Verify project dependencies comply with approved open-source licenses. Part of the DevTools Surf developer suite. Browse more tools in the DevOps / CI-CD collection.
Use Cases
Audit all npm/PyPI/Maven dependencies for license compatibility before a commercial product release.
Identify GPL-licensed transitive dependencies that would trigger copyleft obligations.
Generate a bill of materials (SBOM) with license information for regulatory or enterprise procurement compliance.
Verify that all dependencies use approved licenses from an organization's open-source policy allowlist.
Tips
Check GPL vs. LGPL carefully. GPL's copyleft attaches when you distribute a work that incorporates or links GPL code: the combined work must then be released under the GPL (AGPL extends this to software offered over a network, which is why it matters for SaaS). LGPL lets proprietary code link against the library as long as the library itself stays LGPL; dynamic linking is the usual way to satisfy this, and static linking requires extra steps such as shipping relinkable object files.
MIT and Apache-2.0 are generally compatible with each other. Apache-2.0 includes an explicit patent grant (with a termination clause for patent litigation) that MIT lacks, which makes it the safer choice in patent-sensitive domains. One caveat: Apache-2.0 is considered incompatible with GPL-2.0 but compatible with GPL-3.0, so check the GPL version before mixing them.
Run compliance checks whenever a new dependency is added (for example as a CI gate on pull requests that change the lockfile), not just before releases: catching an incompatible license early avoids a costly rewrite later.
Fun Facts
The GPL (GNU General Public License) was written by Richard Stallman; version 1 was released in 1989. Its 'copyleft' mechanism, which requires derivative works to be distributed under the same license, was legally novel at the time, and no US court has invalidated it.
The SPDX (Software Package Data Exchange) project was started under the Linux Foundation in 2010 to standardize license identifiers; the SPDX specification has since been published as ISO/IEC 5962:2021. The SPDX License List is versioned and keeps growing, with well over 400 recognized licenses in its 2024 releases.
The MIT License's full text is only about 170 words, making it one of the shortest widely used software licenses. Despite its brevity it is among the most common licenses on GitHub, and its permissive terms are rarely disputed in court.
FAQ
Does it check transitive dependencies?
Yes. Paste your package-lock.json, requirements.txt, or go.sum and the tool traverses the full dependency tree, not just direct dependencies. A caveat on what each file can tell it: a hand-written requirements.txt lists only the packages you pinned, so for Python supply a fully resolved file (pip freeze output, or a lockfile such as poetry.lock) to cover transitives; and go.sum records a checksum for every module Go verified, which can be a superset of what is actually compiled into your binary.
What licenses does it flag?
Configurable by policy. By default it flags GPL-2.0, GPL-3.0, AGPL (whose network clause matters for SaaS), and SSPL as potentially incompatible with proprietary use, and treats MIT, BSD, Apache-2.0, and ISC as allowed. Note that the current SPDX identifiers for the GPL family are of the form GPL-2.0-only and GPL-2.0-or-later; package metadata often still carries the deprecated GPL-2.0 and GPL-2.0+ forms, so a policy should match both. Weak-copyleft licenses (LGPL, MPL-2.0, EPL) usually warrant a manual review rather than an automatic pass or fail.
Does it produce an SBOM?
Yes. It exports the SBOM as SPDX JSON or CycloneDX JSON, compatible with the GitHub Dependency Graph and with enterprise procurement systems that require an SBOM for supply-chain risk assessment.
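The tree walk, policy check and SBOM export described in this FAQ, as an added worked example in Python. It is not the tool's code: the lockfile, the allowlist and the alias table are constructed for the demo, and the names SAMPLE_LOCK, ALLOW, ALIASES, license_allowed, resolve, audit and to_cyclonedx are mine. It resolves nested node_modules the way Node does (so a second, GPL-licensed copy of a package installed under another dependency is caught, not just the hoisted one), evaluates SPDX expressions (AND, OR, parentheses, WITH) against the allowlist, reports the dependency chain that pulled each violation in, and emits a minimal CycloneDX JSON SBOM.

```python
"""Added example (not the tool's code): audit an npm package-lock.json (v2/v3) against a license
allowlist and emit a CycloneDX SBOM. v2/v3 lockfiles copy each package's "license" field from
package.json, so the lockfile alone suffices to run this offline."""
import json
import re

# Constructed sample lockfile ("demo-app" and its packages are fictional). Note the nested
# copy of tiny-util under web-kit: npm kept two versions, and the nested one is GPL.
SAMPLE_LOCK = json.loads("""{"name": "demo-app", "lockfileVersion": 3, "packages": {
 "": {"name": "demo-app", "dependencies": {"web-kit": "^2.0.0", "tiny-util": "^1.0.0"}},
 "node_modules/web-kit": {"version": "2.1.0", "license": "MIT",
     "dependencies": {"render-core": "^3.0.0", "tiny-util": "^0.9.0"}},
 "node_modules/render-core": {"version": "3.4.1", "license": "(MIT OR GPL-3.0-only)",
     "dependencies": {"pdf-engine": "^1.0.0"}},
 "node_modules/pdf-engine": {"version": "1.2.0", "license": "AGPL-3.0-only"},
 "node_modules/tiny-util": {"version": "1.0.2", "license": "ISC"},
 "node_modules/web-kit/node_modules/tiny-util": {"version": "0.9.5", "license": "GPL-2.0"}
}}""")

ALLOW = {"MIT", "ISC", "0BSD", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0"}  # assumed policy
ALIASES = {"GPL-2.0": "GPL-2.0-only", "GPL-2.0+": "GPL-2.0-or-later",  # deprecated SPDX ids
           "GPL-3.0": "GPL-3.0-only", "GPL-3.0+": "GPL-3.0-or-later",  # still common in
           "AGPL-3.0": "AGPL-3.0-only"}                                # package metadata
_TOK = re.compile(r"\(|\)|\bAND\b|\bOR\b|\bWITH\b|[A-Za-z0-9.+-]+")


def license_allowed(expr, allow=ALLOW):
    """SPDX expression check: AND needs every operand allowed, OR needs one (the consumer
    picks that option); a missing, unknown or malformed license fails closed."""
    toks, pos = _TOK.findall(expr or ""), 0
    peek = lambda: toks[pos] if pos < len(toks) else None

    def parse_binary(op, operand, combine):
        nonlocal pos
        val = operand()
        while peek() == op:
            pos += 1
            val = combine(val, operand())  # both sides always evaluated
        return val

    def parse_primary():
        nonlocal pos
        tok = peek()
        if tok is None:  # "" or a dangling operator such as "MIT AND": fail closed
            return False
        pos += 1
        if tok == "(":
            val = parse_or()
            pos += 1  # consume ")"
            return val
        if peek() == "WITH":  # "X WITH exception" is judged on X alone (a simplification)
            pos += 2
        return ALIASES.get(tok, tok) in allow

    parse_and = lambda: parse_binary("AND", parse_primary, lambda a, b: a and b)
    parse_or = lambda: parse_binary("OR", parse_and, lambda a, b: a or b)  # lowest precedence
    return parse_or()


def resolve(packages, from_path, name):
    """Resolve like Node: nearest nested node_modules first, then each parent up to root."""
    base = from_path
    while True:
        cand = f"{base}/node_modules/{name}" if base else f"node_modules/{name}"
        if cand in packages:
            return cand
        if not base:
            return None
        base = base.rsplit("/node_modules/", 1)[0] if "/node_modules/" in base else ""


def audit(lock, allow=ALLOW):
    """One finding per resolved package, with its verdict and the first dependency chain
    that pulled it in (the answer to "why is there GPL code in my build?")."""
    packages = lock["packages"]
    findings, seen, stack = [], set(), [("", [packages[""].get("name", "root")])]
    while stack:
        path, chain = stack.pop()
        for dep in sorted(packages[path].get("dependencies", {})):
            dep_path = resolve(packages, path, dep)
            if dep_path is None or dep_path in seen:
                continue
            seen.add(dep_path)
            meta = packages[dep_path]
            findings.append({"name": dep, "version": meta.get("version"),
                             "license": meta.get("license"), "chain": chain + [dep],
                             "allowed": license_allowed(meta.get("license"), allow)})
            stack.append((dep_path, chain + [dep]))
    return findings


def to_cyclonedx(findings):
    """Minimal CycloneDX 1.5 JSON; a scoped name needs its '@' percent-encoded in the purl."""
    comps = [{"type": "library", "name": f["name"], "version": f["version"],
              "purl": f"pkg:npm/{f['name'].replace('@', '%40')}@{f['version']}",
              **({"licenses": [{"expression": f["license"]}]} if f["license"] else {})}
             for f in findings]
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1, "components": comps}


if __name__ == "__main__":
    results = audit(SAMPLE_LOCK)
    for f in (x for x in results if not x["allowed"]):
        print(f"VIOLATION {f['name']}@{f['version']} ({f['license']}): " + " -> ".join(f["chain"]))
    print(json.dumps(to_cyclonedx(results), indent=2))
```

Run as a script: the two violations print first (the nested GPL-2.0 tiny-util reached via web-kit, and the AGPL pdf-engine reached via web-kit and render-core), then the SBOM. render-core passes because its dual license offers MIT as an option. For a real project replace SAMPLE_LOCK with the parsed package-lock.json; lockfileVersion 1 files have neither the "packages" map nor license data, so regenerate the lockfile with a current npm first. A package with no license field is reported as a violation on purpose: unknown is not the same as allowed.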