OBLIGATIONS . EVIDENCE
Open Source License Compliance Assessment
An open source license compliance assessment maps every dependency you run, records the obligations attached to each one, and checks your practice against them. You leave with a defensible record of what you run, under which terms, and since when, ready for a vendor, an auditor, or a deal.
Open source compliance fails quietly. Attribution that was never collected, a copyleft component that crept into a shipped product, a source available dependency mistaken for permissive, a network use clause that triggered an obligation no one tracked. None of these are visible until a vendor letter, an audit, or a deal forces the question. An open source license compliance assessment surfaces those gaps on your own timeline, while they are still cheap to close.
What the open source license compliance assessment checks
We resolve your full dependency tree, direct and transitive, and attach the obligations carried by each license. Permissive licenses usually require attribution and notice. Copyleft licenses can require source disclosure, and the GNU AGPL extends that to software offered over a network. Source available licenses such as the Business Source License and the Server Side Public License are not open source and carry competitive use limits or far-reaching service obligations. We name which obligations apply to your distribution and service patterns, and which do not.
We then check your current practice against those obligations. Where attribution is missing, we say so. Where a copyleft reach is wider than your release process assumes, we flag it. Where a relicensed component such as Terraform, Redis, or Elasticsearch now sits under terms you have not accounted for, we record what changed and when. The output is a clear gap list, ranked by exposure, not a generic checklist.
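As an added illustration of the two steps just described, the following Python is not the firm's tooling or code from this page. It takes a constructed dependency graph labelled with SPDX license identifiers, attaches obligation categories to each license (a simplified mapping assumed here for illustration; the real obligations depend on the license text and version), checks a declared distribution and service pattern plus the notices already collected against those obligations, and returns a gap list ranked by exposure. Component names, license assignments, and severity weights are all constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum


class Obligation(Enum):
    ATTRIBUTION = "attribution and notice"
    SOURCE_DISCLOSURE = "source disclosure on distribution"
    NETWORK_SOURCE_DISCLOSURE = "source disclosure when offered over a network"
    COMPETITIVE_USE_LIMIT = "competitive use limit (source available, not open source)"
    SERVICE_OBLIGATION = "far-reaching service obligations (source available, not open source)"


# Simplified, illustrative mapping from SPDX identifier to obligation categories.
# Assumption for the example: exact obligations depend on the license text and
# version, which is why interpretation stays with counsel.
LICENSE_OBLIGATIONS = {
    "MIT": {Obligation.ATTRIBUTION},
    "Apache-2.0": {Obligation.ATTRIBUTION},
    "GPL-3.0-only": {Obligation.ATTRIBUTION, Obligation.SOURCE_DISCLOSURE},
    "AGPL-3.0-only": {Obligation.ATTRIBUTION, Obligation.SOURCE_DISCLOSURE,
                      Obligation.NETWORK_SOURCE_DISCLOSURE},
    "BUSL-1.1": {Obligation.COMPETITIVE_USE_LIMIT},
    "SSPL-1.0": {Obligation.SERVICE_OBLIGATION},
}

# Constructed exposure weights used to rank the gap list: higher is worse.
SEVERITY = {
    Obligation.SERVICE_OBLIGATION: 4,
    Obligation.COMPETITIVE_USE_LIMIT: 4,
    Obligation.NETWORK_SOURCE_DISCLOSURE: 3,
    Obligation.SOURCE_DISCLOSURE: 3,
    Obligation.ATTRIBUTION: 1,
}
UNKNOWN_LICENSE_SEVERITY = 4  # an unidentified license is itself a top-ranked gap


@dataclass(frozen=True)
class Context:
    distributes: bool             # you ship binaries or images to third parties
    network_service: bool         # you offer the software as a service over a network
    attributed: frozenset         # components whose notices are already collected
    source_disclosed: frozenset   # components whose corresponding source is published


@dataclass(frozen=True)
class Gap:
    component: str
    direct: bool
    license: str
    obligation: str
    severity: int


def resolve_tree(graph, roots):
    """Flatten a dependency graph into {name: is_direct}; cycles are handled."""
    resolved = {r: True for r in roots}
    stack = list(roots)
    while stack:
        for child in graph.get(stack.pop(), ()):
            if child not in resolved:
                resolved[child] = False
                stack.append(child)
    return resolved


def applies(ob, ctx):
    """Does the declared distribution/service pattern trigger this obligation?"""
    if ob is Obligation.NETWORK_SOURCE_DISCLOSURE:
        return ctx.network_service
    if ob is Obligation.SOURCE_DISCLOSURE:
        return ctx.distributes
    if ob is Obligation.ATTRIBUTION:
        return ctx.distributes or ctx.network_service  # conservative simplification
    return True  # source-available terms bite regardless of how you deploy


def is_met(ob, name, ctx):
    """Check practice against the obligation; contractual limits are never auto-cleared."""
    if ob is Obligation.ATTRIBUTION:
        return name in ctx.attributed
    if ob in (Obligation.SOURCE_DISCLOSURE, Obligation.NETWORK_SOURCE_DISCLOSURE):
        return name in ctx.source_disclosed
    return False


def assess(graph, roots, licenses, ctx):
    """Return the gap list, ranked by severity, then direct before transitive."""
    gaps = []
    for name, direct in resolve_tree(graph, roots).items():
        lic = licenses.get(name, "UNKNOWN")
        if lic not in LICENSE_OBLIGATIONS:
            gaps.append(Gap(name, direct, lic, "license not identified", UNKNOWN_LICENSE_SEVERITY))
            continue
        for ob in LICENSE_OBLIGATIONS[lic]:
            if applies(ob, ctx) and not is_met(ob, name, ctx):
                gaps.append(Gap(name, direct, lic, ob.value, SEVERITY[ob]))
    return sorted(gaps, key=lambda g: (-g.severity, not g.direct, g.component, g.obligation))


# Constructed sample inventory: three direct dependencies, two transitive, one cycle.
SAMPLE_GRAPH = {"web-framework": ["tiny-util"], "tiny-util": ["web-framework"],
                "report-lib": ["pdf-engine"]}
SAMPLE_ROOTS = ["web-framework", "cache-client", "report-lib"]
SAMPLE_LICENSES = {"web-framework": "Apache-2.0", "tiny-util": "MIT",
                   "cache-client": "SSPL-1.0", "report-lib": "GPL-3.0-only",
                   "pdf-engine": "AGPL-3.0-only"}
SAMPLE_CONTEXT = Context(distributes=True, network_service=True,
                         attributed=frozenset({"web-framework", "tiny-util", "report-lib"}),
                         source_disclosed=frozenset({"report-lib"}))

if __name__ == "__main__":
    for g in assess(SAMPLE_GRAPH, SAMPLE_ROOTS, SAMPLE_LICENSES, SAMPLE_CONTEXT):
        print(f"[{g.severity}] {g.component} ({g.license}, {'direct' if g.direct else 'transitive'}): {g.obligation}")
```

On the sample inventory the ranked list leads with the source-available client, because its service terms cannot be cleared by collecting a notice, followed by the transitive AGPL component whose source has not been published, and ends with the missing attribution for that same component. Flipping both context flags to false leaves only the source-available gap, which is the "which obligations do not apply" half of the check.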
A record you can defend
The deliverable is built to stand up to scrutiny. When a vendor or an auditor asks what you run and under which terms, an open-ended inquiry becomes a bounded, answerable question because the evidence already exists. The same record speeds a deal, where a buyer or seller needs a credible view of open source obligations fast. For the broader exposure picture, pair this with the open source license risk assessment, and to keep the record current, the open source governance and policy service. The wider context sits on the open source license risk pillar.
Independent and buyer side
We take no vendor fees and resell no software. The compliance assessment reflects your obligations and your risk, not a sale. That independence is the reason the record is credible to the people who will read it, and the reason we will tell you plainly where you are already compliant and need do nothing.
COMMON QUESTIONS
Questions buyers ask.
What is an open source license compliance assessment?
An open source license compliance assessment maps every dependency you run, records the license obligations attached to each one, and checks your current practice against them. It produces a defensible record of what you run, under which terms, and since when, ready for a vendor, an auditor, or a deal.
How is compliance different from a risk assessment?
A risk assessment ranks where exposure sits and what it costs. A compliance assessment focuses on obligations: attribution, source disclosure, copyleft reach, and competitive use limits. The two overlap and are often run together, with the risk view setting priorities and the compliance view confirming you meet each obligation.
Do you check copyleft and AGPL obligations?
Yes. We trace copyleft reach, including the network use clause in the GNU AGPL, and flag where distribution or service patterns trigger source disclosure. We also flag source available licenses such as the Business Source License and the Server Side Public License, which are not open source and carry their own restrictions.
Is this legal advice?
No. This is commercial and licensing risk advisory, not legal advice. We map obligations and check practice against them. For interpretation of license terms and your compliance position, we recommend you engage your own counsel.
CONTAINMENT
Build a record you can defend.
A confidential open source license risk assessment. Independent, buyer side, paid only by you.
Not ready to talk? Read the free open source license risk guides first.