Software Licensing Compliance Checklist

Annual review a platform or engineering manager runs to inventory open-source and commercial software licenses, resolve copyleft conflicts, and produce audit-ready documentation. Covers SBOM generation, SCA scanning, procurement, and ongoing monitoring.

Section 1: License Inventory and SBOM Generation

  1. Generate the SBOM in CycloneDX or SPDX format
    • Run Syft, CycloneDX-CLI, or your build tool's native SBOM generator (e.g., npm sbom, Maven CycloneDX plugin) against the production build artifact — not just the repo. Generating against the repo misses transitive deps that only appear in the resolved lockfile. Save the SBOM as a release artifact since EO 14028 federal contracts require it.

  2. Run an SCA scan with Snyk or FOSSA
    • Snyk, FOSSA, GitHub Advanced Security, and Black Duck all surface license metadata alongside CVE data. Configure the scan to fail on unknown or custom licenses — these are the most common cause of audit findings since reviewers can't classify them automatically.

  3. Catalog direct and transitive dependencies
    • Reconcile the SBOM and SCA outputs against the license register. Pay attention to deps that pulled in new transitive dependencies since the last review — package authors swap implementations regularly, and a benign MIT lib can silently start depending on an LGPL package.

  4. Flag copyleft licenses in the inventory
    • GPL, AGPL, LGPL, SSPL, and Elastic License 2.0 all carry obligations that may conflict with proprietary distribution. AGPL is the highest-risk for SaaS — it triggers source disclosure on network use, not just distribution. Note any matches with package name, version, and the file path where it's referenced.
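
The four steps above (generate the SBOM, fail on unclassifiable licenses, catalog direct versus transitive dependencies, flag copyleft) can be checked mechanically once the SBOM exists. The script below is an added example written for this checklist, not code from Syft, Snyk or FOSSA: it reads a CycloneDX JSON document, walks the `dependencies` graph from the root component to label each package direct or transitive (and through which parent it arrived), and flags copyleft families and licenses that only carry free text or nothing at all. The SBOM it consumes is constructed by hand so that each edge case is visible.

```python
"""Inventory a CycloneDX JSON SBOM: each component with its declared license,
direct/transitive scope (and the parent that pulled it in), and whether the
license is copyleft or cannot be classified. Added example for this checklist;
the SBOM below is constructed, not generated by a real build."""
import json
import re
from collections import deque

# Constructed CycloneDX 1.5 document: a root application, three direct deps,
# one LGPL library pulled in transitively by a permissive one, one component
# with only free-text license metadata, and one with no license at all.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "shop@2.0.0", "name": "shop", "version": "2.0.0"}},
    "components": [
        {"bom-ref": "pkg:npm/left-pad@1.3.0", "name": "left-pad", "version": "1.3.0",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"bom-ref": "pkg:npm/pdfkit@0.14.0", "name": "pdfkit", "version": "0.14.0",
         "licenses": [{"expression": "MIT OR Apache-2.0"}]},
        {"bom-ref": "pkg:npm/fontlib@3.1.0", "name": "fontlib", "version": "3.1.0",
         "licenses": [{"license": {"id": "LGPL-3.0-only"}}]},
        {"bom-ref": "pkg:npm/vendorsdk@9.0.0", "name": "vendorsdk", "version": "9.0.0",
         "licenses": [{"license": {"name": "Acme Proprietary EULA"}}]},
        {"bom-ref": "pkg:npm/mystery@0.0.1", "name": "mystery", "version": "0.0.1"},
    ],
    "dependencies": [
        {"ref": "shop@2.0.0", "dependsOn": ["pkg:npm/left-pad@1.3.0", "pkg:npm/pdfkit@0.14.0",
                                            "pkg:npm/vendorsdk@9.0.0"]},
        {"ref": "pkg:npm/pdfkit@0.14.0", "dependsOn": ["pkg:npm/fontlib@3.1.0"]},
    ],
})

# Families the checklist flags, matched as prefixes of SPDX ids
# (AGPL-3.0-or-later, GPL-2.0-only, LGPL-3.0-only, SSPL-1.0, Elastic-2.0).
COPYLEFT_PREFIXES = ("AGPL-", "GPL-", "LGPL-", "SSPL-", "Elastic-")

def license_of(component):
    """SPDX id or expression; 'CUSTOM:<name>' if only free text was declared;
    'UNKNOWN' if nothing was declared."""
    for entry in component.get("licenses", []):
        if "expression" in entry:
            return entry["expression"]
        lic = entry.get("license", {})
        if "id" in lic:
            return lic["id"]
        if "name" in lic:
            return "CUSTOM:" + lic["name"]
    return "UNKNOWN"

def classify(license_expr):
    """'unknown' for anything a scanner cannot map to an SPDX id, 'copyleft' if
    any term of the expression is in a flagged family, else 'permissive'."""
    if license_expr == "UNKNOWN" or license_expr.startswith("CUSTOM:"):
        return "unknown"
    terms = [t.strip() for t in re.split(r"\s+(?:AND|OR|WITH)\s+|[()]", license_expr)]
    return "copyleft" if any(t.startswith(COPYLEFT_PREFIXES) for t in terms if t) else "permissive"

def depth_map(sbom):
    """Breadth-first walk of the dependency graph from the root component:
    {bom-ref: (depth, parent-ref)}; depth 1 is a direct dependency."""
    root = sbom["metadata"]["component"]["bom-ref"]
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    seen, queue = {root: (0, None)}, deque([root])
    while queue:
        ref = queue.popleft()
        for child in edges.get(ref, []):
            if child not in seen:
                seen[child] = (seen[ref][0] + 1, ref)
                queue.append(child)
    return seen

def inventory(sbom_json):
    """One row per component; 'via' names the parent that pulled in a
    transitive dependency, which is what makes a copyleft hit actionable."""
    sbom = json.loads(sbom_json)
    depths = depth_map(sbom)
    names = {c["bom-ref"]: c["name"] for c in sbom.get("components", [])}
    names[sbom["metadata"]["component"]["bom-ref"]] = sbom["metadata"]["component"]["name"]
    rows = []
    for comp in sbom.get("components", []):
        depth, parent = depths.get(comp["bom-ref"], (None, None))
        lic = license_of(comp)
        rows.append({"name": comp["name"], "version": comp.get("version", "?"),
                     "ref": comp["bom-ref"], "license": lic, "class": classify(lic),
                     "scope": "direct" if depth == 1 else "transitive" if depth else "unreferenced",
                     "via": names.get(parent)})
    return rows

def audit_findings(rows):
    """What the checklist says to record: copyleft hits plus every license the
    scanner could not classify (the 'fail on unknown or custom' rule)."""
    return [r for r in rows if r["class"] != "permissive"]

if __name__ == "__main__":
    for r in inventory(SAMPLE_SBOM):
        via = f"  (via {r['via']})" if r["scope"] == "transitive" else ""
        print(f"{r['name']:<10} {r['version']:<7} {r['scope']:<12} {r['class']:<10} {r['license']}{via}")
```

Run against a real SBOM, `audit_findings` is the list to paste into the register: `fontlib` shows up as LGPL reached through `pdfkit`, and `vendorsdk` and `mystery` show up because their licenses cannot be classified, which is exactly the case the SCA scan is configured to fail on.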

Section 2: Open-Source License Review

  1. Confirm the product distribution model
    • Pure SaaS distribution carries different obligations than shipping a downloadable binary, mobile app, or on-prem container. Most permissive licenses (MIT, Apache-2.0, BSD) only trigger attribution when you distribute artifacts; AGPL triggers on network use regardless. Mark Yes if the company ships binaries, container images, mobile apps, or on-prem agents to customers.

  2. Map each license to its intended use
    • Use the company's approved-license policy as the rubric. Common allow-list: MIT, Apache-2.0, BSD-2/3-Clause, ISC, MPL-2.0 (file-level copyleft is usually acceptable). Common deny-list for proprietary SaaS: AGPL, SSPL, Commons Clause, custom non-OSI licenses.

  3. Escalate copyleft conflicts to legal and engineering
    • For each flagged dep, document three options for the engineering owner: replace with a permissive alternative, isolate behind a service boundary that breaks the copyleft scope, or accept the obligation and publish source. Loop in legal before any decision — copyleft scope determinations are jurisdiction-specific and not safe to make alone.
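
Steps 1 to 3 together describe a policy decision: the distribution model fixes which obligations are live, the allow/deny lists map each license to a verdict, and anything short of "allow" goes to the engineering owner with the three options. The script below is an added example for this checklist, not any vendor's policy engine. It evaluates full SPDX expressions (so a dual-licensed `MIT OR GPL-2.0-only` package resolves to its permissive branch while `MIT AND GPL-2.0-only` does not), takes a `distributes` flag that corresponds to the "Mark Yes" question in step 1, and attaches the escalation options to every non-allowed result. The allow and deny lists are the ones named in step 2; the obligation strings are illustrative summaries for the owner, not legal determinations.

```python
"""Evaluate SPDX license expressions against an approved-license policy for a
given distribution model. Added example for this checklist; lists mirror the
step above, and the obligation text is a summary for engineers, not counsel."""
import re

ALLOW = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC", "MPL-2.0"}
# Denied whatever the distribution model: obligations trigger on network use
# (AGPL, SSPL) or the terms are non-OSI (Commons Clause).
DENY = {"AGPL-3.0-only", "AGPL-3.0-or-later", "SSPL-1.0", "Commons-Clause"}
# Copyleft whose obligations attach to distributing artifacts: always a review
# item; the concrete trigger depends on whether anything ships to customers.
DISTRIBUTION_COPYLEFT = ("GPL-", "LGPL-")
RANK = {"allow": 0, "review": 1, "deny": 2}
ESCALATION_OPTIONS = ("replace with a permissive alternative",
                      "isolate behind a service boundary (legal to confirm scope)",
                      "accept the obligation and publish source")

def decide_term(term, distributes):
    """Decision for one SPDX id. distributes=True when the company ships
    binaries, container images, mobile apps or on-prem agents."""
    base = term.split(" WITH ")[0]          # an exception clause keeps the base family
    if base in ALLOW:
        obligation = ("ship copyright notice + license text with the artifact"
                      if distributes else "no distribution: attribution not triggered")
        return ("allow", f"{base}: {obligation}")
    if base in DENY:
        return ("deny", f"{base}: deny-listed (network-use trigger or non-OSI terms)")
    if base.startswith(DISTRIBUTION_COPYLEFT):
        trigger = ("shipping the artifact triggers source-disclosure obligations"
                   if distributes else "SaaS-only use; copyleft scope still needs legal review")
        return ("review", f"{base}: {trigger}")
    if base.startswith("LicenseRef-") or base in ("UNKNOWN", "NOASSERTION"):
        return ("deny", f"{base}: custom or unclassified license")
    return ("review", f"{base}: not on the allow-list")

def tokenize(expr):
    """Ids, operators and parentheses of an SPDX expression, with
    'X WITH exception' folded into a single term."""
    raw = re.findall(r"\(|\)|[A-Za-z0-9.+\-]+", expr)
    tokens, i = [], 0
    while i < len(raw):
        if raw[i] == "WITH" and tokens and i + 1 < len(raw):
            tokens[-1] = f"{tokens[-1]} WITH {raw[i + 1]}"
            i += 2
        else:
            tokens.append(raw[i])
            i += 1
    return tokens

def evaluate(expr, distributes):
    """Recursive descent over the expression: for 'A OR B' (dual licensing) the
    friendliest branch wins; for 'A AND B' both apply, so the strictest wins."""
    tokens, pos = tokenize(expr), 0

    def parse_or():
        nonlocal pos
        left = parse_and()
        while pos < len(tokens) and tokens[pos] == "OR":
            pos += 1
            left = min(left, parse_and(), key=lambda d: RANK[d[0]])
        return left

    def parse_and():
        nonlocal pos
        left = parse_atom()
        while pos < len(tokens) and tokens[pos] == "AND":
            pos += 1
            left = max(left, parse_atom(), key=lambda d: RANK[d[0]])
        return left

    def parse_atom():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            inner = parse_or()
            pos += 1                        # consume the closing ')'
            return inner
        return decide_term(tok, distributes)

    return parse_or()

def review(deps, distributes):
    """deps: {package: spdx expression}. One row per package for the owner and
    legal, with the three escalation options attached to anything not allowed."""
    rows = []
    for name, expr in deps.items():
        decision, reason = evaluate(expr, distributes)
        rows.append({"name": name, "expression": expr, "decision": decision, "reason": reason,
                     "options": ESCALATION_OPTIONS if decision != "allow" else ()})
    return rows

if __name__ == "__main__":
    sample = {"left-pad": "MIT", "pdfkit": "MIT OR GPL-2.0-only", "fontlib": "LGPL-3.0-only",
              "queue": "AGPL-3.0-only", "vendorsdk": "LicenseRef-acme-eula"}   # constructed
    for r in review(sample, distributes=False):
        print(f"{r['name']:<10} {r['decision']:<7} {r['reason']}")
```

The OR/AND asymmetry is the part worth keeping even if the lists change: a scanner that only looks at the first identifier in an expression will either wave through `MIT AND GPL-2.0-only` or block a dual-licensed package that is perfectly usable under its MIT branch.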

  4. Get legal sign-off on the open-source inventory
    • Counsel reviews the full inventory and any escalated conflicts before procurement and release work proceeds. Capture a signature with the date — auditors (SOC 2, M&A diligence) ask for evidence that legal reviewed the inventory, not just that it exists.

Section 3: Commercial License Procurement

  1. Identify paid IDE and SaaS licenses needed
    • Common engineering line items: JetBrains All Products Pack, GitHub Enterprise, Datadog, Sentry, Snyk, 1Password Business, Atlassian Jira/Confluence, Figma. Cross-reference against current headcount + planned hires for the renewal term, not just current seats.

  2. Negotiate seat counts and term length with vendors
    • Multi-year terms get 10–20% discounts but lock you in; annual gives flexibility but fewer concessions. For volume tiers (Datadog hosts, Snyk projects), get the next tier's pricing in writing so a mid-term overage doesn't trigger list-price billing.

  3. Record purchase orders and renewal dates
    • Log each license in the central register with vendor, contract effective date, renewal date, auto-renewal flag, and notice-of-non-renewal window. Set a calendar reminder 90 days before each renewal — vendor auto-renewal clauses commonly require 30–60 days written notice to cancel.

  4. Confirm activation and seat assignments
    • Verify that SCIM or SSO provisioning is wired up before assigning seats manually — manual assignment becomes an offboarding gap when an engineer leaves. Reconcile vendor-side seat counts against the IdP source of truth (Okta, Entra ID, Google Workspace).

Section 4: Ongoing Compliance and Monitoring

  1. Configure Dependabot or Renovate license alerts
    • Renovate's allowedLicenses config and Snyk's policy engine can fail PRs that introduce a denylisted license. Wire this into branch protection so the rule can't be bypassed with a stale CI check — see the SOC 2 change-management control.

  2. Schedule the quarterly seat-utilization audit
    • Pull last-login dates from each commercial vendor's admin console. Reclaim any seat dormant for more than 60 days — most teams overpay by 15–25% on JetBrains, Datadog, and Atlassian seats assigned to alumni or contractors who rolled off.
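
The renewal-window rule from Section 3 step 3, the IdP reconciliation from Section 3 step 4 and the dormant-seat rule from the step above are all date arithmetic over the license register and a seat export, so one script can run them together each quarter. The example below is added for this checklist and is not a client for any vendor or IdP API; the register, the vendor seat export and the IdP active-user list are constructed sample data, and the 90-day horizon, 30-to-60-day notice windows and 60-day dormancy threshold are the figures the checklist itself gives.

```python
"""Quarterly commercial-license housekeeping: renewals due within the horizon
(with the last day to send non-renewal notice), seats with no active IdP
identity, and seats dormant past the threshold. Added example for this
checklist; all data below is constructed."""
from datetime import date, timedelta

# Constructed central register: one row per contract.
REGISTER = [
    {"vendor": "JetBrains", "renewal": date(2025, 7, 15), "auto_renew": True, "notice_days": 30},
    {"vendor": "Datadog", "renewal": date(2025, 5, 20), "auto_renew": True, "notice_days": 60},
    {"vendor": "Figma", "renewal": date(2025, 11, 1), "auto_renew": False, "notice_days": 0},
]
# Constructed export from a vendor admin console (seat holder + last login).
VENDOR_SEATS = [
    {"vendor": "JetBrains", "email": "ana@example.com", "last_login": date(2025, 4, 28)},
    {"vendor": "JetBrains", "email": "bob@example.com", "last_login": date(2025, 1, 10)},
    {"vendor": "JetBrains", "email": "carl@example.com", "last_login": date(2025, 4, 30)},
    {"vendor": "JetBrains", "email": "dana@example.com", "last_login": date(2025, 2, 1)},
]
# Constructed IdP export (Okta / Entra ID / Google Workspace): active users only.
IDP_ACTIVE = {"ana@example.com", "carl@example.com", "dana@example.com"}

def renewals_due(register, today, horizon_days=90):
    """Contracts renewing inside the horizon. For auto-renewing contracts the
    notice deadline is renewal date minus the notice window; if that deadline
    has already passed, the contract will renew whether anyone wants it to or not."""
    out = []
    for row in register:
        days_left = (row["renewal"] - today).days
        if 0 <= days_left <= horizon_days:
            deadline = (row["renewal"] - timedelta(days=row["notice_days"])
                        if row["auto_renew"] else None)
            out.append({"vendor": row["vendor"], "renewal": row["renewal"],
                        "days_left": days_left, "notice_deadline": deadline,
                        "notice_overdue": deadline is not None and deadline < today})
    return sorted(out, key=lambda r: r["renewal"])

def seat_findings(seats, idp_active, today, dormant_days=60):
    """Seats to act on: holder missing from the IdP (offboarding gap, revoke)
    or no login for more than dormant_days (reclaim). The IdP is the source of
    truth, so the identity check runs before the dormancy check."""
    findings = []
    for s in seats:
        if s["email"] not in idp_active:
            findings.append((s["vendor"], s["email"], "no active IdP identity: revoke"))
        elif (today - s["last_login"]).days > dormant_days:
            findings.append((s["vendor"], s["email"], "dormant: reclaim seat"))
    return findings

if __name__ == "__main__":
    today = date(2025, 5, 1)            # constructed audit date
    for r in renewals_due(REGISTER, today):
        flag = "  NOTICE WINDOW MISSED" if r["notice_overdue"] else ""
        print(f"{r['vendor']:<10} renews {r['renewal']} in {r['days_left']:>3}d, "
              f"notice by {r['notice_deadline']}{flag}")
    for vendor, email, action in seat_findings(VENDOR_SEATS, IDP_ACTIVE, today):
        print(f"{vendor:<10} {email:<20} {action}")
```

With the constructed data the Datadog row is the instructive one: the renewal is 19 days out, but its 60-day notice window closed in March, so a reminder set at 90 days would have caught it while one set at the renewal date would not.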

  3. Monitor upstream relicensing announcements
    • Recent precedents: Elasticsearch (Apache → SSPL/Elastic in 2021), MongoDB (AGPL → SSPL in 2018), Redis (BSD → SSPL/RSAL in 2024), HashiCorp Terraform (MPL → BSL in 2023). Subscribe to the upstream blog or GitHub Discussions for any dep that's foundational to the product.

  4. Train engineers on the approved-license policy
    • Cover the allow-list, the deny-list, what to do when a PR fails the license check, and the escalation path for a business-critical dep that's denylisted. Include onboarding training for new hires — most license violations come from engineers who didn't know there was a policy.

Section 5: Documentation and Audit Reporting

  1. Compile the NOTICE file with attribution text
    • Apache-2.0 requires NOTICE propagation; MIT and BSD require copyright + license text. Tools like license-checker, go-licenses, or FOSSA's attribution export produce the file in the format auditors expect. Ship it inside the binary, the container image, and the public download page.

  2. Attach the SBOM to the release artifact
    • Sign the SBOM with Cosign or sigstore so downstream consumers can verify provenance — SLSA Level 3 and federal procurement baselines now expect signed SBOMs. Publish alongside the release in GitHub Releases or your artifact registry.

  3. Generate the quarterly compliance report
    • Summarize: new dependencies added since last quarter, license changes detected, copyleft escalations resolved, seat-utilization findings, and renewal calendar for the next 90 days. This is the artifact SOC 2 auditors and M&A diligence reviewers ask for first.

  4. Update the license register on dependency changes
    • Treat the register as a living document, not an annual artifact. Any merged PR that adds, removes, or upgrades a top-level dependency should trigger a register update — automate the diff via a CI job that compares the lockfile before and after, and posts a summary to the register.
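
The CI job described above and the "new dependencies added, license changes detected" lines of the quarterly report in step 3 come from the same computation: a diff of two SBOMs, one from the previous release or quarter and one from the current build. The script below is an added example for this checklist, not a feature of any SBOM tool; both SBOMs are constructed, and the license change on `kvstore-client` is made up to show what an upstream relicensing looks like in the diff.

```python
"""Diff two CycloneDX SBOMs (previous vs current) into the summary the
register and quarterly report need: added, removed, upgraded, and
license-changed dependencies. Added example for this checklist; both
documents are constructed."""
import json

BEFORE = json.dumps({"components": [
    {"name": "left-pad", "version": "1.3.0", "licenses": [{"license": {"id": "MIT"}}]},
    {"name": "kvstore-client", "version": "4.6.0", "licenses": [{"license": {"id": "BSD-3-Clause"}}]},
    {"name": "old-util", "version": "0.9.0", "licenses": [{"license": {"id": "ISC"}}]},
]})
AFTER = json.dumps({"components": [
    {"name": "left-pad", "version": "1.3.0", "licenses": [{"license": {"id": "MIT"}}]},
    {"name": "kvstore-client", "version": "5.0.0", "licenses": [{"expression": "SSPL-1.0"}]},
    {"name": "new-lib", "version": "2.1.0", "licenses": [{"license": {"id": "Apache-2.0"}}]},
]})

def component_map(sbom_json):
    """{name: (version, license)} from an SBOM's component list; a component
    with no license entry is recorded as UNKNOWN so it shows up in the diff."""
    out = {}
    for c in json.loads(sbom_json).get("components", []):
        entry = (c.get("licenses") or [{}])[0]
        lic = (entry.get("expression") or entry.get("license", {}).get("id")
               or entry.get("license", {}).get("name") or "UNKNOWN")
        out[c["name"]] = (c.get("version", "?"), lic)
    return out

def diff_sboms(before_json, after_json):
    """Four buckets: added (name, version, license), removed (name, version),
    upgraded (name, old, new) and license_changed (name, old, new)."""
    before, after = component_map(before_json), component_map(after_json)
    report = {"added": [], "removed": [], "upgraded": [], "license_changed": []}
    for name in sorted(set(before) | set(after)):
        if name not in before:
            report["added"].append((name, after[name][0], after[name][1]))
        elif name not in after:
            report["removed"].append((name, before[name][0]))
        else:
            (v0, l0), (v1, l1) = before[name], after[name]
            if v0 != v1:
                report["upgraded"].append((name, v0, v1))
            if l0 != l1:
                report["license_changed"].append((name, l0, l1))
    return report

def requires_register_update(report):
    """True when anything changed; a CI job gates the register-update step on this."""
    return any(report.values())

def render(report):
    """Plain-text summary the CI job posts to the register or pastes into the
    quarterly report; each bucket is a count followed by its rows."""
    lines = []
    for bucket, rows in report.items():
        lines.append(f"{bucket}: {len(rows)}")
        lines.extend("  - " + " ".join(str(x) for x in row) for row in rows)
    return "\n".join(lines)

if __name__ == "__main__":
    report = diff_sboms(BEFORE, AFTER)
    print(render(report))
    print("register update needed:", requires_register_update(report))
```

Because the diff keys on the declared license and not just the version, an upstream relicensing that arrives with a routine version bump (the pattern in Section 4 step 3) lands in `license_changed` rather than being buried in `upgraded`.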
