loaditout.ai

Comply

MCP Tool

SiteWarming/Comply

AI-powered open source license compliance scanner. Analyzes how dependencies are actually used — not just what license they have — to determine if obligations trigger for your distribution model. Multi-agent AI pipeline, MCP server for Claude Code integration, and structured output for AI assistants. Zero API keys needed for local use.

Install

$ npx loaditout add SiteWarming/Comply

Platform-specific configuration:

.claude/settings.json
{
  "mcpServers": {
    "Comply": {
      "command": "npx",
      "args": [
        "-y",
        "Comply"
      ]
    }
  }
}

Add the config above to .claude/settings.json under the mcpServers key.

About

Comply OSS

AI-powered open source license compliance agent.

Comply scans your codebase, resolves licenses for every dependency, evaluates compliance against your policy, and uses AI to analyze *how* flagged packages are actually used — because "GPL detected" isn't the same as "GPL obligations triggered."

Why This Exists

Existing tools (FOSSA, Snyk, WhiteSource) flag licenses but don't reason about context. They'll tell you "GPL detected in 14 packages" with zero context about whether your specific usage actually triggers copyleft obligations. The answer depends on your distribution model, how the code is linked, and whether you're shipping a product or running a service. Those tools don't make that distinction.

Comply does. It reads your actual source code to determine whether the way you use a package triggers its license terms. GPL in a SaaS product that is never distributed? Usually fine, because GPL obligations attach to conveying the software, not to running it. GPL in a CLI tool shipped to customers? That is a real problem. AGPL in anything network-facing? Red alert, because AGPL extends the source obligation to users who interact with the software over a network. Comply makes those distinctions automatically.
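The decision the paragraphs above describe, as an added example that is not Comply's own code: a small TypeScript evaluator that takes each dependency's resolved SPDX license id, how the code actually uses it (runtime, network-facing service, or build/test only), and the product's distribution model, and decides whether the license's obligations trigger. The license-to-class table, the severity tiers, the package names and the sample dependency list are all constructed for illustration and are assumptions, not Comply's policy model; the rule encoded is that GPL, LGPL and permissive obligations attach when software is conveyed, while AGPL also triggers on network interaction.

```typescript
// Added example in the spirit of the README above; this is NOT Comply's code.
// Everything here (policy buckets, severities, package names, sample data)
// is constructed for illustration.

type Distribution = "saas" | "binary" | "source";          // how the product reaches users
type Usage = "runtime" | "network-service" | "dev-only";    // how the code actually uses the dependency
type Severity = "ok" | "info" | "warning" | "critical";
type LicenseClass = "permissive" | "weak-copyleft" | "strong-copyleft" | "network-copyleft";

interface Dependency { name: string; license: string; usage: Usage; }
interface Finding { name: string; license: string; severity: Severity; reason: string; }

// SPDX id -> policy class (constructed subset; a real policy table is far larger).
const LICENSE_CLASS: Record<string, LicenseClass> = {
  "MIT": "permissive", "ISC": "permissive", "BSD-2-Clause": "permissive",
  "BSD-3-Clause": "permissive", "Apache-2.0": "permissive",
  "LGPL-2.1-only": "weak-copyleft", "LGPL-2.1-or-later": "weak-copyleft",
  "LGPL-3.0-only": "weak-copyleft", "LGPL-3.0-or-later": "weak-copyleft", "MPL-2.0": "weak-copyleft",
  "GPL-2.0-only": "strong-copyleft", "GPL-2.0-or-later": "strong-copyleft",
  "GPL-3.0-only": "strong-copyleft", "GPL-3.0-or-later": "strong-copyleft",
  "AGPL-3.0-only": "network-copyleft", "AGPL-3.0-or-later": "network-copyleft",
};

const RANK: Record<Severity, number> = { ok: 0, info: 1, warning: 2, critical: 3 };

// Core rule: GPL/LGPL/permissive obligations attach when the software is conveyed
// (a copy reaches users); AGPL additionally triggers on network interaction.
function evaluate(dep: Dependency, dist: Distribution): Finding {
  const conveyed = dist !== "saas";
  const cls = LICENSE_CLASS[dep.license] as LicenseClass | undefined;
  const out = (severity: Severity, reason: string): Finding =>
    ({ name: dep.name, license: dep.license, severity, reason });

  if (dep.usage === "dev-only") {
    return out("ok", "build/test tooling only; not part of the shipped product");
  }
  switch (cls) {
    case "network-copyleft":
      return conveyed
        ? out("critical", "AGPL code conveyed; source of the combined work must be offered")
        : out("critical", "AGPL code serving users over the network; source must be offered to them");
    case "strong-copyleft":
      return conveyed
        ? out("critical", "GPL code conveyed with the product; the combined work falls under the GPL")
        : out("ok", "GPL obligations attach to conveyance; SaaS use does not convey");
    case "weak-copyleft":
      return conveyed
        ? out("warning", "weak copyleft conveyed; provide source of the library and any changes to it")
        : out("ok", "weak copyleft obligations attach to conveyance; SaaS use does not convey");
    case "permissive":
      return conveyed
        ? out("info", "permissive; keep the copyright and license notice in the distribution")
        : out("ok", "permissive; nothing triggers without distribution");
    default:
      return out("warning", "unrecognised license '" + dep.license + "'; needs manual review");
  }
}

// Evaluate every dependency and return findings, worst first.
function scan(deps: Dependency[], dist: Distribution): Finding[] {
  return deps.map(d => evaluate(d, dist)).sort((a, b) => RANK[b.severity] - RANK[a.severity]);
}

// Highest severity in a report (what a CI gate would compare against its threshold).
function worst(findings: Finding[]): Severity {
  return findings.reduce<Severity>((w, f) => (RANK[f.severity] > RANK[w] ? f.severity : w), "ok");
}

// Look up one package's severity in a report.
function severityOf(findings: Finding[], name: string): Severity | undefined {
  for (const f of findings) if (f.name === name) return f.severity;
  return undefined;
}

// Constructed sample dependency set; the names are invented, not real packages.
const SAMPLE_DEPS: Dependency[] = [
  { name: "example-http-client", license: "MIT", usage: "runtime" },
  { name: "example-gpl-parser", license: "GPL-3.0-only", usage: "runtime" },
  { name: "example-agpl-store", license: "AGPL-3.0-only", usage: "network-service" },
  { name: "example-lgpl-codec", license: "LGPL-2.1-or-later", usage: "runtime" },
  { name: "example-gpl-linter", license: "GPL-2.0-only", usage: "dev-only" },
  { name: "example-odd-lib", license: "SEE LICENSE IN LICENSE.txt", usage: "runtime" },
];

const models: Distribution[] = ["saas", "binary"];
for (const dist of models) {
  const report = scan(SAMPLE_DEPS, dist);
  console.log("[" + dist + "] overall: " + worst(report));
  for (const f of report) {
    console.log("  " + f.severity + "  " + f.name + " (" + f.license + "): " + f.reason);
  }
}
```

Running it shows the same dependency set coming out clean for "saas" apart from the AGPL service and the unrecognised license, and turning critical for "binary" because the GPL package is now conveyed. A real evaluator needs more context than this table carries: whether the copyleft code is statically linked, dynamically linked or run as a separate process, whether the AGPL component was modified, and whether "dev-only" really means the package never reaches the artifact. That missing context is exactly what the README says Comply recovers by reading the source rather than only the manifest.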

Built For
  • PE/M&A Due Diligence — Scan every repo in a target company's GitHub org. Hand the executive summary to counsel. Attach the detailed reports to the diligence memo.
  • Engineering Compliance — Run in CI, fail builds on new violations, generate NOTICES files automatically.
  • Legal Teams — Human-readable reports with severity tiers, plain-English executive summaries, and specific remediation steps.
  • Open Source Maintainers — Keep your dependency tree clean. Auto-generate the NOTICES/ATTRIBUTION file most projects forget.
Quick Start
# Scan the current directory
npx comply-oss scan .

# Or install globally
npm install -g comply-oss
comply scan /path/to/your/repo --verbose
Commands
comply scan [path]

Core audit command. Scans a repository and produces a full compliance report.

comply scan .                           # Basic scan
comply scan . --verbo

Tags

ai-agent, claude-code, cli, compliance-automation, dependency-scanner, developer-tools, license-audit, license-compliance, mcp-server, open-source, openrouter, sbom, spdx, typescript


Quality Signals

Installs: 0
Last updated: 21 days ago
Security: A
README

Safety

Risk Level: medium
Data Access: read
Network Access: none

Details

Source: github-crawl
Last commit: 3/26/2026

Embed Badge

[![Loaditout](https://loaditout.ai/api/badge/SiteWarming/Comply)](https://loaditout.ai/skills/SiteWarming/Comply)