Legalfile
3 February 2026
Automate checks on your software for open-source licensing and legal liability
The Opportunity
When government agencies build digital services, they often use free, open-source software (OSS) components to save time and taxpayer money. But these components come with legal rules about how they can be used, shared, and modified (i.e. license terms). Right now, government teams have no easy way to check if they're following these rules correctly.
Currently, checking software licenses requires weeks of manual legal and policy review for each project. Teams may either skip this step entirely (creating risk) or get stuck waiting for hundreds of software components to be reviewed one by one. This slows down government digital services and wastes resources that could instead go towards building solutions to help citizens.
We have prototyped an automated tool to scan government software and instantly flag potential OSS licensing problems before code gets shared or deployed. This protects the government from legal liability while letting our digital teams move faster and share solutions more confidently with other agencies and countries.
What's Been Built
Government teams can now automatically scan their software projects for license violations in minutes instead of waiting days or weeks for manual legal and policy review.
We built a scanning system that works like this:
when developers are ready to deploy their code, a tool automatically creates an inventory of every software component they're using (a Software Bill of Materials, or SBOM)
another tool then processes the SBOM, checks each component's legal requirements against policy (defined as a configuration file), and immediately flags any problems before the software goes live.
This catches issues that would otherwise require laborious manual review, such as the same software component listing conflicting licenses in different files, or a combination of licenses that creates unexpected legal restrictions. Because it runs as part of an engineering team's CI/CD pipeline, these checks can happen far more frequently than if one had to arrange manual reviews, so issues are caught in a more timely fashion.
Teams also get a clear report showing exactly which components are safe to use and which ones need attention.
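To make the two-stage flow above concrete, here is an added example (not Legalfile's or Legal Action's own code) of the second stage: a small checker that reads a CycloneDX-style SBOM and a policy configuration file, flags denied, missing and ambiguous licenses per component, flags license pairs the policy marks incompatible anywhere in the project, and renders a short report. The SBOM, the policy keys (`allowed`, `denied`, `incompatible`) and the severity labels are all constructed for this example; SPDX expressions are read conservatively, counting every license they name.

```python
"""Minimal SBOM licence policy check.

Added example, not Legalfile's or Legal Action's own code. It reads a
CycloneDX-style SBOM (JSON) and a policy file (JSON), then flags components
whose licences are denied, missing, or ambiguous, and licence pairs that the
policy marks incompatible anywhere in the project. Field names in the policy
file and the severity labels are assumptions made for this example.
"""
import json
from collections import defaultdict

SPDX_OPERATORS = {"AND", "OR", "WITH"}
BLOCKING = {"DENIED", "INCOMPATIBLE", "AMBIGUOUS", "UNKNOWN"}

# Constructed sample SBOM in CycloneDX 1.5 JSON shape; not a real inventory.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"name": "tiny-utils", "version": "1.3.0",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"name": "strong-copyleft-lib", "version": "2.0.0",
         "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},
        # One component, two licences from different files (LICENSE vs. package metadata).
        {"name": "mixed-signals", "version": "0.9.1",
         "licenses": [{"license": {"id": "Apache-2.0"}},
                      {"license": {"id": "GPL-2.0-only"}}]},
        # SPDX expression: every named licence is counted, the conservative reading.
        {"name": "choose-one", "version": "3.1.0",
         "licenses": [{"expression": "(MIT OR Apache-2.0)"}]},
        {"name": "fringe-lib", "version": "1.0.0",
         "licenses": [{"license": {"id": "EUPL-1.2"}}]},
        {"name": "no-metadata", "version": "4.2.0", "licenses": []},
    ],
})

# Constructed policy file; the key names are this example's own convention.
SAMPLE_POLICY = json.dumps({
    "allowed": ["MIT", "Apache-2.0", "BSD-3-Clause", "ISC", "GPL-2.0-only"],
    "denied": ["AGPL-3.0-only", "SSPL-1.0"],
    "incompatible": [["Apache-2.0", "GPL-2.0-only"]],
})


def licences_of(component):
    """Return the SPDX identifiers a component declares, expressions flattened."""
    ids = set()
    for entry in component.get("licenses", []):
        if "license" in entry:
            lic = entry["license"]
            ids.add(lic.get("id") or lic.get("name", ""))
        elif "expression" in entry:
            tokens = entry["expression"].replace("(", " ").replace(")", " ").split()
            ids.update(t for t in tokens if t.upper() not in SPDX_OPERATORS)
    return {i.strip() for i in ids if i and i.strip()}


def check_sbom(sbom_text, policy_text):
    """Evaluate an SBOM against a policy. Returns {"findings": [...], "passed": bool}."""
    sbom = json.loads(sbom_text)
    policy = json.loads(policy_text)
    allowed = set(policy.get("allowed", []))
    denied = set(policy.get("denied", []))
    incompatible = [frozenset(pair) for pair in policy.get("incompatible", [])]

    findings = []
    carriers = defaultdict(list)  # licence id -> components that declare it
    for comp in sbom.get("components", []):
        label = f"{comp.get('name')}@{comp.get('version')}"
        ids = licences_of(comp)
        if not ids:
            findings.append(("UNKNOWN", label, "no licence declared"))
            continue
        # Several separate licence entries on one component means the sources
        # disagree (e.g. LICENSE file vs. package metadata); a human must decide.
        if sum(1 for e in comp["licenses"] if "license" in e) > 1:
            findings.append(("AMBIGUOUS", label,
                             "declares several licences: " + ", ".join(sorted(ids))))
        for lic in sorted(ids):
            carriers[lic].append(label)
            if lic in denied:
                findings.append(("DENIED", label, f"{lic} is on the deny list"))
            elif lic not in allowed:
                findings.append(("UNLISTED", label, f"{lic} is not covered by policy"))

    # Project-wide check: two licences the policy calls incompatible are both present.
    for pair in incompatible:
        if all(lic in carriers for lic in pair):
            detail = "; ".join(f"{lic} via {', '.join(carriers[lic])}" for lic in sorted(pair))
            findings.append(("INCOMPATIBLE", "<project>", detail))

    return {"findings": findings,
            "passed": not any(sev in BLOCKING for sev, _, _ in findings)}


def render_report(result):
    """Human-readable report, one line per finding plus the verdict."""
    lines = [f"{sev:<12} {label:<28} {detail}" for sev, label, detail in result["findings"]]
    lines.append("VERDICT: " + ("pass" if result["passed"] else "fail, do not deploy"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(check_sbom(SAMPLE_SBOM, SAMPLE_POLICY)))
```

In a pipeline the SBOM text would come from the generator in the first stage and the policy from a file checked into the repository; a non-zero exit on `passed == False` is what stops the deployment. The `UNLISTED` severity is deliberately non-blocking so that a new but harmless license shows up for attention without breaking every build; whether that is the right trade-off is a policy decision, not a tooling one.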
We also built an SBOM license visualiser at legalfile.on.spaceship.gov.sg (Singapore Government email required for login), where teams can upload their projects and see results immediately.

The License Visualiser for Legalfile (legalfile.on.spaceship.gov.sg)
What's working now
Teams can scan typical government web applications in under 5 minutes and get detailed reports on license compliance.
What still needs work
The system doesn't yet catch custom legal terms that some software authors add beyond standard licenses.
Traction
This product is foundational work for the tooling team to build upon, to supplement or supersede an org-wide open-source software license scanner that was built earlier by an intern.
The tooling team may opt to refine our work to introduce the CI/CD tools we built as part of OGP’s StarterKit and NestKit.
Fixes and enhancements made to SemClone's tools that we depend on have been merged upstream.
Source Code
Legal Action - a GitHub Action, added to CI/CD setups, that uses legalfile's tools to scan a codebase for open-source licenses and report the related legal liability.