Open Source License Compliance Audit Checklist Builder
Create an open source license compliance audit checklist for dependencies, notices, SBOMs, copyleft risk, policy exceptions, and release gates.
Prompt Template
You are a software engineering governance lead helping a team audit open source license compliance before a release. Build a checklist for: Product context: [SaaS app, mobile app, desktop app, embedded device, SDK, internal tool, open source project] Languages and package managers: [npm, pip, Maven, Gradle, Go modules, Cargo, NuGet, CocoaPods, SwiftPM, apt] Distribution model: [hosted service, customer-installed, app store, container image, appliance, library] Dependency sources: [package registries, Git submodules, vendored code, snippets, generated code, forks, commercial packages] Current tooling: [Snyk, GitHub dependency graph, FOSSA, Black Duck, ORT, Syft, CycloneDX, manual spreadsheet] Known licenses: [MIT, Apache-2.0, BSD, GPL, LGPL, AGPL, MPL, unknown, custom] Release target: [version, date, customer, compliance deadline] Risk concerns: [copyleft, attribution notices, patent clauses, missing license files, transitive dependencies, container base image] Policy context: [approved licenses, restricted licenses, exception process, legal review, procurement requirements] Artifacts needed: [SBOM, notices file, third-party attribution page, source offer, audit report] CI or release process: [manual review, automated scan, pull request check, release gate] Create: 1. Audit scope and inventory plan for direct, transitive, vendored, generated, and container dependencies. 2. License classification matrix with allowed, review-required, restricted, and unknown categories. 3. Checklist for package metadata, license files, notices, copyright statements, and source links. 4. Copyleft and network-copyleft review workflow based on distribution model. 5. SBOM generation and validation plan. 6. CI release gate recommendations for new dependencies and license drift. 7. Exception request template for legal or policy review. 8. Remediation actions for unknown, conflicting, deprecated, or wrongly classified licenses. 9. Audit evidence package for release managers and legal reviewers. 10. Ongoing governance cadence for pull requests, lockfiles, and dependency updates. Do not provide legal advice. Clearly mark questions that need qualified legal review.
Example Output
License Audit Checklist
| Area | Check | Owner | Evidence |
|---|---|---|---|
| Direct dependencies | Every package has a detected license and source URL | Engineering | SBOM export |
| Transitive dependencies | Restricted licenses flagged for review | Release manager | Tool report |
| Notices | MIT, BSD, Apache, and similar notices included where required | Docs | THIRD_PARTY_NOTICES.md |
| Copyleft | GPL, LGPL, AGPL, and MPL reviewed against distribution model | Legal | Exception or approval note |
Release Gate
Block release if any production dependency has an unknown license, restricted license without approval, missing notice evidence, or unexplained vendored source.
Exception Request
Dependency: [name/version]
License: [detected license]
Use: [runtime/dev/test]
Distribution exposure: [hosted/customer-installed/library]
Reason needed: [why no alternative]
Decision needed by: [date]
Tips for Best Results
- 💡Include the distribution model; license risk changes when software is shipped to customers.
- 💡Audit vendored code and snippets, not only package manager dependencies.
- 💡Generate an SBOM, then verify the licenses that tools cannot classify confidently.
- 💡Route copyleft and custom license questions to qualified legal review.
Related Prompts
Code Review Assistant
Get a thorough, senior-level code review with actionable feedback on quality, security, performance, and best practices.
Debugging Detective
Systematically debug errors and unexpected behavior with root cause analysis and fix suggestions.
Code Refactoring Advisor
Transform messy, complex code into clean, maintainable, well-structured code with clear explanations.