diff --git a/.devcontainer/ubuntu-22.04/devcontainer.json b/.devcontainer/ubuntu-22.04/devcontainer.json
index af00d5b0..b577853d 100644
--- a/.devcontainer/ubuntu-22.04/devcontainer.json
+++ b/.devcontainer/ubuntu-22.04/devcontainer.json
@@ -1,7 +1,7 @@
 { "name": "Ubuntu-23.04", "build": { "dockerfile": "Dockerfile" },
-
+
 "customizations": { "vscode": { "extensions": [
diff --git a/.github/markdownlint.jsonc b/.github/markdownlint.jsonc
index 20417d20..a6fe1d1e 100644
--- a/.github/markdownlint.jsonc
+++ b/.github/markdownlint.jsonc
@@ -8,4 +8,4 @@
 "MD025": false,
 "MD034": false,
 "MD041": false
-}
\ No newline at end of file
+}
diff --git a/.github/workflows/check-copyright.yml b/.github/workflows/check-copyright.yml
new file mode 100644
index 00000000..530e0218
--- /dev/null
+++ b/.github/workflows/check-copyright.yml
@@ -0,0 +1,36 @@
+name: check copyright
+on:
+ pull_request:
+ paths:
+ - '.github/workflows/check-copyright.yml'
+ - '.pre-commit-config.yaml'
+ - 'scripts/check_copyright_notice.py'
+ - '**/*.go'
+ - '!**/docs/**/*'
+ - '!**/*.md'
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+permissions:
+ contents: read
+
+jobs:
+ copyright:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+ with:
+ egress-policy: audit
+
+ - name: Checkout devtools
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+ - name: Check copyright notice
+ run: |
+ pip install \
+ pre-commit \
+ comment-parser>=1.2.3
+ pre-commit run --all-files
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 2d7c4966..c5bc2dff 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -2,7 +2,7 @@
 name: Test
 on:
 workflow_dispatch:
- push:
+ push:
 branches: [main]
 pull_request:
 paths:
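Review bot: In the `Check copyright notice` step the specifier `comment-parser>=1.2.3` is passed to bash unquoted, so `>=1.2.3` is parsed as an output redirection: pip installs an unconstrained `comment-parser` and its stdout is written to a file named `=1.2.3` inside the checkout, which is not what the version bound intends. Quote it, `'comment-parser>=1.2.3'`, and since this job runs on every pull request, consider pinning both packages to exact versions (ideally via a requirements file with `--require-hashes`) so a fresh upstream release cannot change what the check executes — the actions in this same file are already SHA-pinned, so the pip line is the only unpinned input. The script this step runs also does `import magic`, which needs python-magic and the system libmagic; neither is installed here explicitly, so presumably they arrive transitively through comment-parser — worth a one-line comment next to `pip install` so the step does not break silently if that dependency chain changes.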
@@ -165,7 +165,7 @@ jobs:
 if: always()
 run: |
 go-junit-report -set-exit-code -in build/cpackgettests-${{ matrix.goos }}-amd64.txt -iocopy -out build/cpackget-testreport-${{ matrix.goos }}-amd64.xml
-
+
 - name: Publish coverage report to Code Climate
 if: ${{ startsWith(matrix.runs-on, 'ubuntu') && (github.workflow != 'Release') }}
 uses: paambaati/codeclimate-action@f429536ee076d758a24705203199548125a28ca7 # v9.0.0
@@ -191,10 +191,10 @@ jobs:
 uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
 with:
 egress-policy: audit
-
+
 - name: Check out repository code
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-
+
 - name: Install linux deps
 run: |
 sudo apt-get update
@@ -227,7 +227,7 @@ jobs:
 if: always()
 run: |
 go-junit-report -set-exit-code -in build/cpackgettests-linux-arm64.txt -iocopy -out build/cpackget-testreport-linux-arm64.xml
-
+
 - name: Archive unit test results
 uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
 with:
diff --git a/.github/workflows/tpip-check.yml b/.github/workflows/tpip-check.yml
index 5ef9dc31..6f9afd9d 100644
--- a/.github/workflows/tpip-check.yml
+++ b/.github/workflows/tpip-check.yml
@@ -46,7 +46,7 @@ jobs:
 run: |
 go-licenses report . --ignore github.com/Open-CMSIS-Pack/cpackget --template ../scripts/template/tpip-license.template > ../${{ env.report_name }}
 working-directory: ./cmd
-
+
 - name: Archive tpip report
 uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
 with:
@@ -97,4 +97,3 @@ jobs:
 delete-branch: true
 labels: TPIP
 reviewers: soumeh01
-
\ No newline at end of file
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 00000000..5faf9076
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,19 @@
+repos:
+- repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v4.5.0
+ hooks:
+ - id: end-of-file-fixer
+ name: Fix end of files
+ description: Ensures files end with a newline
+ - id: trailing-whitespace
+ name: Check for trailing whitespace
+ description: Fails and fix files with trailing whitespace
+
+- repo: local
+ hooks:
+ - id: check-copyright-notice
+ name: Check for copyright notice
+ description: Ensures source files include a copyright notice
+ entry: python3 scripts/check_copyright_notice.py
+ language: system
+ types: [go]
diff --git a/CHANGELOG.md b/CHANGELOG.md
index b4f7d5ad..0187b951 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,7 +9,7 @@ Bug fixes:
 - If PDSC file is no longer listed in index.pidx, it shall be removed from .Web folder
 - touch pack.idx after init command
 - refined --skip-touch option
-
+
 New features:
 - update-index: added option "-a" to download all missing PDSC files that are listed in index.pidx
@@ -32,7 +32,7 @@ Bug fixes:
 - cpackget add -f packlist.txt throws an error when the file is empty
 - Installing a local pack that does not exist triggers error message twice
 - add -f packs.txt: does not check if the required/dependent pack is installed already
-
+
 New features:
 - added --skip-touch flag to not touch pack.idx
diff --git a/SECURITY.md b/SECURITY.md
index e5e7f985..59cffa6d 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -1,3 +1,3 @@
-# Security
+# Security
 For reporting security issues, please follow the official guidelines outlined in [SECURITY.md](https://github.com/Open-CMSIS-Pack/cmsis-toolbox/blob/main/SECURITY.md).
diff --git a/cmd/cryptography/checksum.go b/cmd/cryptography/checksum.go
index 98627b52..9d280851 100755
--- a/cmd/cryptography/checksum.go
+++ b/cmd/cryptography/checksum.go
@@ -1,3 +1,6 @@
+/* SPDX-License-Identifier: Apache-2.0 */
+/* Copyright Contributors to the cpackget project. */
+
 package cryptography
 import (
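Review bot: `rev: v4.5.0` for `pre-commit/pre-commit-hooks` is a mutable tag, whereas every GitHub Action touched by this change is pinned to a full commit SHA with the version kept in a trailing comment; pinning the hook repo the same way (`rev: <full commit sha>  # v4.5.0`) keeps the two fixer hooks that rewrite files in CI from being swapped underneath the repository if the tag is ever moved. The local `check-copyright-notice` hook is declared `language: system`, so it silently assumes `comment_parser` and `magic` are already installed wherever pre-commit runs; declaring it `language: python` with `additional_dependencies: ['comment-parser>=1.2.3']` lets pre-commit build an isolated environment and makes the hook work for contributors without manual setup. Note also that `types: [go]` matches every Go file, while the workflow that runs this config only triggers on paths outside `**/docs/**`, so a pull request touching only a Go file under docs would not be checked — probably intentional, but worth a one-line comment on the hook.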
diff --git a/cmd/cryptography/signature.go b/cmd/cryptography/signature.go
index 61e85865..e6c71530 100644
--- a/cmd/cryptography/signature.go
+++ b/cmd/cryptography/signature.go
@@ -1,3 +1,6 @@
+/* SPDX-License-Identifier: Apache-2.0 */
+/* Copyright Contributors to the cpackget project. */
+
 package cryptography
 import (
diff --git a/cmd/cryptography/utils.go b/cmd/cryptography/utils.go
index 20993176..75ece7c2 100644
--- a/cmd/cryptography/utils.go
+++ b/cmd/cryptography/utils.go
@@ -1,3 +1,6 @@
+/* SPDX-License-Identifier: Apache-2.0 */
+/* Copyright Contributors to the cpackget project. */
+
 package cryptography
 import (
diff --git a/scripts/check_copyright_notice.py b/scripts/check_copyright_notice.py
new file mode 100644
index 00000000..febd79e4
--- /dev/null
+++ b/scripts/check_copyright_notice.py
@@ -0,0 +1,83 @@
+# -------------------------------------------------------
+# SPDX-License-Identifier: Apache-2.0
+# Copyright Contributors to the cpackget project.
+# -------------------------------------------------------
+
+"""
+Checks the presence of copyright notice in the files
+"""
+
+from typing import Optional, Sequence
+import argparse
+import os
+import sys
+import magic
+from comment_parser import comment_parser
+
+COPYRIGHT_TEXT = "Copyright Contributors to the cpackget project."
+LICENSE_TEXT = "SPDX-License-Identifier: Apache-2.0"
+
+def check_file(filename: str) -> int:
+ """
+ Checks a file for the presence of fixed copyright and license notices.
+ Args:
+ filename: The name of the file to check.
+ Returns:
+ 0 if both copyright and license are found, 1 otherwise.
+ """
+ if os.path.getsize(filename) == 0:
+ return 0
+
+ try:
+ mime_type = magic.from_file(filename, mime=True)
+ except Exception as e:
+ print(f"# Error reading MIME type of (unknown): {e}")
+ return 1
+
+ if mime_type == "text/plain":
+ mime_type = "text/x-c++"
+
+ try:
+ comments = "\n".join(comment.text() for comment in comment_parser.extract_comments(filename, mime=mime_type))
+ except Exception as e:
+ print(f"# Failed to parse comments in (unknown): {e}")
+ return 1
+
+ copyright_found = COPYRIGHT_TEXT in comments
+ license_found = LICENSE_TEXT in comments
+
+ if copyright_found and license_found:
+ return 0
+
+ print(f"# Copyright check error(s) in: (unknown)")
+ if not copyright_found:
+ print(f"\t# Missing or invalid copyright. Expected: {COPYRIGHT_TEXT}")
+ if not license_found:
+ print(f"\t# Missing or invalid license. Expected: {LICENSE_TEXT}")
+ return 1
+
+def main(argv: Optional[Sequence[str]] = None) -> int:
+ """
+ Entry point to check for copyright notices in the provided files.
+ Args:
+ argv: A list of filenames.
+ Returns:
+ Non-zero if any file is missing the required notice.
+ """
+ parser = argparse.ArgumentParser(description="Check for fixed copyright and license headers.")
+ parser.add_argument('filenames', nargs='*', help='Files to check.')
+ args = parser.parse_args(argv)
+
+ print("Checking copyright headers...")
+ ret = 0
+
+ for filename in args.filenames:
+ ret |= check_file(filename)
+
+ if ret != 0:
+ print(">> error: One or more files are missing a valid copyright or license header")
+
+ return ret
+
+if __name__ == '__main__':
+ sys.exit(main())
diff --git a/scripts/template/tpip-license.template b/scripts/template/tpip-license.template
index d8c59292..0a464c75 100644
--- a/scripts/template/tpip-license.template
+++ b/scripts/template/tpip-license.template
@@ -6,4 +6,4 @@
 | {{ .Name }} | {{ .Version }} | [{{ .LicenseName }}]({{ .LicenseURL }}) |
 {{- end }}
-Report generated and repository checked for [forbidden](https://github.com/google/licenseclassifier/blob/842c0d70d7027215932deb13801890992c9ba364/license_type.go#L323) and [restricted](https://github.com/google/licenseclassifier/blob/842c0d70d7027215932deb13801890992c9ba364/license_type.go#L176) licenses.
\ No newline at end of file
+Report generated and repository checked for [forbidden](https://github.com/google/licenseclassifier/blob/842c0d70d7027215932deb13801890992c9ba364/license_type.go#L323) and [restricted](https://github.com/google/licenseclassifier/blob/842c0d70d7027215932deb13801890992c9ba364/license_type.go#L176) licenses.
diff --git a/scripts/test-public-index b/scripts/test-public-index
index 79cf5ea7..c73f065b 100755
--- a/scripts/test-public-index
+++ b/scripts/test-public-index
@@ -1,5 +1,5 @@
 #!/bin/bash
-
+
 echo "Attempting to install all publicly available packs found in www.keil.com/pack/keil.vidx"
 echo "Warning: this should only be used from time to time (possibly before releases) because it'll download dozens of GB of files"
diff --git a/testdata/NewTimestamp.pidx b/testdata/NewTimestamp.pidx
index e58a5217..d4e9995c 100644
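Review bot: The three diagnostics in `check_file` print the literal text `(unknown)` where the offending path should be — `print(f"# Copyright check error(s) in: (unknown)")` is an f-string with no placeholder at all — so a failing run tells the developer that some file lacks a header but not which one; if that is genuinely what the source contains rather than an artifact of how this page was captured, each of those messages should interpolate `{filename}`. The `text/plain` → `text/x-c++` fallback assumes C-style comment syntax for any file libmagic cannot classify, which is acceptable while the hook is restricted to Go files but deserves a comment such as `# libmagic often reports Go sources as text/plain; Go shares C comment syntax`. Both `except Exception` blocks reduce the failure to a one-line message, so an unsupported MIME type from `comment_parser` is hard to distinguish from a real parse error; printing `type(e).__name__` alongside `e` would keep the output compact while preserving that distinction.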
--- a/testdata/NewTimestamp.pidx
+++ b/testdata/NewTimestamp.pidx
@@ -1,4 +1,4 @@
-
+
 Keil https://www.keil.com/pack/
diff --git a/testdata/OldTimestamp.pidx b/testdata/OldTimestamp.pidx
index d6c938b3..db02c6e5 100644
--- a/testdata/OldTimestamp.pidx
+++ b/testdata/OldTimestamp.pidx
@@ -1,4 +1,4 @@
-
+
 Keil https://www.keil.com/pack/
diff --git a/testdata/PackIndex.xsd b/testdata/PackIndex.xsd
index c7206449..b58af31b 100644
--- a/testdata/PackIndex.xsd
+++ b/testdata/PackIndex.xsd
@@ -1,22 +1,22 @@
-
+
diff --git a/testdata/integration/EmptyPublicIndex.pidx b/testdata/integration/EmptyPublicIndex.pidx
index eb033a43..002ec8aa 100644
--- a/testdata/integration/EmptyPublicIndex.pidx
+++ b/testdata/integration/EmptyPublicIndex.pidx
@@ -1,4 +1,4 @@
-
+
 TheVendor http://the.vendor/
diff --git a/testdata/integration/SamplePublicIndex.pidx b/testdata/integration/SamplePublicIndex.pidx
index 3c1d827a..d7428ea4 100644
--- a/testdata/integration/SamplePublicIndex.pidx
+++ b/testdata/integration/SamplePublicIndex.pidx
@@ -1,4 +1,4 @@
-
+
 TheVendor http://the.vendor/
diff --git a/testdata/integration/concurrent/SamplePublicIndex.pidx b/testdata/integration/concurrent/SamplePublicIndex.pidx
index c0f28fdd..bafc62c8 100644
--- a/testdata/integration/concurrent/SamplePublicIndex.pidx
+++ b/testdata/integration/concurrent/SamplePublicIndex.pidx
@@ -1,4 +1,4 @@
-
+
 TheVendor http://the.vendor/
diff --git a/testdata/integration/public_index/index.pidx b/testdata/integration/public_index/index.pidx
index dffe7f34..76b1ab48 100644
--- a/testdata/integration/public_index/index.pidx
+++ b/testdata/integration/public_index/index.pidx
@@ -1,4 +1,4 @@
-
+
 Keil
diff --git a/testdata/utils/test-listfile b/testdata/utils/test-listfile
index 6072519b..05164e3f 100644
--- a/testdata/utils/test-listfile
+++ b/testdata/utils/test-listfile
@@ -1,2 +1,2 @@
 pack1
-pack2
\ No newline at end of file
+pack2
diff --git a/third_party_licenses.md b/third_party_licenses.md
index 8ae60a25..27828b8d 100644
--- a/third_party_licenses.md
+++ b/third_party_licenses.md
@@ -39,4 +39,4 @@
 | golang.org/x/text | v0.25.0 | [BSD-3-Clause](https://cs.opensource.google/go/x/text/+/v0.25.0:LICENSE) |
 | gopkg.in/yaml.v3 | v3.0.1 | [MIT](https://github.com/go-yaml/yaml/blob/v3.0.1/LICENSE) |
-Report generated and repository checked for [forbidden](https://github.com/google/licenseclassifier/blob/842c0d70d7027215932deb13801890992c9ba364/license_type.go#L323) and [restricted](https://github.com/google/licenseclassifier/blob/842c0d70d7027215932deb13801890992c9ba364/license_type.go#L176) licenses.
\ No newline at end of file
+Report generated and repository checked for [forbidden](https://github.com/google/licenseclassifier/blob/842c0d70d7027215932deb13801890992c9ba364/license_type.go#L323) and [restricted](https://github.com/google/licenseclassifier/blob/842c0d70d7027215932deb13801890992c9ba364/license_type.go#L176) licenses.