22 releases (11 breaking)
new 0.23.0 | Dec 6, 2024 |
---|---|
0.22.0 | Jun 1, 2024 |
0.21.0 | May 23, 2023 |
0.20.0 | Mar 30, 2023 |
0.0.3 | Dec 30, 2021 |
#545 in Command line utilities
1,550 downloads per month
2MB
2K
SLoC
Licensebat CLI
A tool to help you verify that your dependencies comply with your license policies.
Check the docs for more information.
What is Licensebat?
Licensebat
is a CLI that you can use for free to verify that the dependencies of your project follow your license policies.
Let's say, for instance, that you are building a proprietary application. In that case, you may consider avoiding the use of some software with a restrictive license like GPL
.
By using Licensebat
, you can check you don't have any dependency with such a restrictive license. Normally, it will look in all the the dependency tree of your project, so transient dependencies will also be considered.
Feel free to use the CLI
in your CI/CD pipeline, or in your continuous integration server.
Important:
licensebat-cli
is still in development so you may use it at your own risk.
Licensebat GitHub App
Aside from the CLI
, Licensebat
can be used directly in your GitHub repositories by installing this GitHub App.
Supported languages
How to use it
Just run this:
licensebat --dependency-file ./Cargo.lock
That will set all in motion. Take into account that you'll need to have access to the internet for the cli to work properly.
You can have more information about the CLI
by running licensebat --help
.
USAGE:
licensebat [OPTIONS] --dependency-file <dependency-file>
FLAGS:
-h, --help Prints help information
-V, --version Prints version information
OPTIONS:
-d, --dependency-file <dependency-file> Path to the file containing the dependencies of the project. i.e.
package-lock.json for npm projects, yarn.lock for yarn projects, etc
-l, --licrc-file <licrc-file> Path to the .licrc file [default: .licrc]
The .licrc file
But before running, you have to be sure you have a .licrc
file available in your project.
You can get a copy from this gist. It's a TOML
file with configuration about which are the accepted or denied licenses, ignored dependencies or whether to block or not the PR (exit code == 1) in case it finds invalid dependencies.
[licenses]
# This indicates which are the only licenses that Licensebat will accept.
# The rest will be flagged as not allowed.
accepted = ["MIT", "MSC", "BSD"]
# This will indicate which licenses are not accepted.
# The rest will be accepted, except for the unknown licenses or dependencies without licenses.
# unaccepted = ["LGPL"]
# Note that only one of the previous options can be enabled at once.
# If both of them are informed, only accepted will be considered.
[dependencies]
# This will allow users to flag some dependencies so that Licensebat will not check for their license.
ignored=["ignored_dep1", "ignored_dep2"]
# False by default, if true it will mark all dev dependencies as ignored.
# Bear in mind that this is only supported by some of the collectors.
ignore_dev_dependencies = false
# False by default, if true it will mark all optional dependencies as ignored.
# Bear in mind that this is only supported by some of the collectors.
ignore_optional_dependencies = false
[behavior]
# False by default (always exit code == 0), if true, it will exit with code 1 in case some invalid dependency is found.
do_not_block_pr = false
# False by default, if true it will do not show the ignored dependencies in the final report.
do_not_show_ignored_dependencies = false
# False by default, if true it will do not show the dev dependencies in the final report.
# Bear in mind that this is only supported by some of the collectors.
do_not_show_dev_dependencies = false
# False by default, if true it will do not show the optional dependencies in the final report.
# Bear in mind that this is only supported by some of the collectors.
do_not_show_optional_dependencies = false
# This will define the size of the buffer used to retrieve the dependencies.
# It's set to 100 by default.
# If you have a lot of dependencies, you might want to increase this value, but be careful, if the size is too big, the API might return an error.
retriever_buffer_size = 100
Logs
Licensebat
uses tracing
. You can get logs while running the CLI
by setting the RUST_LOG
environment variable.
RUST_LOG=licensebat=info cargo run --dependency-file ./Cargo.lock
Dependencies
~20–35MB
~542K SLoC