Software Licensing Compliance Checklist

License Inventory and SBOM Generation

    Run Syft, CycloneDX-CLI, or your build tool's native SBOM generator (e.g., npm sbom, Maven CycloneDX plugin) against the production build artifact — not just the repo. Generating against the repo misses transitive deps that only appear in the resolved lockfile. Save the SBOM as a release artifact since EO 14028 federal contracts require it.

    Snyk, FOSSA, GitHub Advanced Security, and Black Duck all surface license metadata alongside CVE data. Configure the scan to fail on unknown or custom licenses — these are the most common cause of audit findings since reviewers can't classify them automatically.

    Reconcile the SBOM and SCA outputs against the license register. Pay attention to deps that pulled in new transitive dependencies since the last review — package authors swap implementations regularly, and a benign MIT lib can silently start depending on an LGPL package.

    GPL, AGPL, LGPL, SSPL, and Elastic License 2.0 all carry obligations that may conflict with proprietary distribution. AGPL is the highest-risk for SaaS — it triggers source disclosure on network use, not just distribution. Note any matches with package name, version, and the file path where it's referenced.
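The reconciliation step above, as an added example that is not part of this checklist or of any vendor tool: it parses a CycloneDX JSON SBOM (the kind Syft emits with `-o cyclonedx-json`), buckets each component as allowed, denied or unknown against an allow/deny policy, and fails the gate on unknown or custom licenses. The `triage` and `scan_passes` names, the policy sets and the sample SBOM are all constructed for the example.

```python
# Added example: triage a CycloneDX JSON SBOM against an allow/deny policy.
# Not part of the checklist or any vendor tool; the SBOM below is constructed.
import json

ALLOW = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC", "MPL-2.0"}
DENY = {"GPL-2.0-only", "GPL-3.0-only", "LGPL-2.1-only", "LGPL-3.0-only",
        "AGPL-3.0-only", "AGPL-3.0-or-later", "SSPL-1.0", "Elastic-2.0"}

# Constructed sample in the CycloneDX 1.5 JSON shape, trimmed to the fields used.
SAMPLE_SBOM = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"name": "express", "version": "4.19.2", "purl": "pkg:npm/express@4.19.2",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"name": "libfoo", "version": "1.2.0", "purl": "pkg:npm/libfoo@1.2.0",
     "licenses": [{"license": {"id": "LGPL-3.0-only"}}]},
    {"name": "vendor-sdk", "version": "0.9.1", "purl": "pkg:npm/vendor-sdk@0.9.1",
     "licenses": [{"license": {"name": "Custom Vendor EULA"}}]},   # non-SPDX name
    {"name": "leftover", "version": "2.0.0", "purl": "pkg:npm/leftover@2.0.0"},  # no license
]})


def component_licenses(component):
    """SPDX ids, free-text names or expressions declared on one component."""
    found = []
    for entry in component.get("licenses", []):
        lic = entry.get("license", {})
        # CycloneDX permits an SPDX `id`, a free-text `name`, or a top-level `expression`.
        found.append(lic.get("id") or lic.get("name") or entry.get("expression") or "")
    return [f for f in found if f]


def triage(sbom_json, allow=ALLOW, deny=DENY):
    """Bucket each component; 'unknown' = missing metadata, custom names or SPDX expressions."""
    findings = {"allowed": [], "denied": [], "unknown": []}
    for comp in json.loads(sbom_json).get("components", []):
        ref = comp.get("purl") or f"{comp.get('name')}@{comp.get('version')}"
        lics = component_licenses(comp)
        if not lics or any(l not in (allow | deny) for l in lics):
            bucket = "unknown"          # reviewers can't classify it; needs a human
        elif any(l in deny for l in lics):
            bucket = "denied"           # copyleft or source-available conflict
        else:
            bucket = "allowed"
        findings[bucket].append((ref, lics))
    return findings


def scan_passes(findings):
    """CI gate: fail on any denied or unknown license, as the checklist advises."""
    return not findings["denied"] and not findings["unknown"]
```

Each finding carries the purl so the package name, version and ecosystem land in the register together.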

Open-Source License Review

    Pure SaaS distribution carries different obligations than shipping a downloadable binary, mobile app, or on-prem container. Most permissive licenses (MIT, Apache-2.0, BSD) only trigger attribution when you distribute artifacts; AGPL triggers on network use regardless. Mark Yes if the company ships binaries, container images, mobile apps, or on-prem agents to customers.

    Use the company's approved-license policy as the rubric. Common allow-list: MIT, Apache-2.0, BSD-2/3-Clause, ISC, MPL-2.0 (file-level copyleft is usually acceptable). Common deny-list for proprietary SaaS: AGPL, SSPL, Commons Clause, custom non-OSI licenses.

    For each flagged dep, document three options for the engineering owner: replace with a permissive alternative, isolate behind a service boundary that breaks the copyleft scope, or accept the obligation and publish source. Loop in legal before any decision — copyleft scope determinations are jurisdiction-specific and not safe to make alone.

    Counsel reviews the full inventory and any escalated conflicts before procurement and release work proceeds. Capture a signature with the date — auditors (SOC 2, M&A diligence) ask for evidence that legal reviewed the inventory, not just that it exists.

Commercial License Procurement

    Common engineering line items: JetBrains All Products Pack, GitHub Enterprise, Datadog, Sentry, Snyk, 1Password Business, Atlassian Jira/Confluence, Figma. Cross-reference against current headcount + planned hires for the renewal term, not just current seats.

    Multi-year terms get 10–20% discounts but lock you in; annual gives flexibility but fewer concessions. For volume tiers (Datadog hosts, Snyk projects), get the next tier's pricing in writing so a mid-term overage doesn't trigger list-price billing.

    Log each license in the central register with vendor, contract effective date, renewal date, auto-renewal flag, and notice-of-non-renewal window. Set a calendar reminder 90 days before each renewal — vendor auto-renewal clauses commonly require 30–60 days written notice to cancel.

    Verify that SCIM or SSO provisioning is wired up before assigning seats manually — manual assignment becomes an offboarding gap when an engineer leaves. Reconcile vendor-side seat counts against the IdP source of truth (Okta, Entra ID, Google Workspace).

Ongoing Compliance and Monitoring

    Renovate's allowedLicenses config and Snyk's policy engine can fail PRs that introduce a denylisted license. Wire this into branch protection so the rule can't be bypassed with a stale CI check — see the SOC 2 change-management control.

    Pull last-login dates from each commercial vendor's admin console. Reclaim any seat dormant for more than 60 days — most teams overpay by 15–25% on JetBrains, Datadog, and Atlassian seats assigned to alumni or contractors who rolled off.

    Recent precedents: Elasticsearch (Apache → SSPL/Elastic in 2021), MongoDB (AGPL → SSPL in 2018), Redis (BSD → SSPL/RSAL in 2024), HashiCorp Terraform (MPL → BSL in 2023). Subscribe to the upstream blog or GitHub Discussions for any dep that's foundational to the product.

    Cover the allow-list, the deny-list, what to do when a PR fails the license check, and the escalation path for a business-critical dep that's denylisted. Include onboarding training for new hires — most license violations come from engineers who didn't know there was a policy.

Documentation and Audit Reporting

    Apache-2.0 requires NOTICE propagation; MIT and BSD require copyright + license text. Tools like license-checker, go-licenses, or FOSSA's attribution export produce the file in the format auditors expect. Ship it inside the binary, the container image, and the public download page.

    Sign the SBOM with Cosign (Sigstore) so downstream consumers can verify provenance — SLSA Level 3 and federal procurement baselines now expect signed SBOMs. Publish alongside the release in GitHub Releases or your artifact registry.

    Summarize: new dependencies added since last quarter, license changes detected, copyleft escalations resolved, seat-utilization findings, and renewal calendar for the next 90 days. This is the artifact SOC 2 auditors and M&A diligence reviewers ask for first.

    Treat the register as a living document, not an annual artifact. Any merged PR that adds, removes, or upgrades a top-level dependency should trigger a register update — automate the diff via a CI job that compares the lockfile before and after, and posts a summary to the register.
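The before/after lockfile comparison described above, as an added example that is not part of this checklist or of any tool: it diffs two npm `package-lock.json` snapshots (lockfileVersion 2/3), reports added, removed and upgraded packages, flags which ones are top-level, and carries the declared license of each new package so new transitive dependencies are visible too. Both lockfiles and the `diff_lockfiles` name are constructed for the example.

```python
# Added example: diff two npm package-lock.json snapshots for a register update.
# Not part of the checklist or any tool; both lockfiles below are constructed.
import json

BEFORE = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "app", "dependencies": {"express": "^4.18.0"}},
    "node_modules/express": {"version": "4.18.2", "license": "MIT"},
    "node_modules/body-parser": {"version": "1.20.0", "license": "MIT"},
    "node_modules/old-dep": {"version": "1.0.0", "license": "MIT"},
}})

AFTER = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "app", "dependencies": {"express": "^4.19.0", "left-pad": "^1.3.0"}},
    "node_modules/express": {"version": "4.19.2", "license": "MIT"},
    "node_modules/left-pad": {"version": "1.3.0", "license": "WTFPL"},
    "node_modules/body-parser": {"version": "1.20.2", "license": "MIT"},
    "node_modules/some-lgpl-lib": {"version": "0.1.0", "license": "LGPL-3.0-only"},
}})


def _packages(lock_json):
    """Map node_modules path -> (version, declared license); also the top-level names."""
    pkgs = json.loads(lock_json).get("packages", {})
    root = pkgs.get("", {})   # the "" entry is the project itself
    top = set(root.get("dependencies", {})) | set(root.get("devDependencies", {}))
    resolved = {path: (meta.get("version"), meta.get("license", "UNKNOWN"))
                for path, meta in pkgs.items() if path}
    return resolved, top


def diff_lockfiles(before_json, after_json):
    """Return added/removed/upgraded packages, each marked top_level or transitive."""
    old, old_top = _packages(before_json)
    new, new_top = _packages(after_json)

    def entry(path, top_set):
        name = path.rsplit("node_modules/", 1)[-1]   # nested paths keep the leaf name
        return {"path": path, "top_level": name in top_set}

    report = {"added": [], "removed": [], "upgraded": []}
    for path in sorted(set(new) - set(old)):
        report["added"].append({**entry(path, new_top), "version": new[path][0], "license": new[path][1]})
    for path in sorted(set(old) - set(new)):
        report["removed"].append({**entry(path, old_top), "version": old[path][0]})
    for path in sorted(set(old) & set(new)):
        if old[path][0] != new[path][0]:
            report["upgraded"].append({**entry(path, new_top), "from": old[path][0], "to": new[path][0]})
    return report
```

In CI, feed it the lockfile from the base branch and from the PR head, and post the report to the register whenever any entry has `top_level` set or a new package carries a license outside the allow-list.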
