What is license-compliance-checker?

A tool that automatically verifies license compliance across dependencies during migration, including license identification, compatibility checks, copyleft flagging, attribution tracking, policy enforcement, and report generation.

What outputs does it produce?

An analysis payload with licenses, SPDX IDs, compatibility, attribution requirements, risk levels, a compliance status, and an SBOM path suitable for auditing.

How does it integrate with migration processes?

It plugs into migration workflows (e.g., dependency-analysis-updates, legacy-codebase-assessment) and can integrate with external tools via API (FOSSA, WhiteSource, Black Duck) or CLI (license-checker, licensee, go-licenses, pip-licenses).

license-compliance-checker

npx machina-cli add skill a5c-ai/babysitter/license-compliance-checker --openclaw

Files (1)

SKILL.md

2.9 KB

License Compliance Checker Skill

Automated verification of license compliance across all project dependencies to ensure legal compliance during migration activities.

Purpose

Enable comprehensive license compliance checking for:

Dependency license identification
Compatibility verification
Copyleft license flagging
Attribution requirement tracking
Policy enforcement

Capabilities

1. License Identification

Extract licenses from dependencies
Parse SPDX identifiers
Detect custom licenses
Handle multi-license packages

2. Compatibility Checking

Verify license compatibility
Check against project license
Identify conflicting licenses
Map dependency license chains

3. Copyleft License Flagging

Detect GPL/AGPL licenses
Identify viral clauses
Flag distribution implications
Alert on copyleft in proprietary projects

4. Attribution Requirement Tracking

Collect NOTICE requirements
Track attribution obligations
Generate attribution documents
Monitor compliance completeness

5. Policy Enforcement

Define allowed/blocked licenses
Enforce organizational policies
Generate compliance reports
Track policy violations

6. Compliance Report Generation

Create audit-ready reports
Generate SBOM with licenses
Produce attribution files
Export compliance evidence

Tool Integrations

Tool	Purpose	Integration Method
FOSSA	Full compliance platform	API
WhiteSource	License scanning	API
Black Duck	Comprehensive analysis	API
license-checker	npm license checking	CLI
licensee	License detection	CLI
go-licenses	Go license checking	CLI
pip-licenses	Python license checking	CLI

Output Schema

{
  "analysisId": "string",
  "timestamp": "ISO8601",
  "projectLicense": "string",
  "dependencies": [
    {
      "name": "string",
      "version": "string",
      "license": "string",
      "spdxId": "string",
      "compatible": "boolean",
      "attributionRequired": "boolean",
      "riskLevel": "high|medium|low|none"
    }
  ],
  "compliance": {
    "status": "compliant|non-compliant|review-required",
    "violations": [],
    "warnings": [],
    "attributionNeeded": []
  },
  "sbom": {
    "format": "SPDX|CycloneDX",
    "path": "string"
  }
}

Integration with Migration Processes

dependency-analysis-updates: License verification
legacy-codebase-assessment: Compliance assessment

Related Skills

dependency-scanner: Dependency discovery
vulnerability-scanner: Security + compliance

Related Agents

dependency-modernization-agent: License-safe updates
compliance-migration-agent: Full compliance

Source

git clone https://github.com/a5c-ai/babysitter/blob/main/plugins/babysitter/skills/babysit/process/specializations/code-migration-modernization/skills/license-compliance-checker/SKILL.md

View on GitHub

Overview

Automatically verify license compliance across all project dependencies during migration. Identifies licenses, checks compatibility with the project license, flags copyleft risks, tracks attribution requirements, enforces policies, and generates audit-ready reports and SBOMs.

How This Skill Works

The skill extracts licenses from dependencies, parses SPDX identifiers, and detects custom or multi-license packages. It then validates license compatibility, flags copyleft issues, collects attribution requirements, enforces policy rules, and produces a formal compliance report and SBOM suitable for audits.

When to Use It

During migration or modernization of a codebase to ensure dependencies meet organizational licensing policies
When upgrading dependencies to identify license changes and potential policy violations
For legacy codebase assessments prior to migration to establish baseline compliance
During legal/compliance audits to generate SBOMs and attribution documents
When enforcing or validating organizational license policies across a multi-language project

Quick Start

Step 1: Run license-compliance-checker on the target repository with your policy configuration
Step 2: Review dependencies for SPDX licenses, compatibility, and copyleft flags
Step 3: Export the SBOM and compliance report for audit and governance

Best Practices

Map every dependency to its SPDX license identifier and note any custom licenses
Flag copyleft licenses early and assess distribution implications for proprietary projects
Cross-check dependency licenses against the project license and policy allowlists/denylists
Capture NOTICE requirements and attribution obligations; generate attribution documents
Generate and store SBOMs and compliance evidence for audits and regulatory reviews

Example Use Cases

Migrating a Node.js monorepo to a modern dependency set while ensuring license compliance
Upgrading Python dependencies in a legacy application with license risk assessment
Rehosting a Java project with Maven dependencies and validating license compatibility
Upgrading Go modules and mapping transitive licenses for copyleft considerations
Generating an SBOM and compliance report for a multi-language project during migration

Frequently Asked Questions

Add this skill to your agents