How Stateward protects you against copyleft & source-available license risk
The threat
A single new dependency under GPL/AGPL or a source-available license (SSPL, BUSL, Elastic, Commons-Clause) can impose obligations on your whole product — a legal problem that surfaces at the worst possible time.
How Stateward catches it
Stateward flags copyleft and non-OSI source-available licenses introduced via an SPDX id, a manifest license field, or a LICENSE file. Detection is gated to declaration contexts, so a license merely mentioned in prose never fires a false positive, and it is word-boundary aware, so LGPL is not mistaken for GPL.
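As an added illustration (not Stateward's own code), here is a small Python classifier that applies the two rules above: it reads only declared license values (a manifest's license field or a LICENSE file's title line, never prose) and matches the GPL family with word boundaries so LGPL is not mistaken for GPL. The license sets and sample inputs are constructed for the example.

```python
import json
import re

# Constructed policy sets for this example; they are not Stateward's lists.
COPYLEFT = {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only", "GPL-3.0-or-later",
            "AGPL-3.0-only", "AGPL-3.0-or-later"}
SOURCE_AVAILABLE = {"SSPL-1.0", "BUSL-1.1", "Elastic-2.0", "Commons-Clause"}

# Fallback for free-form spellings ("GPLv3", "GNU General Public License").
# The negative lookbehind rejects a preceding letter, so "LGPL" / "LGPLv3" never
# match, and the tail accepts only "v<digit>" or a non-letter after "GPL".
GPL_FAMILY = re.compile(
    r"(?<![A-Za-z])A?GPL(?:v\d|(?![A-Za-z]))|GNU (?:Affero )?General Public", re.I)

def classify_license(declared):
    """Return 'copyleft', 'source-available' or 'other' for one declared license value."""
    # Split an SPDX expression on its upper-case operators so "MIT OR GPL-2.0-only"
    # is checked per id; the split is case-sensitive so "-or-later" stays intact.
    ids = [t.strip("() ") for t in re.split(r"\b(?:AND|OR|WITH)\b", declared)]
    verdict = "other"
    for lic in filter(None, ids):
        if lic in COPYLEFT or GPL_FAMILY.search(lic):
            return "copyleft"  # strongest finding wins, even inside an OR choice
        if lic in SOURCE_AVAILABLE:
            verdict = "source-available"
    return verdict

def scan_manifest(manifest_json):
    """Declaration-context gate: read only the manifest's license field, so a
    description that merely mentions GPL cannot fire."""
    declared = json.loads(manifest_json).get("license")
    return classify_license(declared) if isinstance(declared, str) else None

def scan_license_file(text):
    """Treat the first non-blank line of a LICENSE file as the declaration."""
    for line in text.splitlines():
        if line.strip():
            return classify_license(line.strip())
    return None

# Constructed samples: the manifest mentions GPL only in prose and declares LGPL.
SAMPLE_MANIFEST = '{"name": "demo", "license": "LGPL-3.0-only", "description": "plays well with GPL tools"}'
SAMPLE_LICENSE = "          GNU GENERAL PUBLIC LICENSE\n             Version 3, 29 June 2007\n"

if __name__ == "__main__":
    print(scan_manifest(SAMPLE_MANIFEST))     # other
    print(scan_license_file(SAMPLE_LICENSE))  # copyleft
```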
Recent advisories of this class
- GHSA-HHPQ-7WG4-36JM (medium): CakePHP Authentication: Open redirect weakness via backslash bypass
- GHSA-8FQ9-273G-6MRG (critical): Avo: Missing Authorization in Avo Association Attach Endpoint Allows Unauthorized Relationship Manipulation and Privilege Escalation
- GHSA-X2QC-CMH9-F4HF (medium): Deno: Denial of service via non-ASCII bytes in WebSocket response headers
- GHSA-2F55-G35J-5JMF (critical): HAPI FHIR: XXE in XsltUtilities.saxonTransform via unhardened Saxon TransformerFactory
Check your own repo for this
Connect a repo and Stateward reviews your next pull request — read-only, free for individuals and open source.
Built to be trusted with your code
Read-only & ephemeral
Stateward can comment, but never pushes, merges or stores your keys.
EU-sovereign hosting
Code and security data stay EU-hosted via Citadea — built for NIS2, DORA and the CRA.
Whole-codebase aware
Reasons over your call graph and trust boundaries, not just the diff.
Stateward is in beta and onboarding design partners. Built by Yggdrasil Digital.