attribution notices. One of the team's most meaningful improvements has been handing attribution notice generation entirely to FOSSA. Rather than assembling a document by hand, Tigera now simply links to the FOSSA-generated attribution page from its documentation and updates the link whenever a new scan runs.
"We used to create our own attribution page," Sujeet says. "Now, we just use FOSSA's generated attribution page. We scan, create the web page, add whatever policies and exceptions we need, and then link to it from our docs. Even with a patch release, we can update, because it's all automated."

The Outcome: No Missed Releases, No License Surprises

With FOSSA fully embedded in its workflow, Tigera has eliminated the compliance blind spots that existed under its previous tooling.

The team now confidently (and automatically) updates attribution notices following all releases. Component identification is comprehensive. And with CI scanning running on every pull request, issues surface immediately rather than accumulating undetected.

Tigera anticipates expanding its use of FOSSA moving forward. The company plans to explore SBOM and attestation workflows in the future. For now, FOSSA remains a foundational piece of its engineering infrastructure.

The three FOSSA capabilities Tigera values most? CI integration, automated attribution reports, and policies. "Those three are very helpful for us," Sujeet says.

For any organization considering a more rigorous approach to open source compliance, Sujeet's advice is direct:

"Definitely make use of all the automation that FOSSA provides. Nobody wants to do things manually. Make use of policies. It definitely makes your life easier."