license-audit 0.2.0

Analyze dependency licenses and get actionable licensing guidance for Python projects

license-audit

Analyze dependency licenses and get actionable licensing guidance for Python projects.

license-audit goes beyond listing dependency licenses. It tells you what license your project can use, flags incompatible combinations, and generates compliance documents suitable for CI gating.

Features

• License detection from PEP 639 metadata, trove classifiers, and user overrides across the full transitive dependency tree.
• Compatibility analysis using the OSADL compatibility matrix (covers ~120 well-known licenses).
• Outbound license recommendations ranked by permissiveness.
• Compliance reports in Markdown, JSON, or third-party-notices form.
• CI-ready with distinct exit codes for policy violations and undetected licenses.
• First-class support for uv, pyproject.toml, and PEP 639.

Installation

pip install license-audit

Or with uv:

uv add license-audit --dev

Quickstart

Run against the current project directory:

license-audit --target . analyze

──────────────────── License Analysis: my-project ────────────────────

                        Dependency Licenses
┏━━━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━━━━━━┳━━━━━━━━━━━━┳━━━━━━━━┳━━━━━━━━━━┓
┃ Package  ┃ Version ┃ License      ┃ Category   ┃ Source ┃ Parent   ┃
┡━━━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━━━━━━╇━━━━━━━━━━━━╇━━━━━━━━╇━━━━━━━━━━┩
│ click    │ 8.1.7   │ BSD-3-Clause │ permissive │ pep639 │ (direct) │
│ pydantic │ 2.9.2   │ MIT          │ permissive │ pep639 │ (direct) │
│ rich     │ 13.9.4  │ MIT          │ permissive │ pep639 │ (direct) │
└──────────┴─────────┴──────────────┴────────────┴────────┴──────────┘

Recommended Outbound Licenses (most -> least permissive):
  -> MIT
     BSD-3-Clause
     Apache-2.0
     ...

──────────────────────────── Summary ────────────────────────────
  Total dependencies: 3
  Policy check:       PASSED

CI quickstart

Add to your pipeline to gate on license policy:

jobs:
  license-check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: astral-sh/setup-uv@v5
      - run: uv sync --locked
      - run: uv run license-audit check

Exit codes:

Code	Meaning
0	All dependencies pass the policy
1	Policy violation (incompatible pairs or denied licenses)
2	Unknown licenses detected (when fail-on-unknown = true)

For GitLab CI, pre-commit hooks, handling unknowns, and the "adding a new dependency" workflow, see the CI integration guide.

Configuration

[tool.license-audit]
fail-on-unknown = true
policy = "permissive"  # permissive | weak-copyleft | strong-copyleft | network-copyleft
allowed-licenses = ["MIT", "Apache-2.0", "BSD-3-Clause"]
denied-licenses = ["GPL-3.0-only"]

[tool.license-audit.overrides]
some-internal-package = "MIT"
dual-licensed-pkg = "Apache-2.0 OR MIT"

Full configuration reference: user guide -> configuration.

Documentation

Full documentation lives at https://dgeragh.github.io/license-audit:

• Configuration reference - all options, target resolution, dependency group selectors.
• CI integration guide - GitHub Actions, GitLab, pre-commit, new-dependency workflow.
• How it works - the detection and analysis pipeline.
• Comparison with other tools - ScanCode, pip-licenses, liccheck.
• Limitations - what the tool does and doesn't cover.

License

MIT - see LICENSE.

This project bundles data from the OSADL Open Source License Obligations Checklists project, licensed under CC-BY-4.0. See THIRD_PARTY_NOTICES.md for full attribution.