Scan dependencies across any language for license compliance — free, fast, and CI-ready.
license-patrol discovers dependencies across Python, JavaScript, Go, Rust, PHP, and C# projects, resolves their licenses from package registries, and evaluates them against a configurable allow/deny/review policy. It produces reports in multiple formats for compliance documentation, including SPDX 2.3 and CycloneDX 1.5 SBOMs.
- CISA's 2025 SBOM minimum elements require license as a mandatory field
- PCI DSS 4.0 controls 6.3.2 and 11.3.1.1 mandate production SBOM management
- Commercial tools (FOSSA, Snyk) cost thousands per year
- No free, language-agnostic CLI existed that scans dependencies across multiple ecosystems
```bash
pip install license-patrol
```

Or with uv:
```bash
uv tool install license-patrol
```

```bash
# Auto-detect ecosystems and scan current directory
license-patrol scan

# Scan with a built-in strict policy
license-patrol scan --policy strict

# Scan specific ecosystems only
license-patrol scan --ecosystems py,npm

# Generate an SPDX SBOM
license-patrol report --format spdx --output sbom.spdx

# Generate a CycloneDX BOM
license-patrol report --format cyclonedx --output bom.json

# Create a config template
license-patrol init
```

Run `license-patrol init` to generate a `.license-patrol.toml` config file:
```toml
[policy]
allow = [
    "MIT",
    "Apache-2.0",
    "BSD-2-Clause",
    "BSD-3-Clause",
    "ISC",
]
deny = [
    "GPL-3.0-only",
    "AGPL-3.0-only",
]
review = [
    "LGPL-*",
    "MPL-2.0",
]

[overrides]
# Override license for packages with missing or incorrect metadata
# "some-package" = "MIT"
```

- `allow`: Dependencies with these licenses pass the scan
- `deny`: Dependencies with these licenses fail the scan (exit code 1)
- `review`: Dependencies flagged for manual review
- Wildcards: Use `*` patterns like `BSD-*` or `GPL-*` to match license families
- Priority: deny > review > allow > unknown

- `--policy strict` — Only permissive licenses allowed; all copyleft denied
- `--policy permissive` — Most OSS licenses allowed; only AGPL/SSPL denied
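The following is an added example, not license-patrol's own code, showing how the documented policy rules compose: wildcard patterns match license families, `[overrides]` replace a resolved license before evaluation, verdicts are chosen in the order deny > review > allow > unknown, and any denied dependency turns into exit code 1. The dependency inventory and the `evaluate` / `classify` function names are constructed for illustration and are not the tool's API.

```python
"""Policy evaluation in the style of license-patrol's allow/deny/review model.

Added example, not license-patrol's own code. The policy mirrors the
.license-patrol.toml template; the inventory below is constructed, and the
function names are assumptions, not the tool's API.
"""
from fnmatch import fnmatchcase

# Constructed policy mirroring the config template above.
POLICY = {
    "allow": ["MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"],
    "deny": ["GPL-3.0-only", "AGPL-3.0-only"],
    "review": ["LGPL-*", "MPL-2.0"],
}

# Constructed [overrides] table: a package whose registry metadata is missing.
OVERRIDES = {"legacy-lib": "MIT"}

# Constructed inventory: (name, version, license resolved from the registry, or None).
DEPENDENCIES = [
    ("requests", "2.31.0", "Apache-2.0"),
    ("gplcli", "1.0.0", "GPL-3.0-only"),
    ("somelgpl", "3.2", "LGPL-2.1-only"),   # matched by the LGPL-* wildcard
    ("bsdthing", "0.1", "BSD-4-Clause"),    # not in any list -> unknown
    ("legacy-lib", "9.9", None),            # no metadata; override applies
    ("mystery", "0.0.1", None),             # no metadata, no override -> unknown
]


def matches(license_id, patterns):
    """Case-sensitive glob match so 'LGPL-*' covers 'LGPL-2.1-only' but 'mit' != 'MIT'."""
    return any(fnmatchcase(license_id, p) for p in patterns)


def classify(license_id, policy):
    """Return 'deny', 'review', 'allow' or 'unknown', honouring deny > review > allow > unknown."""
    if license_id is None:
        return "unknown"
    for verdict in ("deny", "review", "allow"):
        if matches(license_id, policy.get(verdict, [])):
            return verdict
    return "unknown"


def evaluate(dependencies, policy, overrides):
    """Classify every dependency; an override replaces the resolved license first."""
    results = []
    for name, version, resolved in dependencies:
        license_id = overrides.get(name, resolved)
        results.append({
            "name": name,
            "version": version,
            "license": license_id,
            "verdict": classify(license_id, policy),
        })
    return results


def exit_code(results):
    """Documented CI behaviour: any denied dependency fails the scan with exit code 1."""
    return 1 if any(r["verdict"] == "deny" for r in results) else 0


if __name__ == "__main__":
    rows = evaluate(DEPENDENCIES, POLICY, OVERRIDES)
    for r in rows:
        print(f"{r['name']:<12} {r['version']:<8} {str(r['license']):<16} {r['verdict']}")
    raise SystemExit(exit_code(rows))
```

Note that a `review` verdict does not fail the build in this model; only `deny` does, which is why the priority order matters when an allow wildcard such as `*` would otherwise swallow a denied or review-listed license.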
| Ecosystem | Files Parsed |
|---|---|
| Python | requirements.txt, Pipfile.lock, poetry.lock |
| JavaScript | package.json, package-lock.json |
| Go | go.mod, go.sum |
| Rust | Cargo.toml, Cargo.lock |
| PHP | composer.json, composer.lock |
| C# / NuGet | *.csproj, packages.lock.json |
| Format | Flag | Description |
|---|---|---|
| Table | `--format table` | Rich terminal table (default) |
| JSON | `--format json` | Machine-readable JSON |
| CSV | `--format csv` | Spreadsheet-compatible CSV |
| SPDX | `--format spdx` | SPDX 2.3 tag-value SBOM |
| CycloneDX | `--format cyclonedx` | CycloneDX 1.5 JSON BOM |
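As an added example (not license-patrol's report code), here is the shape of a minimal CycloneDX 1.5 JSON BOM with a license entry per component, plus a check that flags components lacking an SPDX license id, the field the page says is mandatory. The inventory is constructed, the ecosystem-to-purl-type mapping is an assumption covering only the listed ecosystems, and the function names are not the tool's API.

```python
"""Minimal CycloneDX 1.5 JSON BOM emitter with a license-completeness check.

Added example, not license-patrol's report code. The top-level keys and the
components[].licenses[].license.id layout follow the CycloneDX 1.5 JSON schema;
the inventory is constructed and PURL_TYPES is an assumption for these ecosystems.
"""
import json

# Assumed mapping from license-patrol's ecosystem names to package-url types.
PURL_TYPES = {
    "py": "pypi",
    "npm": "npm",
    "go": "golang",
    "rust": "cargo",
    "php": "composer",
    "nuget": "nuget",
}

# Constructed inventory: (ecosystem, name, version, resolved SPDX id or None).
INVENTORY = [
    ("py", "requests", "2.31.0", "Apache-2.0"),
    ("npm", "lodash", "4.17.21", "MIT"),
    ("go", "github.com/example/mod", "1.2.3", None),  # unresolved license
]


def component(ecosystem, name, version, license_id):
    """Build one CycloneDX component; the licenses array is omitted when unresolved."""
    comp = {
        "type": "library",
        "name": name,
        "version": version,
        "purl": f"pkg:{PURL_TYPES[ecosystem]}/{name}@{version}",
    }
    if license_id is not None:
        comp["licenses"] = [{"license": {"id": license_id}}]
    return comp


def build_bom(inventory):
    """Assemble the BOM document with the CycloneDX 1.5 header fields."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "components": [component(*row) for row in inventory],
    }


def missing_license_components(bom):
    """Return names of components that carry no SPDX license id (a compliance gap)."""
    return [
        c["name"]
        for c in bom["components"]
        if not any("id" in entry.get("license", {}) for entry in c.get("licenses", []))
    ]


def to_json(bom):
    """Serialise the BOM the way it would be written to bom.json."""
    return json.dumps(bom, indent=2)


if __name__ == "__main__":
    bom = build_bom(INVENTORY)
    print(to_json(bom))
    print("components without a license id:", missing_license_components(bom))
```

The completeness check is the part worth keeping in a pipeline: a BOM that validates against the schema can still be unusable for compliance if components have no license recorded, so fail or flag on the returned list rather than on schema validity alone.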
license-patrol exits with code 1 if any dependency has a denied license, making it ideal for CI pipelines.
```yaml
- name: License check
  run: pip install license-patrol && license-patrol scan --policy strict
```

Or use the dedicated CI workflow — see `.github/workflows/ci.yml` in this repo.
```text
license-patrol scan [PATH] [OPTIONS]
  --ecosystems, -e   Comma-separated ecosystems: py,npm,go,rust,php,nuget
  --policy, -p       Built-in policy: strict, permissive
  --format, -f       Output format: table, json, csv, spdx, cyclonedx
  --output, -o       Write output to file
  --skip-resolve     Skip online license resolution

license-patrol report [PATH] [OPTIONS]
  --format, -f       Report format: spdx, cyclonedx, json, csv
  --output, -o       Write report to file
  --ecosystems, -e   Comma-separated ecosystems
  --policy, -p       Built-in policy name
  --skip-resolve     Skip online license resolution

license-patrol init [PATH]
  Generate a .license-patrol.toml configuration template

license-patrol version
  Show the version

license-patrol --version, -V
  Show the version
```
- Clone the repository
- Install dev dependencies: `uv sync`
- Run tests: `uv run pytest`
- Run linter: `uv run ruff check .`
- Run formatter: `uv run ruff format .`
MIT — see `LICENSE` for details.