License Compliance Manager

Open source license scanning, policy enforcement, obligation tracking

View the interactive project page →

License Compliance Manager

Part of the worlds-biggest-software-project initiative.

Open-source license scanning, policy enforcement, and obligation tracking for modern software supply chains.

License Compliance Manager is an AI-native software composition analysis (SCA) platform focused on open-source licence obligations. It is built for DevSecOps engineers, open-source program offices, and legal teams who need to detect licence risk, enforce policy in CI/CD, and produce regulator-ready SBOMs without paying enterprise SaaS prices.


Why License Compliance Manager?

  • Enterprise incumbents (FOSSA, Black Duck, Sonatype Nexus Lifecycle) are custom-quoted at $20,000–$200,000+/year and remain out of reach for smaller teams that still face the same regulatory exposure.
  • Black Duck delivers thorough binary and source analysis but is complex to deploy and heavily priced; teams want comparable depth without the operational burden.
  • Snyk Open Source has strong developer UX but treats licence compliance as a secondary concern behind vulnerability scanning.
  • Open-source options like FOSSology lack a modern SaaS UX and meaningful policy enforcement; SCANOSS is fast at snippet matching but has a smaller surrounding ecosystem.
  • AI-generated code introduces new attribution ambiguity — LLM outputs may carry copyleft obligations from training data — and current tools are not yet equipped to handle this.

Key Features

Scanning and Detection

  • Automated dependency scanning across source code and binaries
  • High-accuracy licence detection
  • Sublicense and embedded licence detection
  • Multi-language support

Policy and Enforcement

  • Policy enforcement and flagging in build pipelines
  • Custom policy management
  • CI/CD integration with enforcement gates
  • Continuous compliance monitoring

SBOM and Reporting

  • SBOM generation
  • Vulnerability data integration
  • Reporting for legal, procurement, and DevSecOps consumers
  • Automated alerting on policy violations

AI-Augmented Compliance

  • Licence conflict resolution recommendations
  • Automated remediation suggestions
  • Compliance trend analysis
  • Licence substitution optimisation

AI-Native Advantage

Traditional file-header scanning misses licence obligations embedded in AI-generated code; this project targets that gap directly. Legal teams can author policies in natural language ("no GPL in customer-facing products; LGPL permitted in internal tools") and have them auto-translated into enforcement rules. Attribution notices, disclosure documents, and source-offer letters required by copyleft licences can be generated as part of the release pipeline, and continuous licence-drift detection alerts teams when a dependency silently changes its licence between patch versions.


Tech Stack & Deployment

The project aligns with established SBOM standards: SPDX (ISO/IEC 5962:2021), CycloneDX (OWASP), and the NTIA Minimum Elements baseline mandated under US EO 14028. The OSI-approved licence list is the canonical reference for policy mapping. Deployment is expected to support self-hosted operation (in line with FOSSology / SCANOSS expectations) alongside CI/CD integrations for build-time enforcement.


Market Context

The SBOM management market is projected to grow significantly through 2030, driven by US federal EO 14028 mandates and the EU Cyber Resilience Act, with North America showing a 60%+ increase in compliance tool procurement over the past two years and European demand growing 35% year-on-year (Technavio 2026; Black Duck OSSRA 2026). Enterprise SCA tools typically cost $20,000–$200,000+/year, while developer-first tools such as Snyk start at $25/dev/month. Primary buyers are Chief Legal Officers and IP counsel, DevSecOps engineers, procurement teams, and open-source program offices.


Project Status

This project is in the research and specification phase.
Contributions, feedback, and domain expertise are welcome.


Contributing

We welcome contributions from developers, domain experts, and potential users. See CONTRIBUTING.md for guidelines.

Important: All contributions must be your own original work or clearly attributed open-source material with a compatible licence. Copyright infringement and licence violations will not be tolerated and will result in immediate removal of the offending contribution. If you are unsure whether a piece of code, text, or other material is safe to contribute, open an issue and ask before submitting.


Licence

Licence to be determined. See discussion for context.