A fast and extensible license compliance scanner for project dependencies across multiple ecosystems.
- Multi-Ecosystem Support: Analyze dependencies from:
  - Go (`go.mod`)
  - Node.js (`package.json`)
  - Python (`requirements.txt`)
  - PHP (`composer.json`)
- Comprehensive Reporting: Generate reports in JSON and Markdown formats
- Configurable Rules: Define incompatible and risky licenses via a config file
- CI/CD Friendly: Exit codes and strict mode for pipeline integration
- Extensible Architecture: Easy to add support for new package managers
Build from source:

```bash
git clone https://github.com/BaseMax/go-license-audit.git
cd go-license-audit
go build -o go-license-audit .
```

Or install with `go install`:

```bash
go install github.com/BaseMax/go-license-audit@latest
```

Analyze the current directory:

```bash
./go-license-audit
```

Analyze a specific project:

```bash
./go-license-audit -path /path/to/project
```

Generate both JSON and Markdown reports (default):

```bash
./go-license-audit -format both -output ./reports
```

Generate only JSON:

```bash
./go-license-audit -format json -output ./reports
```

Generate only Markdown:

```bash
./go-license-audit -format markdown -output ./reports
```

Use strict mode to fail the build if incompatible or risky licenses are found:

```bash
./go-license-audit -strict -path . -format json -output ./reports
```

Exit codes:

- `0`: Success (no incompatible or risky licenses found, or not in strict mode)
- `1`: Failure (incompatible or risky licenses found in strict mode, or an error occurred)

Note that exit code `1` also covers tool errors, so a pipeline that needs to tell a policy violation from a broken run should inspect the generated report rather than rely on the exit code alone.
Create a config.json file to customize license rules:
```json
{
  "incompatible_licenses": [
    "GPL-2.0",
    "GPL-3.0",
    "AGPL-3.0"
  ],
  "risky_licenses": [
    "MPL-2.0",
    "EPL-1.0",
    "EPL-2.0"
  ],
  "allowed_licenses": [
    "MIT",
    "Apache-2.0",
    "BSD-2-Clause",
    "BSD-3-Clause",
    "ISC"
  ]
}
```

Use the config file:

```bash
./go-license-audit -config config.json
```

| Option | Default | Description |
|---|---|---|
| `-path` | `.` | Path to the project directory |
| `-config` | (none) | Path to configuration file (uses defaults if not specified) |
| `-format` | `both` | Output format: `json`, `markdown`, or `both` |
| `-output` | `.` | Output directory for reports |
| `-strict` | `false` | Exit with error code if incompatible or risky licenses are found |
```json
{
  "project_path": "/path/to/project",
  "dependencies": [
    {
      "name": "github.com/example/package",
      "version": "v1.2.3",
      "license": "MIT",
      "license_type": "detected",
      "ecosystem": "go",
      "risk": "safe"
    }
  ],
  "incompatible_dependencies": [],
  "risky_dependencies": [],
  "timestamp": "2024-01-01T12:00:00Z"
}
```

The Markdown report includes:

- Summary statistics
- Incompatible licenses table (❌)
- Risky licenses table (⚠️)
- All dependencies with risk indicators
- License distribution chart
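A downstream gate that consumes this JSON report, as an added example that is not part of go-license-audit: it re-applies the `config.json` rules above to each dependency's `license` field rather than trusting the report's own `risk` column, matches identifiers case-insensitively (registries are not consistent about SPDX casing), and, as a policy choice of this example rather than documented tool behaviour, treats an empty or unlisted license as a failure in strict mode. The report and rules are constructed inline so it runs offline.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Rules mirrors the config.json shape shown above.
type Rules struct {
	Incompatible []string `json:"incompatible_licenses"`
	Risky        []string `json:"risky_licenses"`
	Allowed      []string `json:"allowed_licenses"`
}

// Dependency mirrors one entry of the report's "dependencies" array.
type Dependency struct {
	Name        string `json:"name"`
	Version     string `json:"version"`
	License     string `json:"license"`
	LicenseType string `json:"license_type"`
	Ecosystem   string `json:"ecosystem"`
	Risk        string `json:"risk"`
}

// Report mirrors the top level of the JSON report.
type Report struct {
	ProjectPath  string       `json:"project_path"`
	Dependencies []Dependency `json:"dependencies"`
}

// Classify maps a license identifier to "incompatible", "risky", "safe" or
// "unknown". A license that appears in no list is "unknown" rather than "safe":
// an empty or unrecognised license field is exactly what a gate must not wave through.
func Classify(license string, r Rules) string {
	id := strings.TrimSpace(license)
	if id == "" {
		return "unknown"
	}
	in := func(list []string) bool {
		for _, l := range list {
			if strings.EqualFold(l, id) {
				return true
			}
		}
		return false
	}
	switch {
	case in(r.Incompatible):
		return "incompatible"
	case in(r.Risky):
		return "risky"
	case in(r.Allowed):
		return "safe"
	}
	return "unknown"
}

// Gate re-applies the rules to every dependency and returns, sorted, the names
// that should fail the build. With strict=true an unknown license also fails.
func Gate(reportJSON, rulesJSON []byte, strict bool) ([]string, error) {
	var rep Report
	if err := json.Unmarshal(reportJSON, &rep); err != nil {
		return nil, fmt.Errorf("report: %w", err)
	}
	var rules Rules
	if err := json.Unmarshal(rulesJSON, &rules); err != nil {
		return nil, fmt.Errorf("rules: %w", err)
	}
	var failing []string
	for _, d := range rep.Dependencies {
		switch Classify(d.License, rules) {
		case "incompatible", "risky":
			failing = append(failing, d.Name)
		case "unknown":
			if strict {
				failing = append(failing, d.Name)
			}
		}
	}
	sort.Strings(failing)
	return failing, nil
}

// Constructed sample inputs in the shapes documented above (not real scan output).
var (
	sampleRules  = []byte(`{"incompatible_licenses":["GPL-3.0","AGPL-3.0"],
	  "risky_licenses":["MPL-2.0"],"allowed_licenses":["MIT","Apache-2.0"]}`)
	sampleReport = []byte(`{"project_path":"/tmp/demo","dependencies":[
	  {"name":"github.com/a/lib","version":"v1.0.0","license":"MIT","license_type":"detected","ecosystem":"go","risk":"safe"},
	  {"name":"example-ui","version":"1.3.0","license":"mpl-2.0","license_type":"detected","ecosystem":"npm","risk":"risky"},
	  {"name":"copyleft-lib","version":"2.0.0","license":"AGPL-3.0","license_type":"detected","ecosystem":"pypi","risk":"incompatible"},
	  {"name":"mystery-lib","version":"0.1.0","license":"","license_type":"unknown","ecosystem":"composer","risk":"unknown"}],
	  "incompatible_dependencies":[],"risky_dependencies":[],"timestamp":"2024-01-01T12:00:00Z"}`)
)

func main() {
	failing, err := Gate(sampleReport, sampleRules, true)
	if err != nil {
		panic(err)
	}
	fmt.Println("failing dependencies:", failing)
}
```

Run with `go run .`; with the sample above, strict mode fails `copyleft-lib`, `example-ui` and `mystery-lib`, while non-strict mode lets the unknown license through.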
Go (`go.mod`): parses `go.mod` files and detects licenses via the deps.dev API.

Node.js (`package.json`): parses `package.json`, including both `dependencies` and `devDependencies`, and detects licenses from the npm registry.

Python (`requirements.txt`): parses `requirements.txt` with support for the various version specifiers (`==`, `>=`, `~=`, etc.) and detects licenses from PyPI.

PHP (`composer.json`): parses `composer.json`, including both `require` and `require-dev` sections, and detects licenses from Packagist.

The tool automatically detects licenses by querying public registries, so it needs outbound network access from wherever it runs, and the result is only as accurate as the license metadata the publisher declared in the registry:
- npm: registry.npmjs.org
- PyPI: pypi.org
- Go: deps.dev API
- Packagist: repo.packagist.org
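Registry metadata is not uniform, which is where most license-detection mistakes come from. As an added example (not the project's detector in `pkg/license/detector.go`), the code below extracts a license identifier from an npm packument and from a PyPI JSON response, handling the shapes each registry actually serves: npm's `license` can be an SPDX string or an older `{"type": ...}` object, with some very old packages only carrying a `licenses` array, and PyPI's `info.license` is free text (often empty or a whole license body), so the `License :: ...` trove classifier is preferred. The classifier-to-SPDX map and the sample responses are constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// npmLicense returns the license identifier of one version from an npm registry
// packument (registry.npmjs.org/<name>). "license" is either an SPDX string or, on
// older publishes, an object {"type": ..., "url": ...}; very old packages may only
// carry a deprecated "licenses" array of such objects.
func npmLicense(packument []byte, version string) (string, error) {
	var doc struct {
		Versions map[string]struct {
			License  json.RawMessage                  `json:"license"`
			Licenses []struct{ Type string `json:"type"` } `json:"licenses"`
		} `json:"versions"`
	}
	if err := json.Unmarshal(packument, &doc); err != nil {
		return "", err
	}
	v, ok := doc.Versions[version]
	if !ok {
		return "", fmt.Errorf("npm: version %s is not published", version)
	}
	var s string
	if json.Unmarshal(v.License, &s) == nil && s != "" {
		return s, nil
	}
	var obj struct{ Type string `json:"type"` }
	if json.Unmarshal(v.License, &obj) == nil && obj.Type != "" {
		return obj.Type, nil
	}
	if len(v.Licenses) > 0 && v.Licenses[0].Type != "" {
		return v.Licenses[0].Type, nil
	}
	return "", fmt.Errorf("npm: no license metadata for %s", version)
}

// classifierToSPDX maps trove classifiers that name a single SPDX license. "BSD
// License" and "Apache Software License" do not say which clause count or version,
// so they are deliberately absent and come back as the raw classifier text.
var classifierToSPDX = map[string]string{
	"MIT License":                          "MIT",
	"ISC License (ISCL)":                   "ISC",
	"GNU Affero General Public License v3": "AGPL-3.0",
}

// pypiLicense extracts a license from a PyPI JSON API response (pypi.org/pypi/<name>/json).
// The "License :: ..." classifier is preferred; the free-text "info.license" field is
// only accepted when it looks like an identifier rather than a license body.
func pypiLicense(resp []byte) (string, error) {
	var doc struct {
		Info struct {
			License     string   `json:"license"`
			Classifiers []string `json:"classifiers"`
		} `json:"info"`
	}
	if err := json.Unmarshal(resp, &doc); err != nil {
		return "", err
	}
	for _, c := range doc.Info.Classifiers {
		if !strings.HasPrefix(c, "License :: ") {
			continue
		}
		parts := strings.Split(c, " :: ")
		name := parts[len(parts)-1]
		if spdx, ok := classifierToSPDX[name]; ok {
			return spdx, nil
		}
		return name, nil
	}
	if l := strings.TrimSpace(doc.Info.License); l != "" && len(l) <= 64 && !strings.Contains(l, "\n") {
		return l, nil
	}
	return "", fmt.Errorf("pypi: no usable license metadata")
}

// Constructed sample responses shaped like the registries' JSON (not real packages).
var (
	sampleNpm = []byte(`{"name":"demo","versions":{
	  "1.0.0":{"license":"MIT"},
	  "0.9.0":{"license":{"type":"BSD-3-Clause","url":"https://example.invalid/LICENSE"}},
	  "0.1.0":{"licenses":[{"type":"ISC"}]},
	  "0.0.1":{"license":null}}}`)
	samplePyPI = []byte(`{"info":{"license":"Copyright (c) 2020\nPermission is hereby granted...",
	  "classifiers":["Programming Language :: Python :: 3","License :: OSI Approved :: MIT License"]}}`)
	samplePyPIFreeText = []byte(`{"info":{"license":"Apache-2.0","classifiers":[]}}`)
)

func main() {
	for _, v := range []string{"1.0.0", "0.9.0", "0.1.0", "0.0.1"} {
		l, err := npmLicense(sampleNpm, v)
		fmt.Printf("npm %s: %q %v\n", v, l, err)
	}
	l, err := pypiLicense(samplePyPI)
	fmt.Printf("pypi: %q %v\n", l, err)
}
```

Whatever a detector returns for a package with no usable metadata, it should be an explicit error or an "unknown" marker, never a default of "safe".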
Incompatible licenses (default rules):

- GPL-2.0, GPL-3.0
- AGPL-3.0, AGPL-1.0
- LGPL-2.0, LGPL-2.1, LGPL-3.0
- SSPL
- Commons Clause

Risky licenses (default rules):

- MPL-2.0
- EPL-1.0, EPL-2.0
- CDDL-1.0
- CPL-1.0
- OSL-3.0

Allowed licenses (default rules):

- MIT
- Apache-2.0
- BSD-2-Clause, BSD-3-Clause
- ISC
- 0BSD
- Unlicense
- CC0-1.0
Contributions are welcome! To add support for a new package manager:
- Implement the `Parser` interface in `pkg/parser/parser.go`
- Add license detection logic in `pkg/license/detector.go`
- Register the parser in the `GetParsers()` function
- Update documentation
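As an added example of the first step (written for this README, not the project's own `pkg/parser` code), here is a `requirements.txt` parser of the kind the Python section above describes. The `Parser` interface and `Dependency` struct are assumed shapes; the real ones in `pkg/parser/parser.go` may differ. The parser handles the cases that trip up naive line splitting: comments, pip option lines (`-r`, `-e`, `--index-url`), backslash continuations, extras such as `[security]`, environment markers after `;`, `name @ url` direct references, and PEP 503 name normalization so that `Flask_SQLAlchemy` and `flask-sqlalchemy` are looked up as the same project. The sample file is constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"regexp"
	"strings"
)

// Dependency is the record a parser hands on to license detection.
type Dependency struct {
	Name    string // PEP 503 normalized project name
	Spec    string // raw version specifier such as ">=4.2,<5.0"
	Version string // exact version when pinned with == or ===, else ""
}

// Parser is an assumed shape for the project's interface (the real one in
// pkg/parser/parser.go may differ, e.g. take a directory instead of a reader).
type Parser interface {
	Ecosystem() string
	Parse(r io.Reader) ([]Dependency, error)
}

type RequirementsParser struct{}

func (RequirementsParser) Ecosystem() string { return "pypi" }

var (
	opRe        = regexp.MustCompile(`===|==|~=|!=|<=|>=|<|>`) // longest operators first
	normalizeRe = regexp.MustCompile(`[-_.]+`)
)

// projectName strips an extras clause such as "[security]" and applies PEP 503
// normalization (lower-case; runs of "-", "_" and "." become "-").
func projectName(s string) string {
	if i := strings.Index(s, "["); i >= 0 {
		s = s[:i]
	}
	return strings.ToLower(normalizeRe.ReplaceAllString(strings.TrimSpace(s), "-"))
}

// Parse handles comments, blank lines, pip options, backslash continuations,
// extras, environment markers and "name @ url" direct references.
func (RequirementsParser) Parse(r io.Reader) ([]Dependency, error) {
	var deps []Dependency
	sc, pending := bufio.NewScanner(r), ""
	for sc.Scan() {
		line := pending + sc.Text()
		pending = ""
		if strings.HasSuffix(line, `\`) {
			pending = strings.TrimSuffix(line, `\`)
			continue
		}
		// pip treats '#' as a comment only at line start or after whitespace,
		// which keeps "#egg=" fragments inside URLs intact.
		if i := strings.Index(line, " #"); i >= 0 {
			line = line[:i]
		}
		line = strings.TrimSpace(line)
		if line == "" || line[0] == '#' || line[0] == '-' {
			continue // blank, comment, or a pip option line such as -r/-e/--index-url
		}
		if i := strings.Index(line, ";"); i >= 0 { // drop the environment marker
			line = strings.TrimSpace(line[:i])
		}
		var d Dependency
		if i := strings.Index(line, "@"); i >= 0 { // direct reference: no resolvable version
			d.Name = projectName(line[:i])
		} else {
			name, spec := line, ""
			if loc := opRe.FindStringIndex(line); loc != nil {
				name, spec = line[:loc[0]], line[loc[0]:]
			}
			d.Name, d.Spec = projectName(name), strings.ReplaceAll(spec, " ", "")
			if strings.HasPrefix(d.Spec, "==") && !strings.ContainsAny(d.Spec, ",*") {
				d.Version = strings.TrimLeft(d.Spec, "=")
			}
		}
		if d.Name == "" {
			return nil, fmt.Errorf("unparseable requirement: %q", line)
		}
		deps = append(deps, d)
	}
	return deps, sc.Err()
}

// Constructed sample input (not from any real project).
const sampleRequirements = `# base deps
-r constraints.txt
requests[security]==2.31.0  # pinned
Django>=4.2,<5.0 ; python_version >= "3.10"
cryptography~=41.0
Flask_SQLAlchemy
pip-tools @ https://example.invalid/pip_tools-7.0.0.tar.gz
urllib3 \
  ==1.26.18
`

func main() {
	deps, err := RequirementsParser{}.Parse(strings.NewReader(sampleRequirements))
	fmt.Println(deps, err)
}
```

Only `==`/`===` pins yield a `Version`; ranges such as `>=4.2,<5.0` stay in `Spec`, because which version (and therefore which license text) actually gets installed is only known after resolution.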
This project is licensed under the MIT License - see the LICENSE file for details.
Max Base
- GitHub: @BaseMax
- Uses public package registries for license detection
- Built with extensibility and CI/CD integration in mind