aidotse/compliance-toolkit
🛡️ Org Compliance Toolkit

An automated license compliance and open-source readiness tool. Built with uv and ScanCode Toolkit.

🚀 Purpose

This toolkit helps developers determine if their repository is ready for an Open Source release. It:

  1. Scans all dependencies for licenses.
  2. Flags licenses that hinder commercial or proprietary releases.
  3. Recommends the best Open Source license (MIT, Apache, GPL, or AGPL).
  4. Generates a valid LICENSE file automatically from official SPDX templates.

🛠️ Usage in GitHub Actions

To use this in your project's repository, add a workflow file (e.g., .github/workflows/compliance.yml):

name: OS Readiness Check
on: [pull_request, workflow_dispatch]

jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run License Recommender
        uses: your-org-name/compliance-toolkit/.github/actions/license-check@main
        with:
          apply_fix: 'false' # Set to 'true' to auto-generate a LICENSE file

💻 Local Development

If you want to contribute to this toolkit, follow these steps:

1. Prerequisites

Install uv (the ultra-fast Python package manager):

curl -LsSf https://astral-sh.net/uv/install.sh | sh

2. Running the tool

You can run the tool directly against any directory. uv will handle the dependencies and isolation automatically.

uv run compliance_tool.py [path/to/repo]

3. Formatting & Quality

We use Ruff for linting and Pytest for logic verification. Ensure these pass before pushing code:

# Check code style and fix common issues
uvx ruff check . --fix

# Run logic tests to ensure recommendations are accurate
uv run pytest

⚡ Quick Setup (Automatic Onboarding)

The easiest way to add compliance checks to your repository is to run our setup command.

From the root of your project, run:

uv run --with-editable https://github.com/your-org/compliance-toolkit compliance_tool.py . --setup

This will automatically create .github/workflows/compliance.yml in your repo, configured to use our organization's latest standards.

💬 Automatic PR Feedback

Once installed, every Pull Request will trigger a scan. The results appear in the Actions tab.

If you want the tool to automatically generate a LICENSE file for you, simply run the workflow manually from the "Actions" tab in GitHub and set the apply_fix input to true.

1. How it looks for the user

When a user runs the --setup command:

  1. uv pulls the script from the central toolkit repo.
  2. The script detects the user's project structure.
  3. It writes the .github/workflows/compliance.yml file.
  4. The user simply runs git add . && git commit -m "add compliance check".

2. Why this is the "Gold Standard" implementation

  • Zero Manual Copy-Paste: Users hate copying YAML files. Generating the workflow eliminates copy-paste errors.
  • Version Control: By pointing to @main in the generated YAML, you can update the logic in your toolkit, and every project in the org gets the update automatically without changing their own code.
  • Visibility: It makes the "Compliance Check" a standard part of the repo's health, just like unit tests or linting.
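The onboarding step described above (detect the project, write .github/workflows/compliance.yml, leave the commit to the user) as a small Python stand-in. This is an added example, not the toolkit's compliance_tool.py; the manifest heuristic, the is_pinned_ref helper, the read-only permissions block and the ref parameter are my additions. The README's generated YAML uses @main so every repo picks up toolkit changes automatically; the ref parameter lets a repo instead pin the action to a full commit SHA, trading that auto-update for the ability to review what runs on each pull request.

```python
"""Stand-in for the README's --setup onboarding step (added example, not the toolkit's code)."""
from pathlib import Path
import tempfile

# Action slug and path exactly as shown in the README's workflow (the org name is a placeholder there too).
DEFAULT_TOOLKIT = "your-org-name/compliance-toolkit"
ACTION_PATH = ".github/actions/license-check"
WORKFLOW_RELPATH = Path(".github") / "workflows" / "compliance.yml"

# Assumed heuristic: the directory counts as a project root if one of these manifests is present.
MANIFESTS = ("pyproject.toml", "requirements.txt", "package.json")


def detect_project(repo_root: Path) -> dict:
    """Report which dependency manifests exist under repo_root."""
    return {name: (Path(repo_root) / name).is_file() for name in MANIFESTS}


def is_pinned_ref(ref: str) -> bool:
    """True when ref is a full 40-hex commit SHA, i.e. the action is pinned rather than tracking a branch."""
    return len(ref) == 40 and all(c in "0123456789abcdef" for c in ref.lower())


def render_workflow(toolkit: str = DEFAULT_TOOLKIT, ref: str = "main", apply_fix: bool = False) -> str:
    """Render the README's workflow; `permissions: contents: read` is an added least-privilege default."""
    return (
        "name: OS Readiness Check\n"
        "on: [pull_request, workflow_dispatch]\n"
        "\n"
        "permissions:\n"
        "  contents: read\n"
        "\n"
        "jobs:\n"
        "  check:\n"
        "    runs-on: ubuntu-latest\n"
        "    steps:\n"
        "      - uses: actions/checkout@v4\n"
        "      - name: Run License Recommender\n"
        f"        uses: {toolkit}/{ACTION_PATH}@{ref}\n"
        "        with:\n"
        f"          apply_fix: '{str(apply_fix).lower()}'\n"
    )


def write_compliance_workflow(repo_root, ref: str = "main", apply_fix: bool = False, overwrite: bool = False):
    """Write .github/workflows/compliance.yml and return its path.

    Returns None without touching anything if a workflow already exists and overwrite is False,
    so re-running --setup never clobbers a file the repo owners have customised.
    """
    repo_root = Path(repo_root)
    if not any(detect_project(repo_root).values()):
        raise FileNotFoundError(f"{repo_root} does not look like a project root (no manifest found)")
    target = repo_root / WORKFLOW_RELPATH
    if target.exists() and not overwrite:
        return None
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(render_workflow(ref=ref, apply_fix=apply_fix), encoding="utf-8")
    return target


def write_workflow_in_tempdir(ref: str = "main", apply_fix: bool = False) -> Path:
    """Constructed demo: a throwaway repo containing only a pyproject.toml, then the onboarding step."""
    root = Path(tempfile.mkdtemp(prefix="compliance-demo-"))
    (root / "pyproject.toml").write_text("[project]\nname = 'demo'\n", encoding="utf-8")
    return write_compliance_workflow(root, ref=ref, apply_fix=apply_fix)


if __name__ == "__main__":
    path = write_workflow_in_tempdir()
    print(f"wrote {path}\n")
    print(path.read_text(encoding="utf-8"))
```

Running the block writes the workflow into a fresh temporary directory and prints it; in a real repo you would call write_compliance_workflow(".") from the project root and commit the result as the README describes.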

⚖️ License Logic

The tool evaluates your project's "Inbound" dependencies (what you use) to determine the safest "Outbound" license (what you release under).

| Dependency License | Recommended Release | Commercial Allowed? | Rationale |
|---|---|---|---|
| MIT / Apache / BSD | Apache-2.0 or MIT | ✅ Yes | Permissive licenses allow for both open and proprietary re-distribution. |
| LGPL | Apache-2.0 | ⚠️ Restricted | Allowed commercially if the library is dynamically linked and not modified. |
| GPL (v2 or v3) | GPL-3.0-only | ❌ No | Strong copyleft "viral" effect requires your project to be Open Source. |
| AGPL | AGPL-3.0-only | ❌ No | Extends copyleft to network services (SaaS). Your source must be public. |
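The inbound-to-outbound logic in the table, carried through as working Python. This is an added example and not the toolkit's own recommender: the grouping of SPDX identifiers into the four table rows, the choice of Apache-2.0 over MIT for the permissive row, and the handling of unrecognised identifiers are my assumptions. The one point the table leaves implicit is what happens when a project mixes licences; here the most restrictive dependency wins, and a licence the tool does not recognise is never silently treated as permissive but is reported for manual review.

```python
"""Inbound -> outbound licence recommendation following the README's License Logic table.
Added example, not the toolkit's code; SPDX groupings and the 'review' outcome are assumptions."""
from dataclasses import dataclass

# Each table row, ranked from least to most restrictive. Rank 4 is not in the table:
# it is the outcome for any identifier outside the known groups.
PERMISSIVE = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC", "0BSD"}
WEAK_COPYLEFT = {"LGPL-2.1-only", "LGPL-2.1-or-later", "LGPL-3.0-only", "LGPL-3.0-or-later"}
STRONG_COPYLEFT = {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only", "GPL-3.0-or-later"}
NETWORK_COPYLEFT = {"AGPL-3.0-only", "AGPL-3.0-or-later"}

# SPDX matching is case-insensitive, so the lookup is keyed on lower-case ids.
_RANK_BY_ID = {}
for _rank, _group in enumerate((PERMISSIVE, WEAK_COPYLEFT, STRONG_COPYLEFT, NETWORK_COPYLEFT)):
    for _spdx_id in _group:
        _RANK_BY_ID[_spdx_id.lower()] = _rank
UNKNOWN_RANK = 4

# (outbound licence, commercial answer, rationale) per rank, paraphrasing the table rows.
TABLE = {
    0: ("Apache-2.0", "yes", "Permissive licences allow both open and proprietary redistribution."),
    1: ("Apache-2.0", "restricted", "Allowed commercially only if the LGPL library is dynamically linked and unmodified."),
    2: ("GPL-3.0-only", "no", "Strong copyleft requires the project itself to be open source."),
    3: ("AGPL-3.0-only", "no", "Copyleft extends to network services (SaaS); the source must be public."),
    UNKNOWN_RANK: ("UNRESOLVED", "review", "At least one dependency licence is unrecognised; resolve it before release."),
}


def rank(spdx_id: str) -> int:
    """Severity rank of one dependency licence (0 permissive ... 3 network copyleft, 4 unknown)."""
    return _RANK_BY_ID.get(spdx_id.strip().lower(), UNKNOWN_RANK)


@dataclass(frozen=True)
class Recommendation:
    outbound: str      # licence to release under
    commercial: str    # "yes", "restricted", "no" or "review"
    rationale: str
    drivers: tuple     # the dependency licences (as given) that decided the outcome


def recommend(dep_licenses) -> Recommendation:
    """Most restrictive inbound licence decides the outbound one; no dependencies means permissive."""
    ranked = [(rank(lic), lic) for lic in dep_licenses]
    top = max((r for r, _ in ranked), default=0)
    drivers = tuple(sorted({lic for r, lic in ranked if r == top}))
    outbound, commercial, rationale = TABLE[top]
    return Recommendation(outbound, commercial, rationale, drivers)


if __name__ == "__main__":
    # Constructed sample dependency sets, one per table row plus the unknown case.
    for deps in (["MIT", "BSD-3-Clause"], ["MIT", "LGPL-3.0-only"], ["Apache-2.0", "GPL-2.0-only"],
                 ["GPL-3.0-only", "AGPL-3.0-only"], ["MIT", "Proprietary"]):
        rec = recommend(deps)
        print(f"{deps!s:40} -> {rec.outbound:14} commercial={rec.commercial:10} drivers={rec.drivers}")
```

The drivers field is what a PR comment should surface: it names the exact dependencies that forced a copyleft or unresolved outcome, which is what a developer needs in order to swap a library or resolve an unknown licence.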

About

testing open toolkit