Tags: Compliance · Open Source · SPDX · Offline · Deep Prototype

License Hawk — OSS License Compliance

Paste a package.json. Get every dependency's license classified, copyleft and proprietary flagged against your chosen distribution profile (SaaS, OSS, on-prem), a per-class obligations breakdown, and an auto-generated NOTICE file.


What it is

A license-compliance auditor that takes a package.json (or any SPDX list), classifies every dependency, and tells you which licenses are blocking your chosen distribution model.

What it does

  • Recognizes 36 SPDX licenses across five classes: permissive (MIT, BSD, Apache, ISC, 0BSD, CC0, Unlicense …), weak copyleft (MPL-2.0, EPL-2.0, LGPL-2.1/3.0, CDDL), strong copyleft (GPL-2.0/3.0, AGPL-3.0, OSL-3.0, CC-BY-SA), source-available proprietary (BUSL-1.1, SSPL-1.0, Elastic-2.0, Commons Clause, UNLICENSED), and unknown.
  • Parses SPDX expressions like "MIT OR Apache-2.0" (picks the most permissive option) and "GPL-2.0 AND Apache-2.0" (picks the most restrictive — what you must comply with).
  • Three distribution profiles: closed-source SaaS, open-source MIT/Apache, on-prem distributed binaries. Each has its own block/warn policy.
  • Per-package verdict — BLOCKED / review / ok, sorted by severity so the dangerous ones surface first.
  • Per-class obligations — what permissive actually requires (attribution preservation), what weak copyleft means in practice (file-level disclosure), why AGPL bites SaaS specifically, what BUSL/SSPL/Elastic actually prohibit.
  • NOTICE file generator — auto-builds the attribution file you need to ship with any distribution. Grouped by license, ready to drop in.
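An added example, not License Hawk's own code, of the OR/AND resolution and per-profile verdicts described above: a small SPDX-expression evaluator that returns the governing license, then audits a dependency map against a profile and sorts BLOCKED rows first. The license table, the profile policies (including the AGPL override for SaaS) and the `deps` input shape are constructed assumptions.

```javascript
// Added example, not License Hawk's code: SPDX expression -> governing license
// class, then a profile verdict. License table and policies are constructed.
const RANK = { permissive: 0, weak: 1, strong: 2, proprietary: 3, unknown: 4 };
const LICENSE_CLASS = {                       // constructed subset of a license DB
  "MIT": "permissive", "Apache-2.0": "permissive", "ISC": "permissive", "BSD-3-Clause": "permissive",
  "MPL-2.0": "weak", "LGPL-3.0": "weak", "EPL-2.0": "weak",
  "GPL-2.0": "strong", "GPL-3.0": "strong", "AGPL-3.0": "strong",
  "BUSL-1.1": "proprietary", "SSPL-1.0": "proprietary", "UNLICENSED": "proprietary",
};
// Constructed profile policies: class -> verdict, plus per-license overrides.
const PROFILES = {
  saas:   { permissive: "ok", weak: "review", strong: "review", proprietary: "BLOCKED", unknown: "review",
            overrides: { "AGPL-3.0": "BLOCKED" } },   // AGPL treats network use as distribution
  oss:    { permissive: "ok", weak: "review", strong: "BLOCKED", proprietary: "BLOCKED", unknown: "review" },
  onprem: { permissive: "ok", weak: "review", strong: "BLOCKED", proprietary: "BLOCKED", unknown: "review" },
};
const SEVERITY = { BLOCKED: 0, review: 1, ok: 2 };

// Normalise "GPL-2.0-only" / "GPL-2.0-or-later" / "GPL-2.0+" to the base id in the table.
function lookup(tok) {
  const id = tok.replace(/-only$|-or-later$|\+$/, "");
  return { id, cls: LICENSE_CLASS[id] || "unknown" };
}

// Grammar: expr := term ("OR" term)*; term := atom ("AND" atom)*; atom := ID | "(" expr ")".
// OR keeps the least restrictive operand, AND the most restrictive (what you must comply with).
function evaluateSpdx(expr) {
  const t = expr.replace(/[()]/g, " $& ").trim().split(/\s+/);
  let i = 0;
  const isOp = (s) => /^(AND|OR)$/i.test(s || "");
  function atom() {
    if (t[i] === "(") { i++; const v = orExpr(); if (t[i++] !== ")") throw new Error("unbalanced parentheses"); return v; }
    if (!t[i] || t[i] === ")" || isOp(t[i])) throw new Error(`expected license id at token ${i}`);
    return lookup(t[i++]);
  }
  function andExpr() { let c = atom(); while (/^AND$/i.test(t[i] || "")) { i++; const r = atom(); if (RANK[r.cls] > RANK[c.cls]) c = r; } return c; }
  function orExpr()  { let c = andExpr(); while (/^OR$/i.test(t[i] || "")) { i++; const r = andExpr(); if (RANK[r.cls] < RANK[c.cls]) c = r; } return c; }
  const out = orExpr();
  if (i !== t.length) throw new Error(`unexpected token "${t[i]}"`);
  return out;
}

// deps: { name: spdxExpression } (constructed shape; a real auditor first resolves each
// dependency's license from node_modules, since package.json itself only lists versions).
function audit(deps, profile) {
  const policy = PROFILES[profile];
  return Object.entries(deps).map(([name, expr]) => {
    const { id, cls } = evaluateSpdx(expr);
    const verdict = (policy.overrides && policy.overrides[id]) || policy[cls];
    return { name, expr, governing: id, cls, verdict };
  }).sort((a, b) => SEVERITY[a.verdict] - SEVERITY[b.verdict] || a.name.localeCompare(b.name));
}
```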

Four fixtures pre-loaded: a clean SaaS stack, a mixed-risk stack, a GPL trap with 15 deps of which 4 are blocked under the SaaS profile, and a raw SPDX-only list.

Why this matters

License audits are the kind of work that gets deferred until a customer’s procurement team asks for an SBOM. By then it’s three weeks of unpicking transitive dependencies, replacing the ones that GPL-trapped your stack, and explaining to leadership why mariadb-server was a problem nobody saw.

The tool catches the trap at install time. Paste the package.json, see the four red rows, swap the deps before they ship.

How it ships

Single HTML file, ~30KB. Zero dependencies. The license DB, SPDX-expression parser, profile policies, obligations text, and NOTICE generator are 540 lines of vanilla JavaScript. Works air-gapped.
