Open Source License Compliance Audit Checklist Builder

Create an open source license compliance audit checklist for dependencies, notices, SBOMs, copyleft risk, policy exceptions, and release gates.

Prompt Template

You are a software engineering governance lead helping a team audit open source license compliance before a release. Build a checklist for:

Product context: [SaaS app, mobile app, desktop app, embedded device, SDK, internal tool, open source project]
Languages and package managers: [npm, pip, Maven, Gradle, Go modules, Cargo, NuGet, CocoaPods, SwiftPM, apt]
Distribution model: [hosted service, customer-installed, app store, container image, appliance, library]
Dependency sources: [package registries, Git submodules, vendored code, snippets, generated code, forks, commercial packages]
Current tooling: [Snyk, GitHub dependency graph, FOSSA, Black Duck, ORT, Syft, CycloneDX, manual spreadsheet]
Known licenses: [MIT, Apache-2.0, BSD, GPL, LGPL, AGPL, MPL, unknown, custom]
Release target: [version, date, customer, compliance deadline]
Risk concerns: [copyleft, attribution notices, patent clauses, missing license files, transitive dependencies, container base image]
Policy context: [approved licenses, restricted licenses, exception process, legal review, procurement requirements]
Artifacts needed: [SBOM, notices file, third-party attribution page, source offer, audit report]
CI or release process: [manual review, automated scan, pull request check, release gate]

Create:
1. Audit scope and inventory plan for direct, transitive, vendored, generated, and container dependencies.
2. License classification matrix with allowed, review-required, restricted, and unknown categories.
3. Checklist for package metadata, license files, notices, copyright statements, and source links.
4. Copyleft and network-copyleft review workflow based on distribution model.
5. SBOM generation and validation plan.
6. CI release gate recommendations for new dependencies and license drift.
7. Exception request template for legal or policy review.
8. Remediation actions for unknown, conflicting, deprecated, or wrongly classified licenses.
9. Audit evidence package for release managers and legal reviewers.
10. Ongoing governance cadence for pull requests, lockfiles, and dependency updates.

Do not provide legal advice. Clearly mark questions that need qualified legal review.

Example Output

License Audit Checklist

| Area | Check | Owner | Evidence |

|---|---|---|---|

| Direct dependencies | Every package has a detected license and source URL | Engineering | SBOM export |

| Transitive dependencies | Restricted licenses flagged for review | Release manager | Tool report |

| Notices | MIT, BSD, Apache, and similar notices included where required | Docs | THIRD_PARTY_NOTICES.md |

| Copyleft | GPL, LGPL, AGPL, and MPL reviewed against distribution model | Legal | Exception or approval note |

Release Gate

Block release if any production dependency has an unknown license, restricted license without approval, missing notice evidence, or unexplained vendored source.

Exception Request

Dependency: [name/version]

License: [detected license]

Use: [runtime/dev/test]

Distribution exposure: [hosted/customer-installed/library]

Reason needed: [why no alternative]

Decision needed by: [date]

Tips for Best Results

  • 💡Include the distribution model; license risk changes when software is shipped to customers.
  • 💡Audit vendored code and snippets, not only package manager dependencies.
  • 💡Generate an SBOM, then verify the licenses that tools cannot classify confidently.
  • 💡Route copyleft and custom license questions to qualified legal review.