LicenseCheck - Automated Dependency License Scanning and Compliance Reports

Scan your GitHub repos weekly for dependency license violations (GPL in proprietary code, unlicensed dependencies). Auto-generate compliance reports and alert via Slack when risky licenses are added.

𝕏 Post Reddit HN

Difficulty

beginner

What is it?

Developers add dependencies without checking licenses. A GPL library in a closed-source SaaS is a legal risk. LicenseCheck solves this by automatically scanning a repo's package.json (and lock files) weekly via GitHub webhook, fetching metadata for each dependency from npm or PyPI, classifying licenses (MIT, Apache-2.0, GPL, proprietary, unknown), and flagging violations against a configurable policy (e.g., 'no GPL', 'no copyleft', 'require license file'). It generates a compliance report (CSV, JSON), stores results in Supabase for trending, and sends a Slack alert if new violations are found. Why 100% buildable now: npm and PyPI have stable APIs for package metadata. SPDX (Software Package Data Exchange) has a standardized license database. GitHub webhooks and Actions are mature. No ML or complex logic needed—just API queries and policy matching.

Why now?

Log4j vulnerability (2021) and SolarWinds supply chain attack (2020) elevated license and supply chain awareness. SPDX standard is now widely adopted by package registries. GitHub Actions is mature, making integrations seamless.

▸Automated weekly scan of package.json, yarn.lock, requirements.txt for all dependencies
▸License classification and compliance policy engine (user-configurable: no GPL, no copyleft, etc.)
▸Slack alerts when new violations are detected in a merge or commit
▸Dashboard showing license breakdown by repo, trending over time, and violation history

Target Audience

Engineering teams at mid-market SaaS companies (100-500 engineers). Compliance-conscious startups (YC, funded). TAM: ~8k SaaS companies with 10+ engineers.

Example Use Case

Priya, engineering lead at a $5M ARR fintech SaaS, discovered via an audit that a developer had added a GPL-licensed library to their codebase 6 months ago, creating significant legal exposure. LicenseCheck would have flagged this within 24 hours. She now uses it to scan on every merge and has a policy configured that blocks GPL and AGPL, saving her legal team $20k in remediation time.

User Stories

▸As an engineering lead, I want to automatically scan my repos for GPL dependencies so that I can avoid legal liability in our proprietary product.
▸As a compliance officer, I want a monthly report of all dependencies and their licenses so that I can audit and document our compliance posture.
▸As a developer, I want to be alerted when a risky license is added to a PR so that I can catch it before it merges.

Acceptance Criteria

GitHub Integration: done when user can install app and authorize repos without errors. Weekly Scan: done when cron job pulls package.json and identifies 10+ dependencies from a real repo. License Metadata: done when npm and PyPI queries return license data for 95%+ of dependencies. Policy Engine: done when user defines a rule (e.g., 'block GPL') and violations are caught. Dashboard: done when license pie chart and violation list load in under 2 seconds.

Is it worth building?

$129/month × 35 customers = $4,515 MRR at month 3. $299/month × 15 larger teams = $4,485 MRR. Combined: $9,000 MRR at month 4.

Unit Economics

CAC: $80 via LinkedIn cold outreach. LTV: $1,548 (12 months at $129/month, 70% retention). Payback: 1.2 months. Gross margin: 92%.

Business Model

SaaS subscription: $129/month for up to 5 repos, $299/month for unlimited

Monetization Path

Free tier: 1 repo, monthly scans, email reports. Paid: unlimited repos, weekly scans, Slack alerts, custom policies.

Revenue Timeline

First dollar: month 1 (beta trial conversion). $1k MRR: month 4. $5k MRR: month 9. $10k MRR: month 14.

Estimated Monthly Cost

npm API: free (public registry). PyPI API: free. GitHub API: free (within quota). Supabase: $25. Vercel: $20. Slack: $0 (free API). Stripe fees: ~$20. Sentry: $0 (free). Total: ~$65/month at launch.

Profit Potential

Full-time viable at $5k–$15k MRR.

Scalability

High — can add npm supply chain attack detection, SBOMs (Software Bill of Materials) export for customers, GitHub Actions integration for CI/CD gates.

Success Metrics

Week 2: 15 GitHub app installs from personal outreach. Month 1: 5 active beta users (free). Month 2: 8 paid customers, 60% week-4 retention. Month 4: 20 paid customers.

Launch & Validation Plan

Survey 30 engineering leaders on Twitter/X and LinkedIn about license compliance. Build landing page with example compliance report and risk calculator. Recruit 5 beta testers (different company sizes and languages) for 3-week trial. Measure: repos scanned, violations detected, policy configurations created.

Customer Acquisition Strategy

First customer: DM 20 engineering leads on LinkedIn offering 2 months free in exchange for weekly calls and case study. Second: ProductHunt launch, Reddit r/programming and r/devops, Twitter/X threads on supply chain security, GitHub Marketplace listing, partner with SPDX and Linux Foundation.

What's the competition?

Competition Level

Medium

What's the roadmap?

Feature Roadmap

V1 (week 2): GitHub app, weekly npm/PyPI scans, policy engine, Slack alerts, dashboard. V2 (month 2-3): Real-time scanning on push/PR, SBOM export, multi-language support (Java, Go). V3 (month 4+): Vulnerability scanning integration, license compliance dashboard for execs, GitHub Actions CI/CD gate plugin.

Milestone Plan

Phase 1 (Week 1): Build Next.js scaffold, Supabase schema, GitHub app registration, OAuth flow. Done when: user can install app and repo is authorized. Phase 2 (Week 2): Weekly cron, npm/PyPI registry queries, policy engine, Slack alerts. Done when: cron runs on schedule, violations trigger Slack message. Phase 3 (Month 1): Dashboard, Stripe billing, 5 beta customers on-boarded. Done when: dashboard loads scan results, first paying customer converts.

How do you build it?

Tech Stack

Next.js, GitHub API, npm Registry API, PyPI API, SPDX database, Supabase, Slack API, Stripe — build with Cursor for GitHub integration and policy engine, v0 for dashboard.

Suggested Frameworks

Octokit (@octokit/rest) for GitHub API, node-fetch or native fetch for npm/PyPI registry queries, Vercel Cron Jobs (vercel.json cron config) or GitHub Actions scheduled workflow for weekly scans — node-cron does not work in Vercel serverless environments

Time to Ship

4 weeks

Required Skills

GitHub API, npm/PyPI API integration, policy engine logic, basic SaaS CRUD

Resources

GitHub API docs, npm Registry API, PyPI JSON API, SPDX license list, Octokit docs

MVP Scope

Create: (1) Next.js app with Supabase auth and GitHub OAuth. (2) GitHub app installation flow (allow user to select repos to monitor). (3) Weekly cron job that pulls package.json from GitHub API, parses dependencies. (4) npm and PyPI registry query endpoint to fetch license metadata for each dependency. (5) Policy engine: user defines rules (e.g., 'reject GPL'), scan results matched against rules. (6) Supabase schema: repos, scans, dependencies, violations, policies. (7) Slack webhook integration to send alerts. (8) Simple dashboard in v0 showing license pie chart, violation list, scan history. (9) CSV export of compliance report.

Core User Journey

Install GitHub app -> authorize repos -> wait for first scan -> view license dashboard -> see one violation -> configure policy to block it -> upgrade to paid.

Architecture Pattern

GitHub OAuth -> select repos -> weekly cron triggers -> GitHub API fetches package.json -> npm/PyPI API queries license metadata -> policy engine evaluates rules -> violations stored in Supabase -> Slack webhook fires if violations -> dashboard aggregates trends.

Data Model

User has many Repos. Repo has many Scans. Scan has many Dependencies. Dependency has one License. User has one Policy (rules for which licenses are allowed).

Integration Points

GitHub API for repo and file access, npm Registry API for license metadata, PyPI JSON API for Python packages, Slack API for alerts, Supabase for scan storage, Stripe for billing.

V1 Scope Boundaries

V1 excludes: vulnerability scanning, SBOMs, multi-language support beyond Node and Python, team collaboration, custom license database.

Success Definition

A paying engineering team discovers the product, connects their GitHub repos, receives a weekly scan with compliance report, configures a custom policy, and renews after 30 days.

Challenges

Some libraries have dual licenses or complex licensing (e.g., dual MIT/Apache). Unlicensed packages are common on npm (no published license). Rate limiting on npm and PyPI APIs.

Avoid These Pitfalls

1. Transitive dependency licenses: most legal risk comes from indirect dependencies (e.g., a GPL library 3 levels deep), not direct ones — ensure your scanner resolves lock files (yarn.lock, package-lock.json, poetry.lock), not just top-level manifests. 2. SPDX field unreliability: many npm packages have malformed or missing 'license' fields in package.json; build a fallback that checks the LICENSE file in the repo via GitHub API before marking a package as 'unknown'. 3. Dual-licensed packages: libraries like Elasticsearch (SSPL/Apache dual) require business logic to classify correctly — do not blindly trust the first SPDX string returned. 4. GitHub App permission scope creep: request only 'contents: read' for private repos; requesting broader permissions will kill enterprise install conversion. 5. Rate limits are real: npm registry has no auth requirement but will throttle aggressive parallel fetches — implement a p-limit concurrency cap (max 10 concurrent requests) to avoid 429s during large monorepo scans. 6. False negatives from bundled dependencies: packages that vendor their dependencies (common in Go and some npm packages) won't show up in package.json at all — set clear V1 scope boundaries so customers don't blame you for missed vendored libs.

Security Requirements

Auth: GitHub OAuth via Octokit. RLS enabled on all user tables. Rate limiting: 20 req/min per user to avoid registry API burnout. Input validation: repo URLs validated before querying. GDPR: user can request deletion of all scan data.

Infrastructure Plan

Hosting: Vercel. Database: Supabase Postgres. Cron: Vercel Functions. Monitoring: Sentry. CI/CD: GitHub Actions. Environments: dev, staging, prod. Cost: Vercel $20, Supabase $25, Sentry $0 (free), Total: $45/month.

Performance Targets

Expected DAU at launch: 20. Weekly cron: scans 5 repos in under 2 minutes (10+ dependencies each). API query time: fetch license for 50 dependencies in under 5 seconds (parallelized). Dashboard load: under 2s (LCP).

Go-Live Checklist

☐✓ GitHub app installation tested with 3 test repos
☐✓ npm registry API queries tested on 30 packages, license extraction works
☐✓ PyPI API queries tested on 10 packages
☐✓ Policy engine tested: custom rules block GPL successfully
☐✓ Weekly cron tested in staging for 2 weeks
☐✓ Slack alert tested end-to-end (message arrives on violation)
☐✓ Stripe billing tested
☐✓ Dashboard renders with real scan data
☐✓ Error tracking live
☐✓ Custom domain configured
☐✓ Privacy policy and terms published
☐✓ 5 beta testers signed off
☐✓ Rollback plan documented
☐✓ ProductHunt and GitHub Marketplace launch posts drafted.

How to build it, step by step

1. Bootstrap app: npx create-next-app@latest licensecheck --typescript --app, then npm install @supabase/supabase-js @octokit/rest @octokit/webhooks stripe p-limit. 2. Supabase schema: create tables — users (id, github_id, email), repos (id, user_id, github_repo_id, full_name, enabled), scans (id, repo_id, scanned_at, status), dependencies (id, scan_id, name, version, ecosystem, spdx_license, is_direct), violations (id, scan_id, dependency_id, rule_triggered), policies (id, user_id, blocked_licenses text[], require_license bool). Enable RLS on all tables. 3. GitHub OAuth: configure Supabase Auth with GitHub provider, request scopes 'read:user repo'. On callback, store github_access_token in users table (encrypted). 4. Register GitHub App at github.com/settings/apps — set webhook URL to /api/github/webhook, request permissions: Contents (read), Metadata (read). Generate and store GITHUB_APP_PRIVATE_KEY and GITHUB_APP_ID in env. 5. GitHub App installation endpoint: build /api/github/install — on installation webhook event, use Octokit with app auth to list repos, upsert into repos table with installation_id. 6. Lock file parser: build /lib/parsers/npm.ts that reads package-lock.json from GitHub API (GET /repos/{owner}/{repo}/contents/package-lock.json), parses dependencies object, extracts name+version+resolved. Build /lib/parsers/python.ts for poetry.lock and requirements.txt. Mark direct vs. transitive dependencies. 7. Registry license fetcher: build /lib/registry/npm.ts — fetch https://registry.npmjs.org/{package}/{version}, extract .license field (SPDX string). If missing, fallback to fetching the package's GitHub repo URL and checking LICENSE file via raw.githubusercontent.com. Build /lib/registry/pypi.ts — fetch https://pypi.org/pypi/{package}/{version}/json, extract info.license. Use p-limit(10) to parallelize with max 10 concurrent requests. 8. SPDX classifier: build /lib/spdx.ts that maps raw license strings to canonical SPDX identifiers using the spdx-correct npm package (real package: npm install spdx-correct spdx-expression-parse). Classify into risk tiers: PERMISSIVE (MIT, Apache-2.0, BSD-*), WEAK_COPYLEFT (LGPL-*), STRONG_COPYLEFT (GPL-*, AGPL-*), PROPRIETARY, UNKNOWN. 9. Policy engine: build /lib/policy.ts — load user's policy from Supabase, iterate dependencies, flag violations where dependency.risk_tier is in policy.blocked_licenses or dependency.spdx_license is UNKNOWN and policy.require_license is true. Write violations to violations table. 10. Weekly cron via Vercel: add to vercel.json: {"crons": [{"path": "/api/jobs/weekly-scan", "schedule": "0 9 * * 1"}]}. In /api/jobs/weekly-scan, query all enabled repos, run the parse -> fetch -> classify -> policy-check pipeline for each, store scan results. 11. Slack alert: on violations detected, POST to user's configured Slack webhook URL using Slack Block Kit — include repo name, violation count, and a link to the dashboard. Build Slack connection UI in settings page (user pastes incoming webhook URL). 12. Dashboard: build /app/dashboard using Recharts (npm install recharts) for a pie chart of license distribution. Fetch scan history and violations from Supabase via server component. Add CSV export endpoint /api/export/scan/[scanId] that streams a CSV of all dependencies + licenses. 13. Stripe billing: create two products in Stripe dashboard ($129/mo Starter, $299/mo Pro). Build /api/billing/checkout (create Stripe Checkout session) and /api/billing/webhook (handle checkout.session.completed to set user.plan in Supabase). Gate weekly scan frequency and repo count by plan. 14. Deploy: push to GitHub, connect to Vercel, set all env vars (GITHUB_APP_ID, GITHUB_APP_PRIVATE_KEY, SUPABASE_URL, SUPABASE_SERVICE_KEY, STRIPE_SECRET_KEY, STRIPE_WEBHOOK_SECRET). Verify Vercel cron appears in dashboard under Settings > Cron Jobs.

Generated

March 30, 2026

Model

claude-haiku-4-5-20251001 · reviewed by Claude Sonnet

← Back to All Ideas