OpenSource Risk Experts
Map your blast radius

ASSESSMENT

An open source license audit service that ranks your exposure, not just your components.

Our open source license audit service maps every open source dependency you run and the current license state of each one, direct and transitive. You receive a ranked, defensible picture of what governs your software, including the components that have quietly changed terms since you adopted them.

An open source license audit service answers a question most teams cannot answer on demand: what licenses govern the software we run today, and where has that changed since we adopted it. A list of packages is not enough. The license state of a component can move under you when a new release ships under different terms, and a scanner that ran last quarter will not have caught it. The audit confirms the current state of each dependency and reads it in the context of how you deploy.

What the audit covers

  • A full dependency tree, direct and transitive, across the repositories and services in scope.
  • The current license state of every node, with relicensed components flagged.
  • Risk-ranked findings, so attention follows exposure.
  • A clear path to contain each material finding.

Why license state changes catch teams out

A component adopted under a permissive license can later move to source available terms. In August 2023 HashiCorp moved Terraform, Vault, Consul, Nomad and Packer to the Business Source License. In March 2024 Redis moved to dual licensing under the Redis Source Available License and the Server Side Public License. In January 2021 Elastic moved Elasticsearch and Kibana from Apache 2.0 to the Server Side Public License and the Elastic License. None of these changes rewrites the copy already in your build: the release you pinned keeps the license it shipped with. The new terms attach to releases published after the change, so they bite the next time you upgrade, redistribute, or offer the software as a competing service. The audit surfaces exactly those situations, including transitive dependencies that pull a relicensed component in without anyone having chosen it.
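As an added illustration, not the audit service's own tooling, the following Python shows the mechanics the two sections above describe: it walks a dependency graph from the deploying service, compares the license of the pinned release against the license of the release the next upgrade would pull in, flags moves to source available terms, and ranks findings by how many nodes pull each component in. Every package name, graph edge and license state below is constructed for the example; the SPDX style identifiers in SOURCE_AVAILABLE are the only real values.

```python
"""Flag relicensed dependencies in a dependency graph and rank them by exposure.

Added example, not the audit service's tooling. All package names, graph
edges and licence states below are constructed for illustration.
"""
from collections import deque

# Licence identifiers (SPDX style) that are source available, not OSI-approved.
SOURCE_AVAILABLE = {"SSPL-1.0", "BUSL-1.1", "Elastic-2.0", "RSALv2"}

# Constructed dependency graph: node -> its direct dependencies.
# "app" is the deploying service; its edges are the direct dependencies.
GRAPH = {
    "app": ["web-framework", "kvstore-client"],
    "web-framework": ["templating", "kvstore-client"],
    "kvstore-client": ["kvstore-server"],  # client pulls the server in transitively
    "templating": [],
    "kvstore-server": [],
}

# Licence declared by the release pinned in the lockfile (constructed).
PINNED = {
    "web-framework": "MIT",
    "kvstore-client": "BSD-3-Clause",
    "kvstore-server": "BSD-3-Clause",
    "templating": "Apache-2.0",
}

# Licence of the latest release the next upgrade would pull in (constructed,
# standing in for a registry metadata or upstream LICENSE file check).
CURRENT = {
    "web-framework": "Apache-2.0",   # changed, but still OSI-approved
    "kvstore-client": "BSD-3-Clause",
    "kvstore-server": "SSPL-1.0",    # moved to source available terms
    "templating": "Elastic-2.0",     # moved to source available terms
}


def depths(graph, root="app"):
    """Shortest path from root to every reachable node: 1 = direct, >1 = transitive."""
    seen = {root: 0}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for dep in graph.get(node, []):
            if dep not in seen:
                seen[dep] = seen[node] + 1
                queue.append(dep)
    return seen


def dependents(graph, target):
    """Every node that reaches target, directly or transitively (root included)."""
    reverse = {}
    for parent, deps in graph.items():
        for dep in deps:
            reverse.setdefault(dep, set()).add(parent)
    result, queue = set(), deque([target])
    while queue:
        node = queue.popleft()
        for parent in reverse.get(node, ()):
            if parent not in result:
                result.add(parent)
                queue.append(parent)
    return result


def audit(graph, pinned, current, root="app"):
    """Return findings sorted most exposed first.

    A finding is raised when the licence of the next release differs from the
    pinned one, or when the pinned licence is already source available.
    Ordering: source available terms first, then by the number of nodes that
    pull the component in (a leaf reached by many paths outranks a direct
    dependency nobody else needs), then by depth from the root.
    """
    depth = depths(graph, root)
    findings = []
    for name, d in depth.items():
        if name == root:
            continue
        before, after = pinned.get(name), current.get(name)
        if before == after and before not in SOURCE_AVAILABLE:
            continue
        pulled_by = dependents(graph, name)
        findings.append({
            "component": name,
            "pinned": before,
            "current": after,
            "relicensed": before != after,
            "source_available": after in SOURCE_AVAILABLE,
            "depth": d,
            "exposure": len(pulled_by),
            "pulled_by": sorted(pulled_by),
        })
    findings.sort(key=lambda f: (-f["source_available"], -f["exposure"], f["depth"]))
    return findings


if __name__ == "__main__":
    for f in audit(GRAPH, PINNED, CURRENT):
        flag = "SOURCE-AVAILABLE" if f["source_available"] else "relicensed"
        print(f"{f['component']:16} {f['pinned']} -> {f['current']:12} "
              f"{flag:16} exposure={f['exposure']} via {', '.join(f['pulled_by'])}")
```

In the constructed data kvstore-server ranks first even though nobody chose it directly: it is two hops deep and reached through both the app and the web framework, which is exactly the transitive case a scanner that only lists declared packages misses. The web-framework change from MIT to Apache 2.0 is still reported as relicensed, because a term change is worth a look even when the destination is OSI-approved, but it sorts last.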

Source available is not open source

The Server Side Public License and the Business Source License are not approved by the Open Source Initiative. Treating them as ordinary open source is how exposure accumulates. The audit names each license family plainly and explains what it restricts, so the picture you hand to your board reflects reality.

From audit to action

The audit is the foundation. From there, a relicensing exposure review sizes the cost of any changes it finds, and a containment plan reroutes to safe alternatives or negotiated terms. For the full method, read the open source license risk guide, or start a confidential open source license risk assessment with us. You can also review the full list of advisory services.

We work only from the buyer side. We do not resell software, we take no vendor fees, and we are paid only by you. That is why the audit names risk plainly rather than softening it.

COMMON QUESTIONS

Questions buyers ask.

What does an open source license audit service do?

An open source license audit service maps every open source dependency you run, direct and transitive, records the current license state of each one, and ranks the exposure. The result is a defensible picture of what governs your software, including components that quietly changed terms.

How is an audit different from a scanner report?

A scanner lists components. An open source license audit service reads them in context, confirms the current license state, flags relicensed dependencies such as those now under the Business Source License or the Server Side Public License, and tells you which findings carry real production risk.

Will the audit tell us what to fix first?

Yes. Findings are ranked by exposure, so the first action retires the largest risk. Each item carries a path to contain it, whether that is a fork, a removal, or a negotiated commercial license.

Is the open source license audit service legal advice?

No. It is commercial and licensing risk advisory, not legal advice. For interpretation of license terms and compliance we recommend your own counsel.

ASSESSMENT

Know what governs your software, today.

A confidential open source license audit service. Independent, buyer side, paid only by you.

Not ready to talk? Read the free open source license risk guides first.

Independent, confidential, buyer side. See how buyers contained their exposure →

Start your audit