Open Source Compliance for Corporate Teams 2026
Open Source Compliance for Corporate Teams 2026
Open source license compliance was once a niche concern for legal teams at large software companies. In 2026, it is a baseline expectation for any company that ships software — enforced by executive orders, EU regulation, and M&A due diligence processes.
TL;DR
- US and EU regulations now mandate SBOMs (Software Bills of Materials) for software sold to government buyers and, under the EU CRA, for commercial products broadly
- License risk falls into three categories: Category A (permissive, generally safe), Category B (weak copyleft, needs review), Category C (strong copyleft, requires policy decision)
- FOSSA, OSS Review Toolkit, and Black Duck are the leading enterprise scanning tools; open source alternatives (SPDX tools, Licensee) exist for smaller budgets
- Common compliance failures are preventable with a simple pre-dependency-addition checklist enforced in CI/CD
- CLAs and DCOs are different legal instruments that grant different rights — understanding the distinction matters before your engineers sign them
Key Takeaways
- Integrate automated license scanning into your CI/CD pipeline before you have a compliance problem — reactive compliance is 10x more expensive than proactive compliance
- Build a three-tier license policy (A/B/C) and enforce it at pull request time, not at annual audit time
- SBOM generation should be automatic and part of every production release artifact
- The EU Cyber Resilience Act creates compliance obligations for software sold in EU markets beginning 2026 — this is not theoretical future risk
- M&A due diligence now routinely includes license audits; undisclosed GPL code in a commercial product is a valuation risk
Why Compliance Matters More in 2026
Open source license compliance has always been important in theory. In 2026, it became important in practice — enforced by government procurement requirements, new EU legislation, and increasingly sophisticated M&A due diligence.
US Executive Order 14028 (Improving the Nation's Cybersecurity, May 2021) included a mandate requiring software vendors selling to the US federal government to provide a Software Bill of Materials for their products. This requirement was formalized in NIST guidance and incorporated into federal procurement contracts through 2023 and 2024. By 2025, any company with federal contracts was expected to produce SBOMs on demand. In 2026, major defense contractors and civilian agency vendors treat SBOM production as a standard deliverable, not a special request.
The EU Cyber Resilience Act (CRA) is the more sweeping change for companies operating in European markets. The CRA, which entered into force in December 2024 with enforcement provisions phasing in through 2026 and 2027, requires manufacturers of "products with digital elements" — software, firmware, hardware with software components — to meet cybersecurity requirements including component documentation. Open source components used in commercial products fall under CRA scope in many cases. Non-compliance carries fines of up to €15 million or 2.5% of global annual turnover, whichever is higher.
M&A due diligence has become a significant driver of compliance investment for growth-stage companies. Private equity firms and strategic acquirers now routinely commission license audits during the due diligence phase of acquisitions. Discovering undisclosed GPL code in a product's codebase — particularly AGPL code in a SaaS product where the copyleft obligations were never honored — can reduce deal valuation, require expensive remediation before closing, or kill the deal entirely. Several high-profile acquisitions have been complicated or repriced due to OSS compliance findings in the past two years.
Insurance and liability. Cyber insurance policies increasingly ask about software composition practices, including whether companies track open source dependencies and manage known CVEs. Inadequate answers can affect coverage eligibility or premiums.
The cumulative effect is that license compliance has moved from "engineering best practice" to "business requirement with legal and financial consequences." Teams that built their compliance posture before these requirements arrived are in a much stronger position than those trying to retrofit it under pressure.
For context on how EU digital sovereignty regulations intersect with open source adoption more broadly, see our analysis at /blog/eu-digital-sovereignty-laws-driving-oss-adoption.
License Risk Categories
The foundation of any OSS compliance program is a clear classification system for licenses. The three-tier model (Category A/B/C) is the most widely used and is recommended by the Linux Foundation's FOSS Policy Template and the OpenChain standard.
Category A: Permissive licenses — generally enterprise-safe. These licenses allow use, modification, and redistribution (including in commercial products) with minimal requirements. The primary obligations are typically attribution: including a copyright notice and the license text in distributions.
- MIT License
- Apache License 2.0 (with patent grant provisions that provide additional protection)
- BSD 2-Clause ("Simplified" BSD)
- BSD 3-Clause ("New" or "Revised" BSD)
- ISC License
- Unlicense (effectively public domain)
- Boost Software License 1.0
For the vast majority of enterprise use cases, Category A licenses can be approved automatically by policy without individual legal review.
Category B: Weak copyleft licenses — requires engineering and legal review. These licenses have copyleft provisions but limit them in scope — either to modifications of the licensed file itself (MPL) or to the specific library as a linked component (LGPL). Understanding whether your usage triggers the copyleft provisions requires knowing how you integrate the dependency.
- GNU Lesser General Public License v2.1 and v3 (LGPL): Copyleft applies to the LGPL library itself, but not to code that links against it, provided users can relink against modified versions. Dynamic linking is generally safe; static linking may trigger obligations.
- Mozilla Public License 2.0 (MPL): File-scoped copyleft. Modified MPL files must be released as MPL, but they can be combined with proprietary code in the same project.
- Eclipse Public License 2.0 (EPL): Similar to MPL but with some differences in terms.
- Common Development and Distribution License 1.0 (CDDL): File-scoped copyleft, common in Oracle-originated open source.
- European Union Public License 1.2 (EUPL): Compatible with several other copyleft licenses; requires review for cross-license compatibility.
Category B dependencies should require documentation of the integration method (linked? static? dynamic? modified?) and sign-off from the engineering lead before being added to production code.
Category C: Strong copyleft licenses — requires policy decision and often legal opinion. These licenses extend copyleft beyond the component itself to any software distributed with it, or (in AGPL's case) to software offered over a network.
- GNU General Public License v2.0 and v3.0 (GPL): Modifications and derivative works must be released under GPL. For internal use only, this is generally manageable. For distributed software, it creates significant obligations.
- GNU Affero General Public License v3.0 (AGPL): Like GPL, but the "distribution" trigger extends to providing the software as a network service. A SaaS product built on an AGPL library must release its source under AGPL, even if no binary is distributed. This is the license most commonly implicated in compliance failures at SaaS companies.
- Server Side Public License (SSPL): Originally created by MongoDB, not recognized as open source by the OSI. Behaves similarly to AGPL but with much broader scope — any software used to offer the SSPL-licensed component as a service must be released. Even more restrictive than AGPL.
- Business Source License (BSL/BUSL): Not open source. Time-limited commercial restriction — typically converts to open source (usually Apache 2.0) after 4 years. Used by HashiCorp (Terraform), CockroachDB, and others. Cannot be used in competing products during the restriction period.
Category C dependencies require VP-level or legal approval, a documented use case, and a determination of whether the AGPL or GPL obligations are compatible with the product's distribution model. In most cases for SaaS companies, AGPL dependencies either need to be replaced or a commercial license purchased from the vendor.
For a deeper analysis of how AGPL is strategically used by open source vendors and what it means for companies evaluating those tools, see /blog/agpl-license-debate-why-oss-companies-choosing-it.
SBOM: What It Is and How to Generate One
A Software Bill of Materials is a machine-readable inventory of every software component in a product or service — including open source libraries, their versions, their licenses, and their known vulnerabilities. Think of it as a nutritional label for software: a standardized format that makes it possible to understand what a software product contains.
Why SBOMs matter. When a critical vulnerability is discovered in a widely-used component (Log4Shell in December 2021 is the canonical example), organizations with SBOMs can immediately answer "do we use log4j, and in which products?" without manual investigation. Organizations without SBOMs spend days or weeks doing that research while the vulnerability window is open. SBOMs are also the foundation for automated vulnerability management — you cannot track CVEs in components you don't know you have.
SBOM formats. Two formats have emerged as standards:
- SPDX (Software Package Data Exchange): Maintained by the Linux Foundation, recognized by ISO as ISO/IEC 5962:2021. Supports multiple encodings (tag-value, JSON, YAML, RDF). Strong in the open source ecosystem and US government context.
- CycloneDX: Maintained by OWASP. JSON and XML encodings. Strong tooling ecosystem, particularly for security-focused use cases. The CRA and many security scanning tools prefer CycloneDX.
Both formats capture component names, versions, licenses, checksums, and supply chain relationships. A mature SBOM program generates both formats to maximize compatibility.
Generating SBOMs automatically. Every major build ecosystem has tooling for SBOM generation:
| Ecosystem | Tool | Format | Notes |
|---|---|---|---|
| Containers | syft | CycloneDX, SPDX | Scans Docker images |
| Node.js | cyclonedx-npm | CycloneDX | npm and yarn lockfiles |
| Python | cyclonedx-py | CycloneDX | pip, requirements.txt |
| Java/Maven | cyclonedx-maven-plugin | CycloneDX | Maven dependencies |
| Go | cyclonedx-gomod | CycloneDX | go.mod |
| .NET | CycloneDX.BOM | CycloneDX | NuGet packages |
| Multi-language | trivy, grype | Multiple | Container and filesystem scanning |
Add SBOM generation to your CI/CD pipeline as a step that runs on every merge to main and on every release tag. Publish the SBOM alongside release artifacts in your artifact registry or release page.
SBOM attestation. For government and regulated-industry buyers, an SBOM is most valuable when it is attested — cryptographically signed to prove it came from your build system and hasn't been tampered with. The SLSA (Supply-chain Levels for Software Artifacts) framework provides a framework for provenance attestation. Sigstore's cosign tool is the most widely used open source implementation for signing container images and SBOMs.
License Scanning Tools
Automated license scanning is the operational foundation of an OSS compliance program. Manual dependency audits don't scale and miss transitive dependencies, which often account for the majority of compliance risk in modern software.
FOSSA is the leading commercial enterprise license scanner. It integrates with GitHub, GitLab, Bitbucket, Jira, and most CI/CD systems. FOSSA scans direct and transitive dependencies, identifies licenses, flags policy violations, and generates SBOMs. It also provides remediation guidance: when a dependency violates policy, FOSSA suggests alternatives. Pricing is subscription-based, typically $25,000-100,000/year for enterprise contracts depending on scale. Best choice for companies that need managed compliance workflows, legal-grade reports, and dedicated support.
OSS Review Toolkit (ORT) is an open source license scanner maintained by the HERE Technologies (formerly HERE Maps) team and used by major companies including BMW, Bosch, and Deutsche Telekom. ORT is comprehensive — it handles dependency resolution, license detection, vulnerability scanning, and report generation — but it requires significant engineering effort to configure and maintain. It is effectively free (Apache 2.0 licensed) but has meaningful operational overhead. Best for organizations with dedicated compliance engineers who want full control over the tooling.
Black Duck (Synopsys) is the incumbent enterprise solution with the longest track record. It has the most comprehensive knowledge base (especially for binary scanning — useful when source code is unavailable) and deep integrations with enterprise toolchains. Pricing is high ($50,000-200,000+/year for enterprise), which limits adoption to large organizations. Best for highly regulated industries where the comprehensive binary scanning capability and audit-grade reporting justify the cost.
SPDX Tools is the reference implementation for working with SPDX documents, maintained by the Linux Foundation. It validates, converts, and merges SPDX files but is not a full scanning solution — it processes SPDX documents you've already generated rather than discovering dependencies. Free and open source.
Licensee is a lightweight open source tool (MIT licensed, maintained by GitHub) that identifies licenses from files in a repository. It's excellent for a specific use case: quickly checking the license of an OSS project you're considering adopting. Not suitable as a comprehensive compliance scanner for production codebases.
Trivy (by Aqua Security, Apache 2.0) is primarily a security scanner but now includes license scanning capabilities. It can scan container images, filesystems, and Git repositories for both vulnerabilities and license compliance issues. Free, actively maintained, and excellent for teams that want combined security and license scanning in a single tool.
| Scale | Recommended Tool | Estimated Annual Cost |
|---|---|---|
| Startup (<50 engineers) | Trivy + Licensee | $0 (open source) |
| Growth (50-200 engineers) | FOSSA Team or ORT | $5,000-25,000 |
| Enterprise (200+ engineers) | FOSSA Enterprise or Black Duck | $25,000-100,000+ |
Building a Corporate OSS Policy
A corporate OSS policy is the document that answers: "What open source can we use, how do we evaluate it, and what are the rules for contributing?" A good policy is short enough that engineers actually read it, specific enough to guide real decisions, and enforced through tooling rather than honor system.
What to include. A minimum viable OSS policy has five sections: (1) License classification (the A/B/C tiers described above), (2) Approval workflow (who approves what tier, at what stage of the development process), (3) Contribution policy (what external contributions employees may make and under what conditions), (4) Security policy (CVE triage SLAs, patching requirements), and (5) Escalation path (who to contact for edge cases, exceptions, and compliance findings).
Enforcement in CI/CD. A policy that exists only as a PDF is not a policy — it is documentation of good intentions. Effective compliance requires automated enforcement at the point where dependencies are added. Configure your license scanner to fail CI on Category C licenses that haven't been pre-approved, and warn on Category B. This creates a frictionless experience for compliant dependencies and a natural checkpoint for review of potentially problematic ones.
Approval workflow. For a Category C dependency, the workflow should be: engineer requests approval via a ticket or form → automated scanner confirms the license category → engineering lead reviews the use case → legal reviews if distribution is involved → approval or rejection with documented reasoning → policy exception list updated. The goal is to make the workflow fast enough that engineers use it rather than work around it. A 48-hour turnaround for non-trivial cases is a reasonable target.
Policy refresh cadence. License situations change. Projects relicense (Redis changed from BSD to RSALv2 in 2024, HashiCorp changed Terraform from MPL to BSL in 2023). Companies are acquired. New case law emerges. Review and update your OSS policy at least annually, and specifically after any significant license change in your major dependencies.
Common Compliance Failures
The same compliance failures appear repeatedly in audits and M&A reviews. Understanding them in advance makes them easy to prevent.
License notices missing from distributions. Even permissive licenses (MIT, Apache 2.0, BSD) require attribution — typically including the copyright notice and license text in your distribution. Many teams fulfill this requirement incompletely. Apache 2.0 in particular requires preserving NOTICE files if the upstream project includes them. Tools like license-checker and FOSSA's notice file generation automate this requirement reliably.
AGPL obligations not met. A SaaS company uses an AGPL library in its backend. The AGPL requires that users of the service (anyone who interacts with the software over a network) can receive the source code, including any modifications. Most companies in this situation either don't know about the obligation or know about it and have not implemented the required source disclosure mechanism. This is the most common compliance failure in SaaS companies discovered during M&A due diligence.
GPL code in a distributed proprietary product. An engineer adds a GPL utility library to a product that is distributed as a binary to customers. The GPL requires that the source code — including the modifications and the code that links against the GPL library — be made available to recipients. If this wasn't the company's intention, the fix is either replacing the GPL dependency with a permissively-licensed alternative or obtaining a commercial license from the vendor.
Copyright headers removed or modified. When engineers copy utility functions from Stack Overflow or GitHub, they sometimes remove or fail to transfer the associated copyright notices. This is a technical violation of the source license even when the license is permissive.
Untracked vendored dependencies. Some codebases include vendored copies of open source libraries — committed directly into the repository rather than managed through a package manager. Vendored dependencies are often missed by automated scanners that rely on lockfiles. A file-level scan (as opposed to a manifest-level scan) is required to catch these.
The Developer's Compliance Checklist
Before adding any new open source dependency to a production codebase, engineers should answer these questions. This checklist should be embedded in your contribution guidelines and linked from pull request templates.
1. What license does this package use? Check the LICENSE file in the repository, not just the package registry listing (they sometimes differ). Identify the specific license version (GPL-2.0 vs. GPL-3.0 matters).
2. What category does the license fall into? Map it to your A/B/C classification. If it's A, proceed. If it's B, document the integration pattern. If it's C, initiate the approval workflow before merging.
3. Is the project actively maintained? Check the date of the most recent commit, the issue response time, and the number of active maintainers. A dependency abandoned by its maintainer becomes a security liability.
4. Are there known CVEs in this version? Run the package through your SCA tool before the pull request is opened. Don't merge a dependency with a critical CVE just because it's convenient.
5. Is there a maintained lockfile entry? Pin to a specific version, not a range. Floating versions (^2.0.0) create situations where a compromised minor version can be silently introduced.
6. Do the transitive dependencies comply with policy? Direct dependencies are easy to check. Transitive dependencies — the dependencies of your dependencies — are where compliance issues most often hide. Your automated scanner should handle this, but verify that it ran.
Vendor Due Diligence: Evaluating OSS in Products You're Acquiring
When your company acquires another company or evaluates a vendor's product, open source compliance in their codebase becomes your liability after the deal closes.
Request a current SBOM from any software vendor you are evaluating. Run it through your own scanning pipeline to identify license categories and CVE exposure. If they cannot produce an SBOM, that is itself a risk signal that their software development practices are not mature.
For M&A targets, commission an independent software composition analysis as part of technical due diligence. Specialized firms (FOSSA offers this as a service, as do several IP law firms with technology practices) can complete a scan and produce a legal-grade report within 2-4 weeks. The cost is $15,000-50,000 depending on codebase size — trivial compared to the risk of discovering undisclosed GPL obligations after a $50M acquisition closes.
Red flags in an OSS compliance audit include: large volumes of Category C dependencies with no evidence of license management, AGPL dependencies in a SaaS product with no source disclosure mechanism, vendored dependencies not tracked in any dependency manifest, and no formal license policy or scanning process documented anywhere in the engineering organization.
When compliance and data privacy obligations intersect — which is increasingly common in the EU regulatory environment — see our guide on data privacy, open source, GDPR, and CCPA for the regulatory specifics.
Remediation: What to Do When You Find a Compliance Issue
Discovering a compliance issue is uncomfortable, but the response determines whether it becomes a serious legal problem or a manageable technical task.
Step 1: Categorize the severity. A missing copyright notice in a test utility is different from an AGPL library in your commercial SaaS product. Prioritize based on: Is software distributed to external users? Is the obligation ongoing (AGPL source disclosure) or historical (missing notices)? Is the violation in code that is actively in production?
Step 2: Stop the bleeding. Freeze new additions of the problematic dependency type pending the resolution. Don't compound the problem while you're fixing the existing one.
Step 3: Choose a remediation path. Three options exist for most compliance issues: (a) fulfill the obligation — add missing notices, publish source code as required by AGPL, provide the required attribution; (b) replace the dependency — remove the non-compliant component and substitute a permissively-licensed alternative; (c) obtain a commercial license — many Category C license vendors (Grafana, Mattermost, GitLab) offer commercial licenses that remove the copyleft obligations. Commercial licenses are often the right answer for mature products where re-engineering would be expensive.
Step 4: Document the remediation. Create a record of the finding, the decision made, and the remediation taken. This documentation matters for future audits and M&A due diligence — showing that you found and addressed an issue is much better than being found to have an unaddressed issue.
Step 5: Update the policy to prevent recurrence. Every compliance failure is evidence of a gap in the automated prevention layer. Add a rule to your CI/CD scanner, update the developer checklist, or add the specific license to your Category C blocklist in your tooling configuration.
The CLA (Contributor License Agreement)
When your engineers contribute to external open source projects — or when your company accepts contributions to your own open source projects — CLAs define the intellectual property relationship.
A Contributor License Agreement is a legal document in which the contributor grants the project (or its foundation or company) certain rights to use the contribution. The specific rights granted vary by CLA, but typically include: the right to use the contribution under the project's license, sometimes the right to relicense the contribution under other licenses, and representations that the contributor has the right to make the contribution (i.e., it is original work, not copied from someone else's code).
Why projects require CLAs. CLAs enable projects to relicense if needed (important for projects considering a move from MIT to Apache 2.0 or vice versa), defend against copyright claims (the contributor has affirmed they own the work), and clarify the IP situation for enterprise adoption. The Apache Software Foundation's Individual CLA and Corporate CLA are the most widely used templates. GitHub and GitLab now support automated CLA signing workflows through their platforms — contributors are prompted to sign when they open a pull request if they haven't signed previously.
What to check before signing. The key question is whether the CLA grants the right to relicense. Some CLAs grant only the right to use the contribution under the current project license. Others grant broad relicensing rights — meaning your contribution could end up in a proprietary version of the project under a different license. If the CLA includes broad relicensing rights, have legal review the specific terms before engineers sign on behalf of the company. This is especially important for significant contributions or strategic open source projects.
Developer Certificate of Origin (DCO). The DCO is a lighter-weight alternative used by many projects, most notably the Linux kernel. The DCO requires contributors to add a Signed-off-by line to their commits, confirming that they have the right to submit the code under the project's license. Unlike a CLA, it does not grant additional rights beyond the project's existing license terms, which makes it simpler to implement as a company policy. Most companies can allow DCO sign-offs by policy without requiring individual legal review for each contribution.
The practical advice: build a short list of approved open source projects that engineers may contribute to without individual legal review. For everything outside that list, route through a lightweight approval process that takes 1-2 days. This balances the company's interest in open source engagement (which attracts talent and builds community goodwill) with appropriate IP oversight.
For teams building a complete internal OSS governance posture, our guides on EU digital sovereignty and OSS adoption and the AGPL license debate cover the regulatory and licensing landscape that shapes the decisions your compliance program will need to make.