Recipe

OSS license audit summarizer

Scan a repository's dependency tree and produce a one-page compliance summary grouped by license risk tier.

Goal

Given a repo URL, walk its package manifest, resolve transitive dependencies, classify each license into green / yellow / red tiers, and emit a markdown report suitable for legal review.

Input schema

{
  "repo_url": "https://github.com/org/project",
  "manifest_path": "package.json",
  "max_depth": 5,
  "fail_on": ["GPL-3.0", "AGPL-3.0"]
}

Risk tiers

  • green — MIT, Apache-2.0, BSD-2/3-Clause, ISC, Unlicense
  • yellow — LGPL-2.1, MPL-2.0, EPL-1.0, CC-BY-4.0
  • red — GPL-3.0, AGPL-3.0, SSPL, BUSL-1.1

Output shape

## License Audit — org/project

### Red (blocking)
| Package | Version | License |
|---------|---------|---------|
| leftpad | 1.3.0   | GPL-3.0 |

### Yellow (review)
| Package | Version | License |
|---------|---------|---------|
| libxml  | 2.11.5  | MPL-2.0 |

### Green (cleared)
| Package | Version | License |
|---------|---------|---------|
| react   | 18.2.0  | MIT     |

### Summary
- Total deps: 247
- Red: 1, Yellow: 3, Green: 243
- Blocked by: leftpad (GPL-3.0)

Implementation notes

  • Use npm-license-crawler or an equivalent tool to resolve the dependency tree and each package's declared license
  • Cache results keyed by repo + commit SHA
  • Exit code 1 when any fail_on license is present
  • Split dual-license expressions (e.g. "MIT OR GPL-3.0") into their components and classify the package by the most restrictive one
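
A minimal classifier and report builder covering the risk tiers, the output shape and the implementation notes above, added here as an example and not the recipe's own code. It runs over a constructed dependency list in place of a real resolver, and assumes that a missing or unrecognised license is treated as red:

```javascript
// Added example: tier classification, dual-license handling and the fail_on gate.
const TIERS = {
  green: ['MIT', 'Apache-2.0', 'BSD-2-Clause', 'BSD-3-Clause', 'ISC', 'Unlicense'],
  yellow: ['LGPL-2.1', 'MPL-2.0', 'EPL-1.0', 'CC-BY-4.0'],
  red: ['GPL-3.0', 'AGPL-3.0', 'SSPL', 'BUSL-1.1'],
};
const RANK = { green: 0, yellow: 1, red: 2 };
// Assumption: an unknown or missing license is red, so it never lands in "cleared".
function tierOf(id) {
  for (const [tier, ids] of Object.entries(TIERS)) if (ids.includes(id)) return tier;
  return 'red';
}
// Split an SPDX expression such as "(MIT OR GPL-3.0)" into its component ids.
function components(expr) {
  return String(expr || 'UNKNOWN').replace(/[()]/g, '').split(/\s+(?:OR|AND)\s+/i);
}
// Dual-licensed packages are classified by their most restrictive component.
function classify(expr) {
  return components(expr).map(tierOf).reduce((a, b) => (RANK[b] > RANK[a] ? b : a), 'green');
}
// fail_on uses exact component match, so "GPL-3.0" does not trip on "AGPL-3.0".
function audit(deps, failOn) {
  const buckets = { red: [], yellow: [], green: [] };
  for (const d of deps) buckets[classify(d.license)].push(d);
  const blocked = deps.filter(d => components(d.license).some(c => failOn.includes(c)));
  return { buckets, blocked, exitCode: blocked.length ? 1 : 0 };
}
// Render the output shape above; a CLI wrapper would print md and process.exit(exitCode).
function report(repo, deps, failOn) {
  const { buckets, blocked, exitCode } = audit(deps, failOn);
  const lic = d => d.license ?? 'UNKNOWN';
  const table = rows => ['| Package | Version | License |', '|---------|---------|---------|',
    ...rows.map(d => `| ${d.name} | ${d.version} | ${lic(d)} |`)].join('\n');
  const md = [`## License Audit — ${repo}`, '', '### Red (blocking)', table(buckets.red), '',
    '### Yellow (review)', table(buckets.yellow), '', '### Green (cleared)', table(buckets.green),
    '', '### Summary', `- Total deps: ${deps.length}`,
    `- Red: ${buckets.red.length}, Yellow: ${buckets.yellow.length}, Green: ${buckets.green.length}`,
    `- Blocked by: ${blocked.map(d => `${d.name} (${lic(d)})`).join(', ') || 'none'}`].join('\n');
  return { md, exitCode };
}

// Constructed sample resolver output (not from any real repository).
const SAMPLE_DEPS = [
  { name: 'react', version: '18.2.0', license: 'MIT' },
  { name: 'libxml', version: '2.11.5', license: 'MPL-2.0' },
  { name: 'leftpad', version: '1.3.0', license: 'GPL-3.0' },
  { name: 'dualpkg', version: '0.4.1', license: '(MIT OR GPL-3.0)' },
  { name: 'mystery', version: '1.0.0', license: undefined },
];
```

Calling `report('org/project', SAMPLE_DEPS, ['GPL-3.0', 'AGPL-3.0'])` yields the markdown plus `exitCode: 1`, with leftpad and the dual-licensed dualpkg listed as blocking and the unlicensed mystery package in the red table for review.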

This recipe ships as a standalone CLI tool. For CI integration, pipe the JSON output to your compliance pipeline.