Third Party and Contractor Code Governance

Most open source governance is built around internal teams: their intake gates, their allowlists, their pipelines. But a large share of the code in a typical enterprise estate was not written internally. It came from contractors, integrators, and software vendors, each making independent open source choices under their own assumptions. When that code enters your systems, its license exposure enters with it, and it sits under your name regardless of who selected the component. Governance that stops at the boundary of your own developers leaves this entire surface uncovered.

Why code you did not write becomes your exposure

A contractor who pulls in a convenient library is solving their immediate problem, not managing your long term license risk. If that library has relicensed, or carries copyleft obligations, the consequence lands on you when the deliverable goes to production. The relicensing wave makes this concrete. As of August 2023, HashiCorp moved Terraform, Vault, Consul, Nomad, and Packer to the Business Source License 1.1. Redis moved to a dual model with the Server Side Public License as of March 2024. Elasticsearch and Kibana moved to the Server Side Public License and the Elastic License as of 2021. A contractor build that embeds one of these, or something that depends on it, hands you the exposure without the knowledge. You inherit the risk and, often, the surprise.

Require an SBOM with every delivery

The first control is simple: nothing enters production without a bill of materials. A third party delivery should arrive with a software bill of materials that resolves the full dependency tree and records the license of each component, so you can see what you are actually accepting. Code that cannot be inventoried should not be accepted, because an unknown is an exposure you cannot size. The SBOM also has to be kept current after delivery, since the components in it can relicense later, a discipline we cover in maintaining an accurate SBOM.

Run third party code through the same intake gate

Code from outside should not get an easier path than code from inside. The same intake gate that flags a relicensed or disallowed component in your own builds should apply to third party deliverables, ideally before acceptance rather than after merge. This stops the common failure where external code bypasses controls simply because it arrived as a finished artifact rather than a series of commits. A gate that treats all incoming code alike is what keeps the governance you built for internal teams from being undone at the contractor boundary. Most of the highest risk components arrive transitively, which is why the gate has to read the full tree, as we explain in transitive dependencies and hidden license risk.

Put license obligations in the contract

Technical controls work best when the contract backs them. Clear language on which licenses are permitted, a requirement to disclose every component delivered, and a defined responsibility for relicensing exposure turn an assumption into an obligation. With those terms in place, a third party that ships a problem component is accountable for it, and you have a record of the standard they agreed to meet. The drafting and interpretation of this language is a matter for your own counsel, not for an advisory firm, but the governance program should make sure the requirement exists and is enforced. This sits alongside the procurement controls covered across the governance and SBOM pillar.

Make third party governance routine

The goal is for none of this to be exceptional. SBOM on delivery, the same intake gate, and contractual obligations should be standard terms of engagement for every third party, applied the same way each time. When they are, a relicense in a vendor delivered component is caught at intake rather than discovered in an audit, and the exposure you carry is the exposure you chose to accept with open eyes. An open source license risk assessment can establish where your current third party exposure sits before you wire these controls into every contract.

We help buyers build third party governance from the buyer side. We take no vendor fees and resell no software, so the controls we recommend serve your risk tolerance rather than a product we are paid to place. This is commercial and licensing risk advisory, not legal advice. For interpretation of specific license terms, contract drafting, and your compliance position, engage your own counsel.