Aikido
License Risk

Manage Open-Source License Risk & SBOMs

Identify risky open-source licenses in your dependencies and generate SBOMs for compliance.

  • Get a full overview of all licenses in use
  • Adjust license risk scoring & filter out internal licenses
  • Generate an SBOM (Software Bill Of Materials)
Your data won't be shared · Read-only access · No CC required
Dashboard with autofixes tab

"With Aikido, we can fix an issue in just 30 seconds – click a button, merge the PR, and it’s done."

"Aikido's auto-remediation feature is a huge time-saver for our teams. It cuts through the noise, so our developers can focus on what really matters."

“With Aikido, security is just part of the way we work now. It’s fast, integrated, and actually helpful for developers.”

Chosen by 25,000+ orgs worldwide

Importance of License Risk

Why License Scanning Matters

down arrow

Some open-source licenses have clauses that could force you to open-source your own code.

It’s crucial to ensure none of your dependencies carry licenses that threaten your business’s IP.

License scanning also prepares you to provide SBOMs during security audits.

Vanta

Get an Overview on License Risk

Get a complete overview of all licenses in use and the risk associated with each.

Vanta

Easily Export SBOMs

Export a CycloneDX SBOM with one click (or a CSV list, if needed).

Features

License scanning features

Generate SBOMs Instantly

Security audits often demand a full SBOM. Aikido lets you analyze, review, and export your software bill of materials anytime—in CycloneDX, SPDX, or CSV formats.

Aikido create sbom

Actionable License Insights

License noise is overwhelming. Aikido filters the signal using an LLM-powered engine and multiple data sources to score severity. Risky licenses rise to the top—so you can act fast, assign tasks, and clean up your SBOM as you go.

Flexible License Risk Controls

Easily adjust how license risk is scored. You can mark certain licenses as “internal” to filter them out of your reports.

No Legal Jargon, Just License Facts

Aikido’s vetted license database translates complex legal jargon into plain, actionable language. Quickly understand each license’s obligations and risks.

Full License Coverage, Including Containers

Most license tools only scan your repositories. Aikido gives you full coverage by scanning the licenses inside your container images as well.

Virtual Machine Scanning

Meet Software Compliance Standards

Regulators are increasingly focused on software transparency. Aikido makes it easy to generate SBOMs (Software Bill of Materials) to meet key compliance requirements around software supply chain security.

Clear Copyright Attribution

Automatically includes accurate copyright info for every component—so legal teams can review, verify, and comply without digging through source files.

1{
2  "name": "react",
3  "version": "18.2.0",
4  "licenses": [{ "license": { "id": "MIT" } }],
5  "purl": "pkg:npm/react@18.2.0",
6  "copyright":
7    "Copyright (c) Facebook, Inc. and its affiliates."
8}

Full Coverage in One Platform

Replace your scattered toolstack with one platform that does it all—and shows you what matters.

Code

Dependencies

Find vulnerable open-source packages in your dependencies, including transitive ones.

Learn more
Cloud

Cloud (CSPM)

Detects cloud infrastructure risks (misconfigurations, VMs, Container images) across major cloud providers.

Learn more
Code

Secrets

Checks your code for leaked and exposed API keys, passwords, certificates, encryption keys, etc...

Learn more
Code

Static Code Analysis (SAST)

Scans your source code for security risks before an issue can be merged.

Learn more
Code

Infrastructure as Code Scanning (IaC)

Scans Terraform, CloudFormation & Kubernetes infrastructure-as-code for misconfigurations.

Learn more
Test

Dynamic Testing (DAST)

Dynamically tests your web app’s front-end & APIs to find vulnerabilities through simulated attacks.

Learn more
Code

License Risk & SBOMs

Monitors your licenses for risks such as dual licensing, restrictive terms, bad reputation, etc... And generate SBOMs.

Learn more
Code

Outdated Software (EOL)

Checks if any frameworks & runtimes you are using are no longer maintained.

Learn more
Cloud

Container Images

Scans your container images for packages with security issues.

Learn more
Code

Malware

Prevent malicious packages from infiltrating your software supply chain. Powered by Aikido Intel.

Learn more
Test

API Scanning

Automatically map out and scan your API for vulnerabilities.

Learn more
Cloud

Virtual Machines

Scans your virtual machines for vulnerable packages, outdated runtimes and risky licenses.

Learn more
Defend

Runtime Protection

An in-app firewall for peace of mind. Automatically block critical injection attacks, introduce API rate limiting & more

Learn more
Code

IDE Integrations

Fix issues as you code– not after. Get in-line advice to fix vulnerabilities before commit.

Learn more
Code

On-Prem Scanner

Run Aikido’s scanners inside your environment.

Learn more
Code

CI/CD Security

Automate security for every build & deployment.

Learn more
Cloud

AI Autofix

One-click fixes for SAST, IaC, SCA & containers.

Learn more
Cloud

Cloud Asset Search

Search your entire cloud environment with simple queries to instantly find risks, misconfigurations, and exposures.

Learn more

Has Aikido itself been security tested?

Yes — we run yearly third-party pentests and maintain a continuous bug bounty program to catch issues early.

Can I also generate an SBOM?

Yes - you can export a full SBOM in CycloneDX, SPDX, or CSV format with one click. Just open the Licenses & SBOM report to see all your packages and licenses.

What do you do with my source code?

Aikido does not store your code after analysis has taken place. Some of the analysis jobs such as SAST or Secrets Detection require a git clone operation. More detailed information can be found on docs.aikido.dev.

Can I try Aikido without giving access to my own code?

Yes - you can connect a real repo (read-only access), or use our public demo project to explore the platform. All scans are read-only and Aikido never makes changes to your code. Fixes are proposed via pull requests you review and merge.

I don’t want to connect my repository. Can I try it with a test account?

Of course! When you sign up with your git, don’t give access to any repo & select the demo repo instead!

Does Aikido make changes to my codebase?

We can’t & won’t, this is guaranteed by read-only access.

Review

“Aikido makes your security one of your USPs thanks to their integrated automated reporting solution, which helps for ISO & SOC2 certification”

Fabrice G

Managing director at Kadonation

Get secure for free

Secure your code, cloud, and runtime in one central system.
Find and fix vulnerabilities fast automatically.

No credit card required |Scan results in 32secs.