by reiger
2699 days ago
For initial import I like it to be a manual process so I can judge risk. I have some really bad Python scripts that read/write Excel documents and alert me when licenses change. My plan is to move to Black Duck or the commercial libraries.io subscription for my automation needs. For Kubernetes I'm really impressed with Aqua Security, as they do OSS license adherence and OSS security vuln alerting if you only deploy into containers. It's not a cheap product, but I love how they do OSS assurance as part of build and deployment. It's a nice model that allows a central security team to use technology to enforce policies - good for "research" environments where devs/researchers don't want to put any effort into OSS packages.
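The "alert me when licenses change" workflow the comment describes, as an added example that is not the commenter's own scripts: it diffs two dependency inventories and flags packages whose license changed, with an escalation flag when the new license is more restrictive. It uses CSV text and the standard library instead of Excel, the inventories are constructed sample data, and the `RISK` ranking is an illustrative assumption rather than a legal classification.

```python
"""Detect license changes between two dependency inventories.

Added example, not the commenter's scripts. Inventories are constructed
'package,version,license' CSV text; the RISK ranking is an assumption.
"""
import csv
import io

# Assumed ranking: higher means more restrictive for a proprietary product.
# Licenses not in the table rank as 99 so "unknown" is treated as risky.
RISK = {
    "MIT": 0, "BSD-3-Clause": 0, "Apache-2.0": 0,
    "LGPL-2.1": 1, "GPL-3.0": 2, "AGPL-3.0": 3,
}

# Constructed sample inventories (the last run and the current run).
PREVIOUS = """package,version,license
requests,2.20.0,Apache-2.0
leftpad,1.0.0,MIT
dbdriver,3.1.0,LGPL-2.1
"""
CURRENT = """package,version,license
requests,2.21.0,Apache-2.0
leftpad,1.1.0,GPL-3.0
dbdriver,3.1.0,LGPL-2.1
newtool,0.1.0,Unknown
"""


def load_inventory(text):
    """Parse CSV text into {package: (version, license)}."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["package"]: (r["version"], r["license"].strip()) for r in rows}


def license_changes(previous, current):
    """Return [(package, old_license, new_license, escalated)] for every
    package that is new or whose license differs from the previous run."""
    changes = []
    for pkg, (_version, lic) in sorted(current.items()):
        old = previous.get(pkg)
        if old is None:
            # New package: escalate unless it is a known permissive license.
            changes.append((pkg, None, lic, RISK.get(lic, 99) > 0))
        elif old[1] != lic:
            escalated = RISK.get(lic, 99) > RISK.get(old[1], 99)
            changes.append((pkg, old[1], lic, escalated))
    return changes


def format_alerts(changes):
    """Render changes as one alert line each, escalations marked REVIEW."""
    lines = []
    for pkg, old, new, escalated in changes:
        tag = "REVIEW" if escalated else "info"
        lines.append(f"[{tag}] {pkg}: {old or '(new)'} -> {new}")
    return lines


if __name__ == "__main__":
    found = license_changes(load_inventory(PREVIOUS), load_inventory(CURRENT))
    print("\n".join(format_alerts(found)) or "no license changes")
```

Run on the sample data it reports `leftpad` moving from MIT to GPL-3.0 and the new `newtool` with an unrecognised license, both marked for review; unchanged packages produce no output, which keeps the manual review focused on what actually moved.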