← 返回
未分类 中文

Dependency License Audit

Scan project dependencies for license compatibility issues, GPL contamination, and compliance violations. Supports npm, pip, Go, Rust, and Ruby ecosystems. U...
扫描项目依赖项,检测许可证兼容性、GPL污染和合规违规。支持 npm、pip、Go、Rust 和 Ruby 生态系统。U...
charlie-morrison charlie-morrison 来源
未分类 clawhub v1.0.1 1 版本 100000 Key: 无需
★ 0
Stars
📥 398
下载
💾 1
安装
1
版本
#latest

概述

Dependency License Audit

Scan project dependencies for license compatibility issues across multiple ecosystems.

Quick Start

# Basic scan (permissive policy)
python3 scripts/license_audit.py /path/to/project

# Strict enterprise scan with CI exit codes
python3 scripts/license_audit.py /path/to/project --policy permissive --ci --format markdown

# Allow weak copyleft (LGPL, MPL)
python3 scripts/license_audit.py /path/to/project --policy weak-copyleft

# Include transitive deps (npm)
python3 scripts/license_audit.py /path/to/project --include-transitive

# JSON output for tooling
python3 scripts/license_audit.py /path/to/project --format json

Supported Ecosystems

EcosystemFiles ParsedLicense Source
----------------------------------------
npmpackage.json, package-lock.json, node_modules/*/package.jsonPackage metadata
piprequirements.txt, Pipfile, pyproject.tomlInstalled package metadata
Gogo.modManual/UNKNOWN (no local metadata)
RustCargo.tomlManual/UNKNOWN (no local metadata)
RubyGemfileManual/UNKNOWN (no local metadata)

npm and pip auto-detect licenses from installed packages. Go/Rust/Ruby report UNKNOWN unless packages are installed — review manually.

Policies

PolicyAllowsUse When
--------------------------
permissive (default)MIT, Apache-2.0, BSD, ISC, etc.Proprietary/commercial projects
weak-copyleft+ LGPL, MPL, EPLLibrary consumers (dynamic linking)
any-openAll OSI-approvedOpen-source projects
customUser-definedEnterprise with specific requirements

For custom policy setup, see references/custom-policy.md.

Output Formats

  • text — Human-readable terminal output (default)
  • json — Machine-readable for CI pipelines and tooling
  • markdown — Report with tables, suitable for PRs or documentation

CI Exit Codes

With --ci flag:

  • 0 — No issues
  • 1 — Warnings only (unknown licenses)
  • 2 — Policy violations found

License Classifications

The scanner classifies licenses into categories:

  • permissive — MIT, Apache-2.0, BSD, ISC, Unlicense, CC0, etc.
  • weak-copyleft — LGPL, MPL, EPL, CDDL (modifications must be shared, but linking is OK)
  • strong-copyleft — GPL, AGPL, SSPL (derivative works inherit the license)
  • proprietary — UNLICENSED or commercial indicators
  • unknown — Not recognized; manual review needed

SPDX expressions (MIT OR Apache-2.0, MIT AND BSD-3-Clause) are evaluated: OR picks most permissive, AND picks most restrictive.

Workflow

  1. Run audit against project directory
  2. Review violations and warnings in output
  3. For each violation, follow the recommendations provided
  4. Optionally create .license-policy.json for custom rules
  5. Add --ci flag to CI pipeline for automated enforcement

版本历史

共 1 个版本

  • v1.0.1 当前
    2026-05-07 05:26 安全 安全

安全检测

腾讯云安全 (Keen)

安全,无风险
查看报告

腾讯云安全 (Sanbu)

安全,无风险
查看报告

🔗 相关推荐

dev-programming

Github

steipete
使用 `gh` CLI 与 GitHub 交互,通过 `gh issue`、`gh pr`、`gh run` 和 `gh api` 管理议题、PR、CI 运行及高级查询。
★ 688 📥 331,700
dev-programming

YouTube

byungkyu
使用托管OAuth集成YouTube Data API,支持搜索视频、管理播放列表、获取频道数据及评论互动,适用于用户需要时使用此技能。
★ 142 📥 42,207
it-ops-security

Vulnerability Prioritizer

charlie-morrison
在CVSS评分之外,利用EPSS、CISA KEV、资产关键性、可达性分析以及利用成熟度进行漏洞优先级排序
★ 1 📥 564