# 📜 Open-Source License & Dependency Audit API (`taroyamada/open-source-license-dependency-audit`) Actor Audit npm packages for license risk, dependency depth, maintainer activity, and compliance posture. One clean summary row per package — no brittle scraping, just stable registry metadata. Perfect for legal/compliance teams, engineering leads, and procurement workflows. - **URL**: https://apify.com/taroyamada/open-source-license-dependency-audit.md - **Developed by:** [åĪŠéƒŽ åąąį”°](https://apify.com/taroyamada) (community) - **Categories:** Developer tools, Automation, Business - **Stats:** 1 total users, 0 monthly users, 0.0% runs succeeded, NaN bookmarks - **User rating**: No ratings yet ## Pricing from $8.00 / 1,000 results This Actor is paid per event. You are not charged for the Apify platform usage, but only a fixed price for specific events. Learn more: https://docs.apify.com/platform/actors/running/actors-in-store#pay-per-event ## What's an Apify Actor? Actors are a software tools running on the Apify platform, for all kinds of web data extraction and automation use cases. In Batch mode, an Actor accepts a well-defined JSON input, performs an action which can take anything from a few seconds to a few hours, and optionally produces a well-defined JSON output, datasets with results, or files in key-value store. In Standby mode, an Actor provides a web server which can be used as a website, API, or an MCP server. Actors are written with capital "A". ## How to integrate an Actor? If asked about integration, you help developers integrate Actors into their projects. You adapt to their stack and deliver integrations that are safe, well-documented, and production-ready. The best way to integrate Actors is as follows. In JavaScript/TypeScript projects, use official [JavaScript/TypeScript client](https://docs.apify.com/api/client/js.md): ```bash npm install apify-client ``` In Python projects, use official [Python client library](https://docs.apify.com/api/client/python.md): ```bash pip install apify-client ``` In shell scripts, use [Apify CLI](https://docs.apify.com/cli/docs.md): ````bash # MacOS / Linux curl -fsSL https://apify.com/install-cli.sh | bash # Windows irm https://apify.com/install-cli.ps1 | iex ```bash In AI frameworks, you might use the [Apify MCP server](https://docs.apify.com/platform/integrations/mcp.md). If your project is in a different language, use the [REST API](https://docs.apify.com/api/v2.md). For usage examples, see the [API](#api) section below. For more details, see Apify documentation as [Markdown index](https://docs.apify.com/llms.txt) and [Markdown full-text](https://docs.apify.com/llms-full.txt). # README ## 📜 Open-Source License & Dependency Audit API Audit npm packages for license risk, dependency depth, maintainer activity, and compliance posture. One clean summary row per package — no brittle scraping, just stable registry metadata. Perfect for legal/compliance teams, engineering leads, and procurement workflows. ### Store Quickstart Run this actor with your target input. Results appear in the Apify Dataset and can be piped to webhooks for real-time delivery. Use `dryRun` to validate before committing to a schedule. ### Key Features - â€Ē **License classification** — Categorize as permissive, weak-copyleft, strong-copyleft, or unknown - â€Ē **Configurable policy** — `permissive` (strict), `copyleft-ok` (tolerant), or `custom` allow/deny lists - â€Ē **Transitive dependency crawl** — Audit nested deps up to 3 levels deep - â€Ē **Risk scoring** — 0-100 score with A-F grades per package - â€Ē **Maintainer signals** — Maintainer count, last publish date, deprecation status - â€Ē **Summary-first** — One row per package with aggregate transitive risk ### Use Cases | Who | Why | |-----|-----| | Developers | Automate recurring data fetches without building custom scrapers | | Data teams | Pipe structured output into analytics warehouses | | Ops teams | Monitor changes via webhook alerts | | Product managers | Track competitor/market signals without engineering time | ### Input | Field | Type | Default | Description | |-------|------|---------|-------------| | packages | array | prefilled | npm package names to audit (max 200). | | licensePolicy | string | `"permissive"` | Which license policy to apply: 'permissive' flags copyleft licenses as high risk, 'copyleft-ok' treats copyleft as mediu | | allowList | array | `[]` | SPDX identifiers to treat as approved (only used when licensePolicy=custom). | | denyList | array | `[]` | SPDX identifiers to treat as denied (only used when licensePolicy=custom). | | maxDepth | integer | `1` | Maximum transitive dependency depth to crawl (0 = direct only, 1 = one level deep, etc.). | | includeDevDeps | boolean | `false` | Also audit devDependencies of each package. | | concurrency | integer | `5` | Number of parallel requests | | timeoutMs | integer | `15000` | Request timeout in milliseconds | #### Input Example ```json { "packages": [ "express", "react", "lodash", "axios" ], "licensePolicy": "permissive", "allowList": [], "denyList": [], "maxDepth": 1, "includeDevDeps": false, "concurrency": 5, "timeoutMs": 15000, "delivery": "dataset", "dryRun": false } ```` ### Output | Field | Type | Description | |-------|------|-------------| | `meta` | object | | | `results` | array | | | `results[].package` | string | | | `results[].version` | string | | | `results[].license` | string | | | `results[].licenseFamily` | string | | | `results[].riskLevel` | string | | | `results[].description` | string | | | `results[].author` | null | | | `results[].homepage` | string (url) | | | `results[].repository` | string (url) | | | `results[].maintainerCount` | number | | | `results[].lastPublish` | timestamp | | | `results[].daysSincePublish` | number | | | `results[].deprecated` | null | | | `results[].directDeps` | number | | | `results[].devDeps` | number | | | `results[].transitiveDeps` | number | | | `results[].transitiveRiskSummary` | object | | | `results[].score` | object | | | `results[].auditedAt` | timestamp | | | `results[].error` | null | | #### Output Example ```json { "meta": { "generatedAt": "2026-06-15T12:00:00.000Z", "policy": "permissive", "maxDepth": 1, "totals": { "audited": 3, "errors": 0, "highRisk": 0, "mediumRisk": 0, "lowRisk": 3, "gradeA": 2, "gradeB": 1, "gradeC": 0, "gradeD": 0, "gradeF": 0, "deprecated": 0 } }, "results": [ { "package": "express", "version": "4.21.0", "license": "MIT", "licenseFamily": "permissive", "riskLevel": "low", "description": "Fast, unopinionated, minimalist web framework", "author": null, "homepage": "http://expressjs.com/", "repository": "https://github.com/expressjs/express", "maintainerCount": 4, "lastPublish": "2024-09-11T00:00:00.000Z", "daysSincePublish": 45, "deprecated": null, "directDeps": 30, "devDeps": 0, "transitiveDeps": 48, "transitiveRiskSummary": { "total": 48, "high": 0, ``` ### API Usage Run this actor programmatically using the Apify API. Replace `YOUR_API_TOKEN` with your token from [Apify Console → Settings → Integrations](https://console.apify.com/account/integrations). #### cURL ```bash curl -X POST "https://api.apify.com/v2/acts/taroyamada~open-source-license-dependency-audit/run-sync-get-dataset-items?token=YOUR_API_TOKEN" \ -H "Content-Type: application/json" \ -d '{ "packages": [ "express", "react", "lodash", "axios" ], "licensePolicy": "permissive", "allowList": [], "denyList": [], "maxDepth": 1, "includeDevDeps": false, "concurrency": 5, "timeoutMs": 15000, "delivery": "dataset", "dryRun": false }' ``` #### Python ```python from apify_client import ApifyClient client = ApifyClient("YOUR_API_TOKEN") run = client.actor("taroyamada/open-source-license-dependency-audit").call(run_input={ "packages": [ "express", "react", "lodash", "axios" ], "licensePolicy": "permissive", "allowList": [], "denyList": [], "maxDepth": 1, "includeDevDeps": false, "concurrency": 5, "timeoutMs": 15000, "delivery": "dataset", "dryRun": false }) for item in client.dataset(run["defaultDatasetId"]).iterate_items(): print(item) ``` #### JavaScript / Node.js ```javascript import { ApifyClient } from 'apify-client'; const client = new ApifyClient({ token: 'YOUR_API_TOKEN' }); const run = await client.actor('taroyamada/open-source-license-dependency-audit').call({ "packages": [ "express", "react", "lodash", "axios" ], "licensePolicy": "permissive", "allowList": [], "denyList": [], "maxDepth": 1, "includeDevDeps": false, "concurrency": 5, "timeoutMs": 15000, "delivery": "dataset", "dryRun": false }); const { items } = await client.dataset(run.defaultDatasetId).listItems(); console.log(items); ``` ### Tips & Limitations - Schedule weekly runs against your production domains to catch config drift. - Use webhook delivery to pipe findings into your SIEM (Splunk, Datadog, Elastic). - For CI integration, block releases on `critical` severity findings using exit codes. - Combine with `ssl-certificate-monitor` for layered cert + headers coverage. - Findings include links to official remediation docs — share with dev teams via the webhook payload. ### FAQ **Is running this against a third-party site legal?** Passive public-header scanning is generally permitted, but follow your own compliance policies. Only scan sites you have authorization for. **How often should I scan?** Weekly for production domains; daily if you have high config-change velocity. **Can I export to a compliance tool?** Use webhook delivery or Dataset API — formats map well to Drata, Vanta, OneTrust import templates. **Is this a penetration test?** No — this actor performs passive compliance scanning only. No exploitation, fuzzing, or auth bypass. **Does this qualify as a SOC2 control?** This actor produces evidence artifacts suitable for SOC2 CC7.1 (continuous monitoring). It is not itself a SOC2 certification. ### Related Actors Security & Compliance cluster — explore related Apify tools: - [Privacy & Cookie Compliance Scanner | GDPR / CCPA Banner Audit](https://apify.com/taroyamada/privacy-cookie-compliance-scanner) — Scan public privacy pages and cookie banners for GDPR/CCPA compliance signals. - [Security Headers Checker API | OWASP Audit](https://apify.com/taroyamada/security-headers-checker) — Bulk-audit websites for OWASP security headers, grade each response, and monitor header changes between runs. - [SSL Certificate Monitor API | Expiry + Issuer Changes](https://apify.com/taroyamada/ssl-certificate-monitor) — Check SSL/TLS certificates in bulk, detect expiry and issuer changes, and emit alert-ready rows for ops and SEO teams. - [DNS / SPF / DKIM / DMARC Audit API](https://apify.com/taroyamada/dns-dmarc-security-checker) — Bulk-audit domains for SPF, DKIM, DMARC, MX, and email-auth posture with grades and fix-ready recommendations. - [robots.txt AI Policy Monitor | GPTBot ClaudeBot](https://apify.com/taroyamada/robotstxt-ai-checker) — Detect GPTBot, ClaudeBot, Google-Extended, and other AI crawler policies in robots. - [Data Breach Disclosure Monitor | HIPAA Breach Watch](https://apify.com/taroyamada/data-breach-disclosure-monitor) — Monitor the HHS OCR Breach Portal for new HIPAA data breach disclosures. - [WCAG Accessibility Checker API | ADA & EAA Compliance Audit](https://apify.com/taroyamada/wcag-accessibility-checker) — Audit websites for WCAG 2. - [Trust Center & Subprocessor Monitor API](https://apify.com/taroyamada/trust-center-subprocessor-monitor) — Monitor vendor trust centers, subprocessor lists, DPA updates, and security posture changes. ### Cost **Pay Per Event**: - `actor-start`: $0.01 (flat fee per run) - `dataset-item`: $0.003 per output item **Example**: 1,000 items = $0.01 + (1,000 × $0.003) = **$3.01** No subscription required — you only pay for what you use. # Actor input Schema ## `packages` (type: `array`): npm package names to audit (max 200). ## `licensePolicy` (type: `string`): Which license policy to apply: 'permissive' flags copyleft licenses as high risk, 'copyleft-ok' treats copyleft as medium risk, 'custom' uses allowList/denyList. ## `allowList` (type: `array`): SPDX identifiers to treat as approved (only used when licensePolicy=custom). ## `denyList` (type: `array`): SPDX identifiers to treat as denied (only used when licensePolicy=custom). ## `maxDepth` (type: `integer`): Maximum transitive dependency depth to crawl (0 = direct only, 1 = one level deep, etc.). ## `includeDevDeps` (type: `boolean`): Also audit devDependencies of each package. ## `concurrency` (type: `integer`): Number of parallel requests ## `timeoutMs` (type: `integer`): Request timeout in milliseconds ## `delivery` (type: `string`): Where to send results: dataset or webhook ## `webhookUrl` (type: `string`): Webhook URL to POST results to (if delivery=webhook) ## `dryRun` (type: `boolean`): Run without saving results (for testing) ## Actor input object example ```json { "packages": [ "express", "react", "lodash", "axios" ], "licensePolicy": "permissive", "allowList": [], "denyList": [], "maxDepth": 1, "includeDevDeps": false, "concurrency": 5, "timeoutMs": 15000, "delivery": "dataset", "dryRun": false } ``` # API You can run this Actor programmatically using our API. Below are code examples in JavaScript, Python, and CLI, as well as the OpenAPI specification and MCP server setup. ## JavaScript example ```javascript import { ApifyClient } from 'apify-client'; // Initialize the ApifyClient with your Apify API token // Replace the '' with your token const client = new ApifyClient({ token: '', }); // Prepare Actor input const input = { "packages": [ "express", "react", "lodash", "axios" ] }; // Run the Actor and wait for it to finish const run = await client.actor("taroyamada/open-source-license-dependency-audit").call(input); // Fetch and print Actor results from the run's dataset (if any) console.log('Results from dataset'); console.log(`ðŸ’ū Check your data here: https://console.apify.com/storage/datasets/${run.defaultDatasetId}`); const { items } = await client.dataset(run.defaultDatasetId).listItems(); items.forEach((item) => { console.dir(item); }); // 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/js/docs ``` ## Python example ```python from apify_client import ApifyClient # Initialize the ApifyClient with your Apify API token # Replace '' with your token. client = ApifyClient("") # Prepare the Actor input run_input = { "packages": [ "express", "react", "lodash", "axios", ] } # Run the Actor and wait for it to finish run = client.actor("taroyamada/open-source-license-dependency-audit").call(run_input=run_input) # Fetch and print Actor results from the run's dataset (if there are any) print("ðŸ’ū Check your data here: https://console.apify.com/storage/datasets/" + run["defaultDatasetId"]) for item in client.dataset(run["defaultDatasetId"]).iterate_items(): print(item) # 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/python/docs/quick-start ``` ## CLI example ```bash echo '{ "packages": [ "express", "react", "lodash", "axios" ] }' | apify call taroyamada/open-source-license-dependency-audit --silent --output-dataset ``` ## MCP server setup ```json { "mcpServers": { "apify": { "command": "npx", "args": [ "mcp-remote", "https://mcp.apify.com/?tools=taroyamada/open-source-license-dependency-audit", "--header", "Authorization: Bearer " ] } } } ``` ## OpenAPI specification ```json { "openapi": "3.0.1", "info": { "title": "📜 Open-Source License & Dependency Audit API", "description": "Audit npm packages for license risk, dependency depth, maintainer activity, and compliance posture. One clean summary row per package — no brittle scraping, just stable registry metadata. Perfect for legal/compliance teams, engineering leads, and procurement workflows.", "version": "0.1", "x-build-id": "kbH2p632GAQUFd2wh" }, "servers": [ { "url": "https://api.apify.com/v2" } ], "paths": { "/acts/taroyamada~open-source-license-dependency-audit/run-sync-get-dataset-items": { "post": { "operationId": "run-sync-get-dataset-items-taroyamada-open-source-license-dependency-audit", "x-openai-isConsequential": false, "summary": "Executes an Actor, waits for its completion, and returns Actor's dataset items in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK" } } } }, "/acts/taroyamada~open-source-license-dependency-audit/runs": { "post": { "operationId": "runs-sync-taroyamada-open-source-license-dependency-audit", "x-openai-isConsequential": false, "summary": "Executes an Actor and returns information about the initiated run in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/runsResponseSchema" } } } } } } }, "/acts/taroyamada~open-source-license-dependency-audit/run-sync": { "post": { "operationId": "run-sync-taroyamada-open-source-license-dependency-audit", "x-openai-isConsequential": false, "summary": "Executes an Actor, waits for completion, and returns the OUTPUT from Key-value store in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK" } } } } }, "components": { "schemas": { "inputSchema": { "type": "object", "required": [ "packages" ], "properties": { "packages": { "title": "Package Names", "type": "array", "description": "npm package names to audit (max 200).", "items": { "type": "string" } }, "licensePolicy": { "title": "License Policy", "enum": [ "permissive", "copyleft-ok", "custom" ], "type": "string", "description": "Which license policy to apply: 'permissive' flags copyleft licenses as high risk, 'copyleft-ok' treats copyleft as medium risk, 'custom' uses allowList/denyList.", "default": "permissive" }, "allowList": { "title": "Allowed Licenses (custom policy)", "type": "array", "description": "SPDX identifiers to treat as approved (only used when licensePolicy=custom).", "default": [], "items": { "type": "string" } }, "denyList": { "title": "Denied Licenses (custom policy)", "type": "array", "description": "SPDX identifiers to treat as denied (only used when licensePolicy=custom).", "default": [], "items": { "type": "string" } }, "maxDepth": { "title": "Max Dependency Depth", "minimum": 0, "maximum": 3, "type": "integer", "description": "Maximum transitive dependency depth to crawl (0 = direct only, 1 = one level deep, etc.).", "default": 1 }, "includeDevDeps": { "title": "Include devDependencies", "type": "boolean", "description": "Also audit devDependencies of each package.", "default": false }, "concurrency": { "title": "Concurrency", "minimum": 1, "maximum": 10, "type": "integer", "description": "Number of parallel requests", "default": 5 }, "timeoutMs": { "title": "Timeout (ms)", "minimum": 1000, "maximum": 30000, "type": "integer", "description": "Request timeout in milliseconds", "default": 15000 }, "delivery": { "title": "Delivery", "enum": [ "dataset", "webhook" ], "type": "string", "description": "Where to send results: dataset or webhook", "default": "dataset" }, "webhookUrl": { "title": "Webhook URL", "type": "string", "description": "Webhook URL to POST results to (if delivery=webhook)" }, "dryRun": { "title": "Dry Run", "type": "boolean", "description": "Run without saving results (for testing)", "default": false } } }, "runsResponseSchema": { "type": "object", "properties": { "data": { "type": "object", "properties": { "id": { "type": "string" }, "actId": { "type": "string" }, "userId": { "type": "string" }, "startedAt": { "type": "string", "format": "date-time", "example": "2025-01-08T00:00:00.000Z" }, "finishedAt": { "type": "string", "format": "date-time", "example": "2025-01-08T00:00:00.000Z" }, "status": { "type": "string", "example": "READY" }, "meta": { "type": "object", "properties": { "origin": { "type": "string", "example": "API" }, "userAgent": { "type": "string" } } }, "stats": { "type": "object", "properties": { "inputBodyLen": { "type": "integer", "example": 2000 }, "rebootCount": { "type": "integer", "example": 0 }, "restartCount": { "type": "integer", "example": 0 }, "resurrectCount": { "type": "integer", "example": 0 }, "computeUnits": { "type": "integer", "example": 0 } } }, "options": { "type": "object", "properties": { "build": { "type": "string", "example": "latest" }, "timeoutSecs": { "type": "integer", "example": 300 }, "memoryMbytes": { "type": "integer", "example": 1024 }, "diskMbytes": { "type": "integer", "example": 2048 } } }, "buildId": { "type": "string" }, "defaultKeyValueStoreId": { "type": "string" }, "defaultDatasetId": { "type": "string" }, "defaultRequestQueueId": { "type": "string" }, "buildNumber": { "type": "string", "example": "1.0.0" }, "containerUrl": { "type": "string" }, "usage": { "type": "object", "properties": { "ACTOR_COMPUTE_UNITS": { "type": "integer", "example": 0 }, "DATASET_READS": { "type": "integer", "example": 0 }, "DATASET_WRITES": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_READS": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_WRITES": { "type": "integer", "example": 1 }, "KEY_VALUE_STORE_LISTS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_READS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_WRITES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_INTERNAL_GBYTES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_EXTERNAL_GBYTES": { "type": "integer", "example": 0 }, "PROXY_RESIDENTIAL_TRANSFER_GBYTES": { "type": "integer", "example": 0 }, "PROXY_SERPS": { "type": "integer", "example": 0 } } }, "usageTotalUsd": { "type": "number", "example": 0.00005 }, "usageUsd": { "type": "object", "properties": { "ACTOR_COMPUTE_UNITS": { "type": "integer", "example": 0 }, "DATASET_READS": { "type": "integer", "example": 0 }, "DATASET_WRITES": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_READS": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_WRITES": { "type": "number", "example": 0.00005 }, "KEY_VALUE_STORE_LISTS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_READS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_WRITES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_INTERNAL_GBYTES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_EXTERNAL_GBYTES": { "type": "integer", "example": 0 }, "PROXY_RESIDENTIAL_TRANSFER_GBYTES": { "type": "integer", "example": 0 }, "PROXY_SERPS": { "type": "integer", "example": 0 } } } } } } } } } } ```