GitHub Licensed is an open-source tool that aims to simplify the chore of ensuring license soundness and documentation for all dependencies of a GitHub project.
Licensed can detect dependencies from a variety of languages and package managers across multiple projects in a repository. Supported package managers include Bower, Bundler, Cabal, Go, Manifest lists, and NPM. For each dependency found, Licensed can retrieve its basic metadata and relevant license information, such the license type and associated legal text (usually stored in a LICENSE
file) from the location in the local environment. To detect license type and text, Licensed uses Licensee. All detected metadata is stored at a given location that can be used to generate the copy of all licenses such as is required for distribution.
What is more important, GitHub suggests, is metadata and license text can be put under revision control. When you do so, adding any new dependencies is reflected at PR-level and license experts can specifically review any new licenses to detect any issues that should be dealt with. Based on their own experience with this process, GitHub claims this is an effective way to reduce friction on the developer and to ensure only dependencies that meet the organization’s requirements are included in any product.
The workings of Licensed are controlled through a configuration file where you specify a source_path
location to scan for dependencies, a cache_path
directory to store metadata, and a list of allowed licenses. This is how a simplified configuration file can appear:
# Path is relative to git repository root
# If not set, defaults to '.licenses'
cache_path: 'relative/path/to/cache'
# Path is relative to git repository root and specifies the working directory when enumerating dependencies
source_path: 'relative/path/to/source'
# Dependencies with these licenses are allowed by default.
allowed:
- mit
- apache-2.0
- bsd-2-clause
- bsd-3-clause
- cc0-1.0
Licensed is a ruby gem that you can install by adding the following line to your Gemfile:
gem 'licensed', :group => 'development'
And then run:
$ bundle
You can ask Licensed to list all the dependencies of your project by running:
$ licensed list
Similarly, the cache
command will cache both licenses and metadata, while the status
command will check the status of dependencies and emit warnings if license data is missing or the license type needs to be reviewed.
GitHub stresses the fact that Licensed is just a tool for early detection of any licensing issues and that it cannot replace professional legal advice.