Day 4 of 60
Static analysis & type-time
License compliance
The cheapest legal letter you'll ever receive is the one that doesn't arrive. The GPL-in-proprietary discovery is uglier on a lawyer's desk than on an engineer's.
Problem
Incompatible licenses (GPL in proprietary code, AGPL in SaaS) creating legal exposure.
How it works
Scanner that walks the dependency tree and reports license terms. Block-list configured per project type.
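The walk-and-block-list mechanism above, as an added example (not code from ScanCode, FOSSA or Snyk). It assumes a constructed dependency tree with SPDX license identifiers and a simplified per-project-type block-list; it fails closed on packages whose license the scanner could not determine, which is the case that bites in practice.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumption: simplified block-list keyed by project type, mirroring the
# page's two exposure cases (GPL in proprietary code, AGPL in SaaS).
# Real policy is a legal decision, not an engineering constant.
BLOCK_LIST = {
    "proprietary": {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only",
                    "GPL-3.0-or-later", "AGPL-3.0-only", "AGPL-3.0-or-later"},
    "saas": {"AGPL-3.0-only", "AGPL-3.0-or-later"},
}

@dataclass
class Package:
    name: str
    license: Optional[str]            # None = scanner could not determine it
    deps: List["Package"] = field(default_factory=list)

def walk(pkg: Package, path: Tuple[str, ...] = ()):
    """Yield (path, package) for every node, depth-first, so transitive
    dependencies are reported with the chain that pulled them in."""
    path = path + (pkg.name,)
    yield path, pkg
    for dep in pkg.deps:
        yield from walk(dep, path)

def check(root: Package, project_type: str):
    """Return findings as (dependency chain, license, reason)."""
    blocked = BLOCK_LIST[project_type]
    findings = []
    for path, pkg in walk(root):
        chain = " > ".join(path)
        if pkg.license is None:           # unknown license: fail closed
            findings.append((chain, None, "unknown license"))
        elif pkg.license in blocked:
            findings.append((chain, pkg.license, "blocked for " + project_type))
    return findings

def gate(root: Package, project_type: str) -> bool:
    """Merge gate: True only when the tree has no findings."""
    return not check(root, project_type)

# Constructed sample tree: a transitive AGPL driver hidden under an MIT
# framework, a direct GPL utility, and one package with no license metadata.
SAMPLE = Package("app", "MIT", [
    Package("httplib", "Apache-2.0"),
    Package("webframework", "MIT", [Package("dbdriver", "AGPL-3.0-only")]),
    Package("gpl-util", "GPL-3.0-only"),
    Package("leftover", None),
])
```

For a SaaS project the GPL utility passes (no distribution) while the AGPL driver and the unlicensed package still block the merge; for a proprietary project all three are findings.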
What it catches
Legal/IP risk. Mostly a checklist item, but the cost of finding out late is enormous.
Tools
- ScanCode Toolkit (OSS)
- FOSSA (SaaS)
- Snyk License (SaaS)
Verdict by project size
| Project size | Verdict |
|---|---|
| Small | Skip |
| Medium | Optional |
| Large | Recommended |
| Extra-large | Must |
Cost
| Project size | Setup | Maint / mo | Tool / mo | CI / run |
|---|---|---|---|---|
| Small <10k LOC | 2h | 0.25h | $0 | +0.25m |
| Medium 10–100k LOC | 1d | 2h | $0 | +0.5m |
| Large 100k–1M LOC | 5d | 10h | $1k | +1m |
| Extra-large >1M LOC | 15d | 40h | $5k | +2m |
Setup = engineer-days to first useful run · Maint = engineer-hours / month at steady state · Tool = out-of-pocket $ / month · CI = minutes added (or saved) per pipeline run
Lifecycle & ownership
When in lifecycle
Code · Build
Per pull request · Runs in CI on every PR; gates merge.
Who owns it
Developer
Authoring + the inner loop
Collaborates with: Security / AppSec
Reference implementations
- ScanCode Toolkit: open-source license and package metadata scanner used for compliance workflows.
- FOSSA CLI: dependency license and compliance scanning workflow used in CI.
- ORT: end-to-end open-source review toolkit for license, vulnerability, and provenance analysis.
Quick check
What is the primary risk license-compliance scanning addresses?