Legalfile
3 February 2026
Automate checks on your software for open-source licensing and legal liability
The Opportunity
When government agencies build digital services, they often use free, open-source software (OSS) components to save time and taxpayer money. But these components come with legal rules about how they can be used, shared, and modified (i.e. license terms). Right now, government teams have no easy way to check if they're following these rules correctly.
Currently, checking software licenses requires weeks of manual legal and policy review for each project. Teams may either skip this step entirely (creating risk) or get stuck waiting for review of hundreds of software components one by one. This slows down government digital services and wastes resources that could be diverted to building solutions to help citizens instead.
We have prototyped an automated tool to scan government software and instantly flag potential OSS licensing problems before code gets shared or deployed. This protects the government from legal liability while letting our digital teams move faster and share solutions more confidently with other agencies and countries.
What's Been Built
Government teams can now check their software products for license violations with each change they make to their product. These checks take minutes; previously, the same check took a lawyer or other legal expert days or weeks of manual legal and policy review.
The tool is integrated into a software team's existing pipeline to build and release their software (the CI/CD pipeline), and works like this:
When developers are ready to deploy their code, a tool automatically creates a list of every software component they're using (a Software Bill of Materials, or SBOM), similar to how a recipe for a cake has a list of ingredients. Crucially, this list also contains information about each component's OSS license, effectively the legal terms and requirements to use the component.
Another tool then processes the SBOM, checking each component's legal requirements against policy, written in a form that the tool understands, and immediately flags any problems.
This catches issues that would otherwise take laborious manual reviews by a legal expert, like when the same software component lists conflicting licenses in different files, or when combining certain licenses creates unexpected legal restrictions.
Because it runs as part of an engineering team's CI/CD pipeline, these checks now happen with each change made to the software, far more frequently than arranging manual reviews would allow. Issues are therefore caught when the change happens, rather than going unnoticed and accumulating until the point of manual legal review.
Teams also get a clear report showing exactly which components are safe to use and which ones need attention.
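The SBOM-against-policy check described above, sketched as an added example (not Legalfile's own code): it assumes a CycloneDX-style JSON SBOM and a hypothetical policy table, uses constructed component names, and treats more than one recorded license on a component as a conflict that needs review.

```python
import json

# Hypothetical policy (SPDX id -> decision); not Legalfile's own policy format.
POLICY = {"MIT": "allow", "Apache-2.0": "allow",
          "GPL-3.0-only": "review", "AGPL-3.0-only": "deny"}
RANK = {"allow": 0, "review": 1, "deny": 2}

# Constructed CycloneDX-style SBOM; component names and versions are made up.
SAMPLE_SBOM = json.loads("""{"components": [
  {"name": "fastparse", "version": "2.1.0",
   "licenses": [{"license": {"id": "MIT"}}]},
  {"name": "imgtools", "version": "0.9.3",
   "licenses": [{"license": {"id": "MIT"}}, {"license": {"id": "AGPL-3.0-only"}}]},
  {"name": "legacy-auth", "version": "1.4.2", "licenses": []},
  {"name": "pdfkit-ng", "version": "3.0.1",
   "licenses": [{"license": {"name": "Custom Vendor Terms"}}]}]}""")

def check_component(component, policy=POLICY):
    """Return (decision, reasons); anything unknown fails closed to 'review'."""
    ids, reasons = set(), []
    for entry in component.get("licenses") or []:
        spdx_id = entry.get("license", {}).get("id")
        if spdx_id:
            ids.add(spdx_id)
        else:  # free-text name or expression: cannot be matched to policy here
            reasons.append("license entry without an SPDX id")
    if not ids and not reasons:
        reasons.append("no license declared")
    decision = "review" if reasons else "allow"
    for spdx_id in sorted(ids):
        verdict = policy.get(spdx_id, "review")
        if verdict != "allow":
            reasons.append(f"{spdx_id}: {verdict}")
        decision = max(decision, verdict, key=RANK.get)
    if len(ids) > 1:  # several licenses recorded: a person must decide which applies
        reasons.append("conflicting declarations: " + ", ".join(sorted(ids)))
        decision = max(decision, "review", key=RANK.get)
    return decision, reasons

def check_sbom(sbom, policy=POLICY):  # maps 'name@version' to (decision, reasons)
    return {f"{c['name']}@{c['version']}": check_component(c, policy)
            for c in sbom.get("components", [])}

def gate(report):  # CI exit code: 1 if any component is denied, else 0
    return int(any(decision == "deny" for decision, _ in report.values()))

if __name__ == "__main__":
    report = check_sbom(SAMPLE_SBOM)
    print(json.dumps(report, indent=2))
    raise SystemExit(gate(report))
```

Components with no license or a free-text license land in "review" rather than "allow", so a gap in the SBOM cannot pass the gate silently.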
We also built an SBOM license visualiser at legalfile.on.spaceship.gov.sg (Singapore Government email required for login), where teams can upload their projects and see results immediately.

The License Visualiser for Legalfile (legalfile.on.spaceship.gov.sg)
What's working now
Teams can run a check on typical government web applications in under 5 minutes and get detailed reports on license compliance, without much change to their existing workflows.
What still needs work
The system doesn't yet catch custom legal terms that some software authors add beyond standard licenses.
Traction
The tool was added by 3 teams participating in Hack for Public Good 2026: SpeakEasy, isitdown and open47. This in turn will allow teams to save roughly two days of effort, from both the product team and the legal reviewer, that would otherwise have been spent compiling and reviewing an SBOM.
This product can be foundational work for the tooling team to build upon to supplement or supersede an org-wide open-source software license scanner that was built earlier by an intern.
The tooling team may opt to refine our work to introduce the CI/CD tools we built as part of OGP’s StarterKit and NestKit.
Fixes and enhancements made to SemClone's tools that we depend on have been merged upstream.
Source Code
Legal Action - a GitHub Action, added to CI/CD setups, that uses legalfile's components to scan a codebase for open-source licenses and reports related legal liability.