License compliance

Catch AGPL contamination on day one, not in diligence

Acquirer counsel finds the GPL-licensed dep buried six levels deep in your transitive tree six weeks into the deal. RepoWarden surfaces it the day someone adds it.

01 Why buyers care

License contamination kills acquisitions

It's a lawyer problem until it's a fire. Procurement asks. Auditors ask. Engineering doesn't have time to police the SPDX field on every transitive dep — RepoWarden does.

Acquisition deal-breaker

AGPL inside a closed-source SaaS surfaces during diligence, slashes valuation, and forces a six-week refactor under deal pressure.

Customer procurement gates

Enterprise buyers ask for a software bill of materials with licenses. "We don't track that" is a stalled deal.

Supply-chain license flips

A maintainer changes their license from MIT to BUSL — the npm registry lets it through. RepoWarden flags the change between versions as a high-priority finding.

02 How it works

Every dep, resolved to a canonical SPDX id

RepoWarden walks every direct dependency, normalises the license to a canonical SPDX identifier, and evaluates it against the license your project ships under.

  • package.json `license` field is the first source of truth.
  • npm registry metadata fills in deps that don't carry their own.
  • LICENSE-file scan catches old packages with no manifest field.
  • Anything we can't auto-detect is surfaced as "needs review" — never guessed.
  • Dual-licensed (`MIT OR GPL-2.0`) deps pick the most permissive option for you.

Example license report

  Verdict   Package              License               Source
  allowed   react                MIT                   manifest
  allowed   @anthropic-ai/sdk    MIT OR Apache-2.0     manifest
  allowed   node-cron            ISC                   registry
  block     obscure-helper       AGPL-3.0-only         manifest
  warn      legacy-pkg           unknown               needs review

# Default policy: PROPRIETARY project
MIT, Apache-2.0, BSD, ISC: allowed
MPL-2.0, LGPL: warn
GPL-2.0, GPL-3.0: block (critical)
AGPL-3.0: block (critical)
Unknown: warn (needs review)

03 Policy engine

Policies tuned to your project license

Tell us once whether the repo is proprietary, MIT, Apache, GPL, or AGPL — RepoWarden picks the right matrix. Need a different rule? Compliance-tier customers can override the verdict on any SPDX id without writing a custom checker.

  • Sensible defaults for the common cases — proprietary, permissive, copyleft.
  • AGPL/GPL in a closed-source codebase is always a Critical task.
  • License changes between dep versions trigger a notification, even when the new license is permissive.
  • Per-repo overrides for teams that have explicit legal sign-off on a specific license.
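The resolution and policy steps described in sections 02 and 03 (normalise each license string to an SPDX id, apply the matrix for the declared project license, pick the most permissive branch of a dual license, send anything unrecognised to review, and flag a license flip between versions) can be sketched in a few dozen lines. The block below is an added example, not RepoWarden's code: the alias table, the proprietary-project policy matrix, the task-priority mapping and the two sample dependency lists are constructed assumptions for illustration, and only flat `A OR B` / `A AND B` expressions are parsed (parenthesised expressions are sent to review).

```javascript
// Added example (not RepoWarden's code): a minimal license-policy evaluator.
// Alias table, policy matrix, priority mapping and sample deps are assumptions.

// Free-form manifest/registry strings -> canonical SPDX ids (constructed subset).
const SPDX_ALIASES = {
  'mit': 'MIT',
  'apache-2.0': 'Apache-2.0', 'apache 2.0': 'Apache-2.0', 'apache2': 'Apache-2.0',
  'bsd-2-clause': 'BSD-2-Clause', 'bsd-3-clause': 'BSD-3-Clause', 'bsd': 'BSD-3-Clause',
  'isc': 'ISC',
  'mpl-2.0': 'MPL-2.0',
  'lgpl-2.1': 'LGPL-2.1-only', 'lgpl-3.0': 'LGPL-3.0-only',
  'gpl-2.0': 'GPL-2.0-only', 'gpl-2.0-only': 'GPL-2.0-only',
  'gpl-3.0': 'GPL-3.0-only', 'gpl-3.0-only': 'GPL-3.0-only',
  'agpl-3.0': 'AGPL-3.0-only', 'agpl-3.0-only': 'AGPL-3.0-only',
  'busl-1.1': 'BUSL-1.1',
};

// Normalise one license string to an SPDX id, or null when it is not
// recognised: an unknown string is surfaced for review, never guessed.
function toSpdx(raw) {
  if (typeof raw !== 'string') return null;
  return SPDX_ALIASES[raw.trim().toLowerCase()] ?? null;
}

// Verdict matrix for a PROPRIETARY project, modelled on the default policy
// block above. Ids missing from the matrix fall back to "warn" (needs review).
const POLICY_PROPRIETARY = {
  'MIT': 'allow', 'Apache-2.0': 'allow', 'BSD-2-Clause': 'allow',
  'BSD-3-Clause': 'allow', 'ISC': 'allow',
  'MPL-2.0': 'warn', 'LGPL-2.1-only': 'warn', 'LGPL-3.0-only': 'warn',
  'GPL-2.0-only': 'block', 'GPL-3.0-only': 'block', 'AGPL-3.0-only': 'block',
  'BUSL-1.1': 'block', // assumption: source-available, not OSI-approved
};

const RANK = { allow: 0, warn: 1, block: 2 };                         // lower = more permissive
const PRIORITY = { allow: null, warn: 'medium', block: 'critical' };  // assumed task mapping

// Evaluate one SPDX expression. Top-level "A OR B" picks the most permissive
// branch; "A AND B" inside a branch takes the strictest, because both apply.
function evaluate(expression, policy = POLICY_PROPRIETARY) {
  if (typeof expression !== 'string' || expression.trim() === '') {
    return { verdict: 'warn', license: null, reason: 'no license detected; needs review' };
  }
  if (expression.includes('(')) {
    return { verdict: 'warn', license: expression, reason: 'complex expression; needs review' };
  }
  let best = null;
  for (const branch of expression.split(/\s+OR\s+/)) {
    let worst = null;
    for (const term of branch.split(/\s+AND\s+/)) {
      const spdx = toSpdx(term);
      const cand = spdx === null
        ? { verdict: 'warn', license: term.trim(), reason: 'unrecognised license; needs review' }
        : { verdict: policy[spdx] ?? 'warn', license: spdx,
            reason: policy[spdx] ? `${spdx} is ${policy[spdx]}ed by policy` : 'not in policy; needs review' };
      if (worst === null || RANK[cand.verdict] > RANK[worst.verdict]) worst = cand;
    }
    if (best === null || RANK[worst.verdict] < RANK[best.verdict]) best = worst;
  }
  return best;
}

// One finding per resolved dependency ({ name, version, license, source }).
function scan(deps, policy = POLICY_PROPRIETARY) {
  return deps.map((d) => {
    const r = evaluate(d.license, policy);
    return { name: d.name, version: d.version, source: d.source, license: r.license,
             verdict: r.verdict, priority: PRIORITY[r.verdict], reason: r.reason };
  });
}

// Deps whose resolved license changed between two scans. The flip is high
// priority even when the new license is permissive.
function licenseFlips(before, after) {
  const prev = new Map(before.map((f) => [f.name, f]));
  const flips = [];
  for (const f of after) {
    const p = prev.get(f.name);
    if (p && p.license !== f.license) {
      flips.push({ name: f.name, from: `${p.license}@${p.version}`,
                   to: `${f.license}@${f.version}`, priority: 'high' });
    }
  }
  return flips;
}

// Constructed sample trees: the second one has node-cron flip to BUSL-1.1.
const SAMPLE_BEFORE = [
  { name: 'react', version: '18.2.0', license: 'MIT', source: 'manifest' },
  { name: '@anthropic-ai/sdk', version: '0.20.0', license: 'MIT OR Apache-2.0', source: 'manifest' },
  { name: 'node-cron', version: '3.0.2', license: 'ISC', source: 'registry' },
  { name: 'obscure-helper', version: '1.4.0', license: 'AGPL-3.0-only', source: 'manifest' },
  { name: 'legacy-pkg', version: '0.9.1', license: 'SEE LICENSE IN LICENSE.txt', source: 'license-file' },
];
const SAMPLE_AFTER = SAMPLE_BEFORE.map((d) =>
  d.name === 'node-cron' ? { ...d, version: '4.0.0', license: 'BUSL-1.1' } : d);

console.table(scan(SAMPLE_AFTER));
console.table(licenseFlips(scan(SAMPLE_BEFORE), scan(SAMPLE_AFTER)));
```

Running it prints the per-dependency verdicts for the second tree and a single flip row for `node-cron`. Swapping `POLICY_PROPRIETARY` for a matrix keyed to a GPL or AGPL project is what changes the verdicts; the resolution logic stays the same.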

Per-repo Licenses tab

A breakdown chart of every license in your tree, a filterable dependency table grouped by ruling, and inline change tracking when a dep flips license between scans.

  • License breakdown chart, ranked by frequency
  • Filter by Blocked / Review / Unknown
  • Dependency-level rationale for every verdict
  • Inline policy editor for switching project license

License conflicts as tasks

Conflicts land in the same kanban as CVEs and dependency updates. Severity is tuned to your declared project license — AGPL inside a proprietary repo is always Critical.

  • Critical priority for AGPL/GPL in proprietary repos
  • License-changed-between-versions surfaced as high priority
  • Bundled per repo so the kanban doesn't get spammed
  • Included in the public compliance report (when enabled)

Get started

Know what's in your dependency tree

Connect a repo, declare its license, and get a per-dependency verdict on the next scan. No agents, no CI changes.