OpenSCA is an open source software supply chain security solution that supports the detection of open source dependencies, vulnerabilities and license compliance with a widely noticed accuracy by the community.

Security & License Compliance For Your App's Dependencies 🪱

SW360 project

ScanCode.io is a server to script and automate software composition analysis with pipelines. This project is sponsored by the European Commission, NLnet NGI0, the Google Summer of Code, nexB and others generous sponsors!

Repository to hold the new UI framework for FOSSology built with React

GitHub Action for license compliance: Python, JavaScript, iOS, Android and more.

This repo contains license and copyright analysis results of open source packages. It further contains other license compliance relevant artifacts, which might be of value for others

Chrome/Firefox browser extension to compare text against spdx license list

Rust scanner for ScanCode-compatible workflows, licenses, package metadata, SBOMs, and provenance data.

OSS license watchdog. Monitors GitHub repos you depend on and alerts you when a license changes, explaining exactly what you can no longer do.

🔐⛵ Effortless dependency compliance with your license policies

Deterministically map license strings to their canonical identifiers

Generate open source software notices (OSS Notice) from SBOM documents — SPDX, CycloneDX, Excel → HTML/Text/Markdown/PDF. Offline, type-safe Python core with CLI, local API, and an installable desktop app.

bitbake layer repository for intergrating osselot into the build process

Lucy is a component analysis platform to minimize the risk of license infringements and to support and optimize the license compliance process.

License compliance for Node applications made ultra easy. Provide it a string of licenses or fetch licenses dynamically from an online source.

Toolset that helps you with creating and interacting with SBOMs, enriching with licensing and copyright information, and checking for Open Source license compliance

Fast cross-ecosystem dependency license compatibility checker + Claude Code review skill

Hawkeye Agent is an enterprise-grade, AI-native security guardrail that evaluates open-source packages in milliseconds. It gives you a definitive verdict on license compliance, known vulnerabilities (CVE/CVSS), OpenSSF Scorecard health, and deep transitive dependencies (SBOM).

BomLens — a local-first SBOM generator & open-source risk assessor (CycloneDX). Produce an SBOM, an open-source notice, and a security/license risk report from source code, containers, binaries, firmware, or an SBOM you received. CLI or web UI, no SaaS.