Metadata-Version: 2.4
Name: license-audit
Version: 0.7.0
Summary: Analyze dependency licenses for Python projects, with compatibility checks and outbound license recommendations
Project-URL: Homepage, https://github.com/dgeragh/license-audit
Project-URL: Repository, https://github.com/dgeragh/license-audit
Project-URL: Documentation, https://dgeragh.github.io/license-audit
Project-URL: Issues, https://github.com/dgeragh/license-audit/issues
Project-URL: Changelog, https://github.com/dgeragh/license-audit/blob/main/docs/CHANGELOG.md
Author: Devin Geraghty
License-Expression: MIT
License-File: LICENSE
Keywords: compliance,dependencies,license,oss,spdx
Classifier: Development Status :: 3 - Alpha
Classifier: Environment :: Console
Classifier: Intended Audience :: Developers
Classifier: License :: OSI Approved :: MIT License
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Programming Language :: Python :: 3.13
Classifier: Topic :: Software Development :: Libraries
Classifier: Topic :: Software Development :: Quality Assurance
Classifier: Typing :: Typed
Requires-Python: >=3.11
Requires-Dist: click>=8.1.0
Requires-Dist: license-expression>=30.0.0
Requires-Dist: packaging>=23.0
Requires-Dist: pip>=23.0
Requires-Dist: platformdirs>=3.0.0
Requires-Dist: pydantic>=2.5.0
Requires-Dist: pyyaml>=6.0
Requires-Dist: rich>=13.0.0
Description-Content-Type: text/markdown

# license-audit

**Analyze dependency licenses for Python projects.**

license-audit tells you what license your project can use, flags incompatible combinations, and generates compliance documents suitable for CI gating.

## Features

- License detection across the full transitive tree, from PEP 639 metadata, the legacy `License` field, trove classifiers, and user overrides.
- Pairwise compatibility checking against the [OSADL compatibility matrix](https://www.osadl.org/Access-to-raw-data.oss-compliance-raw-data-access.0.html) (~120 licenses).
- Outbound license recommendations ranked by permissiveness.
- Compliance reports as Markdown, JSON, or third-party-notices.
- CI exit codes that distinguish policy violations from undetected licenses.
- Reads `uv.lock`, `poetry.lock`, `pixi.lock`, `pyproject.toml`, `requirements.txt`, and live virtualenvs.

## Installation

```bash
pip install license-audit
```

Or with [uv](https://docs.astral.sh/uv/):

```bash
uv add license-audit --dev
```

## Quickstart

Run against the current project directory:

```bash
license-audit --target . analyze
```

```
License Analysis: my-project

Dependency Licenses
  Package   Version  License        Category    Source  Parent
  click     8.1.7    BSD-3-Clause   permissive  pep639  (direct)
  pydantic  2.9.2    MIT            permissive  pep639  (direct)
  rich      13.9.4   MIT            permissive  pep639  (direct)

Recommended Outbound Licenses (most -> least permissive):
  -> MIT
     BSD-3-Clause
     Apache-2.0
     ...

Summary
  Total dependencies: 3
  Policy check:       PASSED
```

## CI quickstart

Add to your pipeline to gate on license policy:

```yaml
jobs:
  license-check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: astral-sh/setup-uv@v5
      - run: uv sync --locked
      - run: uv run license-audit check
```

Exit codes:

| Code | Meaning |
|------|---------|
| `0` | All dependencies pass the policy |
| `1` | Policy violation (incompatible pairs, denied licenses, or category exceeded) |
| `2` | Unknown licenses detected (when `fail-on-unknown = true`) |

For GitLab, pre-commit, handling unknowns, and the new-dependency workflow, see the [CI integration guide](https://dgeragh.github.io/license-audit/latest/user-guide/ci-integration/).

## Configuration

```toml
[tool.license-audit]
fail-on-unknown = true
policy = "permissive"  # permissive | weak-copyleft | strong-copyleft | network-copyleft
allowed-licenses = ["MIT", "Apache-2.0", "BSD-3-Clause"]
denied-licenses = ["GPL-3.0-only"]

[tool.license-audit.overrides]
some-internal-package = "MIT"
dual-licensed-pkg = "Apache-2.0 OR MIT"

[tool.license-audit.ignored-packages]
pandas-stubs = "Stubs only, not redistributed"
```

Full reference: [user guide -> configuration](https://dgeragh.github.io/license-audit/latest/user-guide/configuration/).

## Documentation

Full documentation lives at **https://dgeragh.github.io/license-audit**:

- [Configuration reference](https://dgeragh.github.io/license-audit/latest/user-guide/configuration/)
- [CI integration guide](https://dgeragh.github.io/license-audit/latest/user-guide/ci-integration/)
- [How it works](https://dgeragh.github.io/license-audit/latest/reference/how-it-works/)
- [Comparison with other tools](https://dgeragh.github.io/license-audit/latest/reference/comparison/)
- [Limitations](https://dgeragh.github.io/license-audit/latest/reference/limitations/)

## License

MIT. See [LICENSE](https://github.com/dgeragh/license-audit/blob/main/LICENSE).

This project bundles data from the [OSADL Open Source License Obligations Checklists](https://www.osadl.org/Checklists) project, licensed under CC-BY-4.0. See [THIRD_PARTY_NOTICES.md](https://github.com/dgeragh/license-audit/blob/main/THIRD_PARTY_NOTICES.md) for full attribution.
