LicenseHound

Your customer just asked for an SBOM.
You have hours, not days.

LicenseHound walks every transitive dependency in your repo, maps each to an SPDX license, and flags the ones procurement is going to flinch at — AGPL in your product code, "or later" clauses, packages with no metadata at all. Free CLI. Free GitHub Action. Paid dashboard when you're ready.

Get the v0.1 release (and the SBOM-request playbook):

No spam. Unsubscribe link in every email. We'll send you exactly two things: the launch announcement, and a one-pager on responding to procurement license questions.

30-second tour

$ pip install licensehound
$ licensehound scan .
Lockfiles scanned:
  ✓ /Users/dev/myapp/package-lock.json (147 packages)
  ✓ /Users/dev/myapp/uv.lock (38 packages)

License summary:
  MIT                    98 packages
  Apache-2.0             42 packages
  BSD-3-Clause           18 packages
  ISC                    14 packages
  GPL-3.0-or-later        2 packages
  (no metadata)           3 packages

  ⚠ 3 package(s) had no license metadata in the lockfile.
    Review manually or upgrade your lockfile.

v0.0.1 is shipping now: the parsers for npm and Python uv lockfiles work today. The PyPI package behind pip install licensehound lands in a few days; until then, install from the GitHub repo.
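As an added example (not LicenseHound's own code), here is the core of a scan like the one above over an npm package-lock.json, assuming lockfileVersion 2 or 3, whose "packages" entries may carry a "license" field. It covers the cases the FAQ singles out: compound SPDX expressions, "or later" clauses and packages with no metadata; the sample lockfile and package names are constructed.

```python
# Added example, not LicenseHound's code: a toy `licensehound scan` for an npm
# lockfileVersion 2/3 package-lock.json, whose "packages" entries may carry "license".
import json
import re
from collections import Counter

SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {  # constructed sample
    "": {"name": "myapp", "version": "1.0.0"},
    "node_modules/a": {"version": "1.0.0", "license": "MIT"},
    "node_modules/b": {"version": "2.0.0", "license": "Apache-2.0"},
    "node_modules/c": {"version": "0.1.0", "license": "GPL-3.0-or-later"},
    "node_modules/d": {"version": "3.2.1", "license": "AGPL-3.0-only"},
    "node_modules/e": {"version": "1.1.0", "license": "(MIT OR GPL-2.0+)"},
    "node_modules/f": {"version": "0.0.9"},  # no license metadata at all
}})

COPYLEFT_PREFIXES = ("AGPL-", "GPL-", "LGPL-")
SPDX_OPERATORS = {"AND", "OR", "WITH"}

def spdx_ids(expression):
    """Split an SPDX expression such as '(MIT OR GPL-2.0+)' into license ids."""
    return [t for t in re.findall(r"[A-Za-z0-9.+-]+", expression)
            if t not in SPDX_OPERATORS]

def summarize_lockfile(text):
    """Count licenses and flag the cases procurement asks about."""
    counts = Counter()
    flags = {"missing": [], "or_later": [], "dual": [], "copyleft": []}
    for path, entry in json.loads(text).get("packages", {}).items():
        if path == "":
            continue  # the root project itself, not a dependency
        name = path.rsplit("node_modules/", 1)[-1]
        lic = entry.get("license")
        if not lic:
            counts["(no metadata)"] += 1
            flags["missing"].append(name)
            continue
        counts[lic] += 1
        ids = spdx_ids(lic)
        if " OR " in lic:
            flags["dual"].append(name)  # a human must choose the branch
        # "or later" is spelled as an -or-later suffix or a legacy trailing '+'
        if any(i.endswith(("-or-later", "+")) for i in ids):
            flags["or_later"].append(name)
        if any(i.startswith(COPYLEFT_PREFIXES) for i in ids):
            flags["copyleft"].append(name)
    return {"counts": dict(counts), "flags": flags}

if __name__ == "__main__":
    for lic, n in sorted(summarize_lockfile(SAMPLE_LOCK)["counts"].items()):
        print(f"  {lic:<24}{n:>3} packages")
```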

Pricing

Free

$0
  • CLI + GitHub Action
  • 1 repo
  • Built-in policy
  • Community support

Starter

$79/mo
  • 5 repos
  • Custom policies
  • Slack alerts
  • Historical SBOM

Team

$199/mo
  • 25 repos
  • Procurement PDF exports
  • Branch protection enforcement
  • Per-repo policy

Business

$499/mo
  • Unlimited repos
  • SSO / SAML
  • Audit log export
  • API access

Need this before the hosted dashboard ships? Early-access program is open: free CLI now plus weekly procurement-ready PDFs generated for you, until the dashboard lands. Email licensehound@quantcalc.app with a sentence about your stack and the customer/auditor ask.

Questions

How is this different from Snyk Open Source / FOSSA / Black Duck?

Those tools are excellent and cost $10k–$50k/year because they sell into legal/security teams at companies that already have a compliance budget. LicenseHound sells into engineering at companies that don't — yet. We do less, on purpose, and we cost less.

How is this different from licensee / pip-licenses / Dependabot's license check?

Those are great free tools that handle the easy 80%. LicenseHound is built around the 20% that bites: dual-licensed packages, transitive resolution, "or later" clauses, packages with no SPDX metadata. We surface ambiguity instead of hiding it.

Is the CLI open source?

Yes. Apache 2.0 on GitHub. The hosted dashboard, multi-repo policy management, and procurement PDFs are the paid parts.

What if I just need to answer one customer's SBOM request and never again?

The free CLI handles that. Run licensehound scan --report sbom.pdf (in v0.0.2), send the PDF, done.

When does this ship?

v0.0.1 with the JavaScript / Python lockfile parsers and the basic CLI is on GitHub now. PyPI release in a few days. Rust and Go follow in June 2026. Hosted dashboard in July.