Licenses are like legal gremlins. Feed them after midnight, and you might end up with a monster on your hands. So, let’s tame them together before they become a problem.

As a SaaS founder, you might already know that investors scrutinise software licenses during due diligence. They don't just do it to check boxes—certain licenses can actually force you to open-source your code, putting your entire business value at risk. Heard about the recent Wordpress drama? Nobody wants that kind of surprise.

Diving into licenses and SBOMs might feel daunting and deeply technical, but it’s crucial to understand the potential implications and how you can mitigate these risks. For more on how to prepare for investor scrutiny, check out our guide on how to prepare your startup for your next due diligence

Why licensing matters in due diligence

Imagine you’re gearing up to sell your company or bring in a big round of funding. The champagne is on ice, and you’re ready to pop the cork. Then, an investor drops the bomb: "We’ve found a little licensing issue that might require you to open-source your entire codebase." Oof, talk about a party killer. 

Investors and potential buyers look at licensing as part of their audit process because it helps them identify any red flags that might affect your company’s valuation or scalability. Software licenses, particularly those associated with open-source components, can sometimes include terms that require your codebase to be open-sourced under specific conditions—a nightmare for anyone trying to keep their intellectual property proprietary.

By scanning your software's licenses proactively, you can ensure that no unwanted open-source clauses are lurking in your dependencies. This kind of preparation is crucial, especially as Software Bill of Materials (SBOM) requests become more common during audits.

What is an SBO, and why should you care?

An SBOM is like the ingredient list on the back of a cereal box, except instead of "sugar" and "oats," it lists things like "lodash v4.17.21" and "react v18.0.0."A Software Bill of Materials (SBOM) is essentially a detailed list of all the components, libraries, and dependencies used in your software. And just like food labels help people with allergies, SBOMs help investors and regulators understand what’s inside your software.

The importance of SBOMs has grown significantly, particularly due to regulatory developments. Since 2021, the U.S. Executive Order on Improving the Nation’s Cybersecurity has required any software supplied to the federal government to include an SBOM. No SBOM? No federal contracts. Similar regulations are being developed in the EU, such as the upcoming Cyber Resilience Act (CRA), which will mandate SBOMs for software products. This means the ability to produce an SBOM could soon be a legal necessity if you want to sell in these markets. So, unless your SaaS targets an audience that exists exclusively on Mars, SBOMs are something to care about.

How to create an SBOM and scan for license issues

The good news? You don’t need to do all of this manually—there are tools out there to save you from SBOM-induced nightmares. Let’s take a look at some options:

  • GitHub: If you're already using GitHub, it has built-in tools to export an SBOM for your repository, making it easy to understand your supply chain. You can learn more about it here.
  • Anchore Syft: This open-source tool can generate an SBOM for your projects, and it won’t cost you a dime (other than maybe some grey hairs).
  • Aikido: If you want something a bit fancier, Aikido offers a more feature-rich, commercial solution. It helps you get a comprehensive overview of the licenses you're using, adjust license risks, filter internal licenses, and generate an SBOM—all while giving you that "I’ve got everything under control" feeling. Check it out here.

Proactive strategies to stay compliant

Don’t wait until an investor asks you to pull out an SBOM or gets stuck on some weird open-source clause—get ahead of the game. Here’s how:

  • Integrate compliance tools: Ask your dev team to include tools like Anchore Syft or the GitHub SBOM generator early in the development process. It will really save you time in the long run.
  • Allowlist licenses: Set rules to allow only specific licenses to be used in your project. This ensures that potentially problematic open-source licenses don’t sneak their way into your product.
  • Use dedicated license checkers: For PHP projects, you could use tools like our own License Checker PHP. Shameless plug? Maybe. But hey, it’s free and designed to help teams stay compliant easily, and who doesn’t love easy?

Our knowledgebase & CTO coaching

If you or your CTO is struggling with managing these complexities, you're not alone. Licensing, SBOMs, and compliance are challenging topics that require both technical know-how and strategic thinking. If you're unsure where to start or want to discuss how to implement these measures effectively, please reach out. We're here to help founders and CTOs like you navigate these complexities without losing focus on building great software.

Our blog is filled with resources and guides for founders and technical leaders on creating effective SaaS teams, offering valuable insights into building a strong, distributed workforce while tackling all the challenges of running a SaaS business.

But sometimes, you can't figure it out by yourself. Then, it helps to have a trusted advisor to guide you through the process and help you keep the overview. Our CTO Soundboard offers coaching and support for CTOs and technical leaders who need a sounding board for tackling issues like these. We’re here to help your technical leadership grow stronger and more confident, ensuring your company’s success. And this can be done completely behind the scenes, too, if you want.

Be prepared for due diligence and future regulations

Preparing an SBOM and managing your software licenses proactively not only reduces risk during due diligence but also helps you comply with emerging regulations. It’s about building a resilient foundation so that when investors look closely, your software holds no surprises—just good, solid code that screams, "Invest in me!"

Plus, if you have a proactive approach, your investors will see that you’re not just building cool software, you’re building a well-thought-out, scalable business. That’s the kind of story they want to hear.