ensures that software projects remain legally compliant by automatically verifying that all direct and transitive dependencies use licenses approved by the organization.
When to Use
Dependency Onboarding
Run when adding a new library to a project.
CI/CD Gates
Use as a blocking step in pipelines to prevent merging code with non-compliant licenses (e.g., preventing GPL in a proprietary product).
Release Preparation
Audit the entire dependency tree before a major release.
When NOT to Use
Legal Advice
This tool provides technical checks based on metadata; it does not replace professional legal counsel.
Custom Licenses
It may struggle with proprietary or highly customized license text not found in SPDX registries.
Error Conditions and Edge Cases
Missing Metadata
If a package doesn't define a license in its manifest, it will be flagged as "Unknown".
Dual Licensing
Packages with multiple licenses (e.g., "MIT OR GPL") will require manual review.
Unsupported Ecosystems
Attempting to run on a language not supported by the
ecosystem
input will fail.
Security and Data-Handling Considerations
ReadOnly
The tool only reads manifest files.
Privacy
No source code is uploaded; only package names and versions are used to check license registries.