Metadata-Version: 2.4
Name: license-audit
Version: 0.3.0
Summary: Analyze dependency licenses and get actionable licensing guidance for Python projects
Project-URL: Homepage, https://github.com/dgeragh/license-audit
Project-URL: Repository, https://github.com/dgeragh/license-audit
Project-URL: Documentation, https://dgeragh.github.io/license-audit
Project-URL: Issues, https://github.com/dgeragh/license-audit/issues
Project-URL: Changelog, https://github.com/dgeragh/license-audit/blob/main/docs/CHANGELOG.md
Author: Devin Geraghty
License-Expression: MIT
License-File: LICENSE
Keywords: compliance,dependencies,license,oss,spdx
Classifier: Development Status :: 3 - Alpha
Classifier: Environment :: Console
Classifier: Intended Audience :: Developers
Classifier: License :: OSI Approved :: MIT License
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Programming Language :: Python :: 3.13
Classifier: Topic :: Software Development :: Libraries
Classifier: Topic :: Software Development :: Quality Assurance
Classifier: Typing :: Typed
Requires-Python: >=3.11
Requires-Dist: click>=8.1.0
Requires-Dist: license-expression>=30.0.0
Requires-Dist: packaging>=23.0
Requires-Dist: platformdirs>=3.0.0
Requires-Dist: pydantic>=2.5.0
Requires-Dist: rich>=13.0.0
Description-Content-Type: text/markdown

# license-audit

**Analyze dependency licenses and get actionable licensing guidance for Python projects.**

license-audit goes beyond listing dependency licenses. It tells you what license your project can use, flags incompatible combinations, and generates compliance documents suitable for CI gating.

## Features

- **License detection** from PEP 639 metadata, trove classifiers, and user overrides across the full transitive dependency tree.
- **Compatibility analysis** using the [OSADL compatibility matrix](https://www.osadl.org/Access-to-raw-data.oss-compliance-raw-data-access.0.html) (covers ~120 well-known licenses).
- **Outbound license recommendations** ranked by permissiveness.
- **Compliance reports** in Markdown, JSON, or third-party-notices form.
- **CI-ready** with distinct exit codes for policy violations and undetected licenses.
- **First-class support** for uv, `pyproject.toml`, and PEP 639.
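To make the detection order in the feature list concrete, here is an added example (not license-audit's own code) that reads a wheel's METADATA with the standard library only: a user override for the package wins, then the PEP 639 `License-Expression` field, then the first trove classifier with an unambiguous SPDX mapping, and otherwise the package is reported as unknown. The classifier table, the SPDX-to-category table and the precedence of overrides over metadata are assumptions for illustration; the sample METADATA texts are constructed, the first one modelled on this package's own header. It also categorises `AND`/`OR` expressions (conjunctions take the most restrictive part, disjunctions the least), which goes slightly beyond the single-license rows in the quickstart table.

```python
import re
from email.parser import HeaderParser

# Constructed sample METADATA files. The first is modelled on this
# package's own header; the other two are made up for the example.
SAMPLE_PEP639 = """\
Metadata-Version: 2.4
Name: license-audit
Version: 0.3.0
License-Expression: MIT
Classifier: License :: OSI Approved :: MIT License
"""

SAMPLE_CLASSIFIER_ONLY = """\
Metadata-Version: 2.1
Name: legacy-pkg
Version: 1.0
Classifier: Programming Language :: Python :: 3
Classifier: License :: OSI Approved :: Apache Software License
"""

SAMPLE_NO_LICENSE = """\
Metadata-Version: 2.1
Name: mystery-pkg
Version: 0.1
"""

# Trove classifier -> SPDX id. Hand-picked subset (assumption: the real
# tool ships a larger table). "License :: OSI Approved :: BSD License" is
# deliberately absent: it does not say whether the package is 2- or
# 3-clause, so a classifier-only BSD package stays UNKNOWN here.
CLASSIFIER_TO_SPDX = {
    "License :: OSI Approved :: MIT License": "MIT",
    "License :: OSI Approved :: Apache Software License": "Apache-2.0",
    "License :: OSI Approved :: GNU Lesser General Public License v3 (LGPLv3)": "LGPL-3.0-only",
    "License :: OSI Approved :: GNU General Public License v3 (GPLv3)": "GPL-3.0-only",
    "License :: OSI Approved :: GNU Affero General Public License v3": "AGPL-3.0-only",
}

# SPDX id -> category, using the four tiers named in the README's
# configuration example (assumption: illustrative subset only).
SPDX_CATEGORY = {
    "MIT": "permissive",
    "BSD-2-Clause": "permissive",
    "BSD-3-Clause": "permissive",
    "Apache-2.0": "permissive",
    "MPL-2.0": "weak-copyleft",
    "LGPL-3.0-only": "weak-copyleft",
    "GPL-3.0-only": "strong-copyleft",
    "AGPL-3.0-only": "network-copyleft",
}
# Least to most restrictive; "unknown" sorts last so an unrecognised id
# can never make an expression look more permissive than it is.
CATEGORY_RANK = ["permissive", "weak-copyleft", "strong-copyleft",
                 "network-copyleft", "unknown"]


def detect_license(metadata_text, overrides=None):
    """Return (spdx_expression, source) for one package's METADATA text.

    Order (assumption): a user override for that package name wins, then
    PEP 639 License-Expression, then the first classifier with a mapping.
    """
    msg = HeaderParser().parsestr(metadata_text)
    name = msg.get("Name", "").strip()
    if overrides and name in overrides:
        return overrides[name], "override"
    expression = msg.get("License-Expression")
    if expression and expression.strip():
        return expression.strip(), "pep639"
    for classifier in msg.get_all("Classifier", []):
        spdx = CLASSIFIER_TO_SPDX.get(classifier.strip())
        if spdx:
            return spdx, "classifier"
    return "UNKNOWN", "none"


def categorize(expression):
    """Category of an SPDX expression without parentheses.

    AND binds tighter than OR in SPDX, so split into OR-alternatives first,
    then each alternative into AND-conjuncts. Every conjunct must be
    satisfied, so a conjunction takes its most restrictive category; the
    consumer may pick any alternative, so a disjunction takes its least.
    """
    def rank(spdx_id):
        return CATEGORY_RANK.index(SPDX_CATEGORY.get(spdx_id, "unknown"))

    alternatives = re.split(r"\s+OR\s+", expression.strip(), flags=re.IGNORECASE)
    best = len(CATEGORY_RANK) - 1
    for alt in alternatives:
        conjuncts = re.split(r"\s+AND\s+", alt, flags=re.IGNORECASE)
        best = min(best, max(rank(c.strip()) for c in conjuncts))
    return CATEGORY_RANK[best]


if __name__ == "__main__":
    for text in (SAMPLE_PEP639, SAMPLE_CLASSIFIER_ONLY, SAMPLE_NO_LICENSE):
        expr, source = detect_license(text)
        print(f"{expr:<14} {categorize(expr):<16} {source}")
```

Leaving the ambiguous BSD classifier out of the table is the design choice worth noting: a detector that silently picks `BSD-3-Clause` for it would hide exactly the kind of gap that `fail-on-unknown` exists to surface.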

## Installation

```bash
pip install license-audit
```

Or with [uv](https://docs.astral.sh/uv/):

```bash
uv add license-audit --dev
```

## Quickstart

Run against the current project directory:

```bash
license-audit --target . analyze
```

```
──────────────────── License Analysis: my-project ────────────────────

                        Dependency Licenses
┏━━━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━━━━━━┳━━━━━━━━━━━━┳━━━━━━━━┳━━━━━━━━━━┓
┃ Package  ┃ Version ┃ License      ┃ Category   ┃ Source ┃ Parent   ┃
┡━━━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━━━━━━╇━━━━━━━━━━━━╇━━━━━━━━╇━━━━━━━━━━┩
│ click    │ 8.1.7   │ BSD-3-Clause │ permissive │ pep639 │ (direct) │
│ pydantic │ 2.9.2   │ MIT          │ permissive │ pep639 │ (direct) │
│ rich     │ 13.9.4  │ MIT          │ permissive │ pep639 │ (direct) │
└──────────┴─────────┴──────────────┴────────────┴────────┴──────────┘

Recommended Outbound Licenses (most -> least permissive):
  -> MIT
     BSD-3-Clause
     Apache-2.0
     ...

──────────────────────────── Summary ────────────────────────────
  Total dependencies: 3
  Policy check:       PASSED
```

## CI quickstart

Add to your pipeline to gate on license policy:

```yaml
jobs:
  license-check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: astral-sh/setup-uv@v5
      - run: uv sync --locked
      - run: uv run license-audit check
```

Exit codes:

| Code | Meaning |
|------|---------|
| `0` | All dependencies pass the policy |
| `1` | Policy violation (incompatible pairs or denied licenses) |
| `2` | Unknown licenses detected (when `fail-on-unknown = true`) |

For GitLab CI, pre-commit hooks, handling unknowns, and the "adding a new dependency" workflow, see the [CI integration guide](https://dgeragh.github.io/license-audit/user-guide/ci-integration/).

## Configuration

```toml
[tool.license-audit]
fail-on-unknown = true
policy = "permissive"  # permissive | weak-copyleft | strong-copyleft | network-copyleft
allowed-licenses = ["MIT", "Apache-2.0", "BSD-3-Clause"]
denied-licenses = ["GPL-3.0-only"]

[tool.license-audit.overrides]
some-internal-package = "MIT"
dual-licensed-pkg = "Apache-2.0 OR MIT"

[tool.license-audit.ignored-packages]
pandas-stubs = "Stubs only, not redistributed"
```

Full configuration reference: [user guide -> configuration](https://dgeragh.github.io/license-audit/user-guide/configuration/).

## Documentation

Full documentation lives at **https://dgeragh.github.io/license-audit**:

- [Configuration reference](https://dgeragh.github.io/license-audit/user-guide/configuration/) - all options, target resolution, dependency group selectors.
- [CI integration guide](https://dgeragh.github.io/license-audit/user-guide/ci-integration/) - GitHub Actions, GitLab, pre-commit, new-dependency workflow.
- [How it works](https://dgeragh.github.io/license-audit/reference/how-it-works/) - the detection and analysis pipeline.
- [Comparison with other tools](https://dgeragh.github.io/license-audit/reference/comparison/) - ScanCode, pip-licenses, liccheck.
- [Limitations](https://dgeragh.github.io/license-audit/reference/limitations/) - what the tool does and doesn't cover.

## License

MIT - see [LICENSE](https://github.com/dgeragh/license-audit/blob/main/LICENSE).

This project bundles data from the [OSADL Open Source License Obligations Checklists](https://www.osadl.org/Checklists) project, licensed under CC-BY-4.0. See [THIRD_PARTY_NOTICES.md](https://github.com/dgeragh/license-audit/blob/main/THIRD_PARTY_NOTICES.md) for full attribution.
