FINS icon

FINS

kotlinlicensingsbomsupply-chaincli

FINS (FOSS Inspection & Notice Scanner) audits the open-source licences your dependencies drag in. For each one it reads the declared licence, checks it against a policy you define (allow, review, or deny), and compares that declared licence against the one the package actually ships in its LICENSE file. When those two disagree, or when neither exists, it says so and marks the dependency for review instead of guessing.

It handles 11 ecosystems: npm, PyPI, Maven, Composer, pub for Dart and Flutter, NuGet, Go modules, cargo, Conan and vcpkg for C/C++, and Hex for Elixir and Erlang. It also reads and writes CycloneDX and SPDX SBOMs, so it fits inside a supply-chain workflow rather than sitting next to one.

The engine is a Kotlin/JVM library called core. On top of it sit a command-line tool (cli, also shipped as a GraalVM native binary, a container image, and a GitLab CI/CD component) and a Compose desktop app. The core is written reflection-free and exception-driven: errors surface as typed domain exceptions rather than sentinel values or nulls.

Releases come from GPG-signed tags, each shipping an SBOM and cosign signatures, and FINS audits its own dependencies in CI.