License Compliance Auditor
Purpose and Intent
The license-compliance-auditor ensures that software projects remain legally compliant by automatically verifying that all direct and transitive dependencies use licenses approved by the organization.
When to Use
- Dependency Onboarding: Run when adding a new library to a project.
- CI/CD Gates: Use as a blocking step in pipelines to prevent merging code with non-compliant licenses (e.g., preventing GPL in a proprietary product).
- Release Preparation: Audit the entire dependency tree before a major release.
When NOT to Use
- Legal Advice: This tool provides technical checks based on metadata; it does not replace professional legal counsel.
- Custom Licenses: It may struggle with proprietary or highly customized license text not found in SPDX registries.
Error Conditions and Edge Cases
- Missing Metadata: If a package doesn't define a license in its manifest, it will be flagged as "Unknown".
- Dual Licensing: Packages with multiple licenses (e.g., "MIT OR GPL") will require manual review.
- Unsupported Ecosystems: Attempting to run on a language not supported by the
ecosysteminput will fail.
Security and Data-Handling Considerations
- ReadOnly: The tool only reads manifest files.
- Privacy: No source code is uploaded; only package names and versions are used to check license registries.