Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
ComplianceLicense Compliance

Open source licenses can sink a deal. Know what you're shipping.

GPL in a commercial product. AGPL in a SaaS. A copyleft dependency buried three levels deep. O3 finds every license across your entire dependency graph and flags anything that conflicts with how you distribute your software.

O3 · License Policy Check
2 conflicts
[email protected]MIT · direct
Approved
[email protected]GPL-3.0 · transitive
Copyleft
[email protected]MIT · transitive
Approved
[email protected]AGPL-3.0 · transitive
Network use
[email protected]MIT · direct
Approved

✗ Policy violation: AGPL-3.0 detected in SaaS deployment path. Build blocked.

FULL DEPENDENCY GRAPH SCAN

Every license. Every layer. Every transitive dependency.

Catalogues every license across your entire dependency tree — direct dependencies, transitive packages, and deeply nested sub-dependencies — automatically on every pull request.

Direct and transitive licenses catalogued automatically
SPDX expression parsing (AND, OR, WITH operators)
Custom policy allow/deny rules per repository
CI build blocked on first unapproved license detection
O3 · License Policy Check
2 conflicts
[email protected]MIT · direct
Approved
[email protected]GPL-3.0 · transitive
Copyleft
[email protected]MIT · transitive
Approved
[email protected]AGPL-3.0 · transitive
Network use
[email protected]MIT · direct
Approved

✗ Policy violation: AGPL-3.0 detected in SaaS deployment path. Build blocked.

COPYLEFT CONFLICT ANALYSIS

GPL at depth 3 still triggers copyleft. We find it.

Identifies GPL, AGPL, and LGPL licenses that conflict with your distribution model — and traces the full dependency chain showing exactly where the conflict originates, even three or four levels deep.

GPL/AGPL/LGPL conflict detection in full dep tree
Full chain shown from your code to the conflict
LGPL dynamic vs. static linking analysis
Network copyleft (AGPL) flagged for SaaS products
O3 · Copyleft Conflict Trace
Chain depth: 3
your-appYour code
Proprietary
MIT
[email protected]Transitive L1
BSD-3-Clause
[email protected]Transitive L2
GPL-3.0

GPL-3.0 at depth 3 · Conflicts with commercial distribution · Fix: replace gpl-parser or isolate behind a service boundary.

CI POLICY ENFORCEMENT

Define the policy once. Enforce it everywhere, automatically.

Fail builds when unapproved licenses appear. Define your license policy once per repository and enforce it automatically on every pull request across your entire organization.

Policy defined as code (YAML/JSON config)
Per-repository allow/deny overrides supported
PR blocked immediately on first violation detection
Slack/GitHub notification with exact package and license
O3 · License Policy Enforcement
Build Blocked
# .o3/license-policy.yml
allowed:
- MIT
- Apache-2.0
- BSD-2-Clause
- BSD-3-Clause
blocked:
- GPL-3.0
- AGPL-3.0
- LGPL-2.1
Dependency graph scan
Done
License detection
Done
Policy enforcement check
Failed

Build blocked · [email protected] (GPL-3.0) violates policy · PR cannot merge

M&A DUE DILIGENCE

Know the legal exposure. Before the deal closes.

Generate board-ready license due diligence reports from any repository in minutes — covering every license obligation in an acquisition target so you know exactly what you're buying.

Comprehensive license report from any repo in minutes
Copyleft obligations and remediation cost estimated
AGPL/SaaS delivery conflicts flagged with legal note
Executive summary formatted for board presentation
O3 · M&A Due Diligence Report — AcquiCo Software
Confidential
14
Total licenses
11
Policy compliant
3
Requires review
backend-coreAGPL-3.0
SaaS delivery triggers copyleft
High
pdf-rendererLGPL-2.1
Dynamic linking — review needed
Medium
legacy-parserGPL-2.0
Must be removed or isolated
High
FAQ

Questions,
answered.

Everything teams ask before rolling this out. Still stuck? Reach our team.

  • Copyleft licenses like GPL and AGPL require derivative works to be released under the same terms. For commercial software, this can mean being forced to open-source proprietary code, void licensing arrangements, or face infringement claims. These obligations are triggered not just by direct dependencies but by transitive ones buried deep in the dependency graph, which is why automated detection across the full tree is essential.
  • GPL (General Public License) requires any software that incorporates GPL code to be distributed under GPL terms. LGPL (Lesser GPL) allows linking to LGPL libraries without triggering copyleft, but modifications to the library itself must remain open. AGPL (Affero GPL) extends GPL copyleft to network use, providing a SaaS application that uses AGPL code triggers the same source-disclosure obligations as distributing it.
  • O3 builds a full dependency graph from your package manifest files, including all transitive dependencies at every depth level. It parses SPDX license expressions for each package, applies your organization's license policy, and flags any conflict with the complete dependency chain shown so you know exactly where the problematic license originates.
  • Yes. O3 generates board-ready license due diligence reports for acquisition targets. The report covers every unique license detected, policy compliance status, specific components requiring legal review, and the risk level of each obligation. These reports can be generated within minutes of connecting to a target repository.
  • O3 integrates with GitHub Actions, GitLab CI, Jenkins, and other CI/CD platforms. You define a license policy (approved licenses, denied licenses, require-review licenses) once in your organization settings. O3 then evaluates every pull request against that policy and blocks merges when unapproved licenses appear, before they reach production.