If you've ever had a GPL dependency sneak into a commercial project, you know the drill. License violations don't fail your tests. They don't break your build. They just sit there quietly until your lawyer finds them six months later, and suddenly everyone is having a very bad week.
Let's fix that. This post shows how to surface those violations as real security findings inside GitHub Advanced Security, using feluda's SARIF output. Think CVEs and secret leaks, but for licenses. Same dashboard, same severity levels, no extra plugins.
What is SARIF?
SARIF (Static Analysis Results Interchange Format) is an OASIS standard for shuttling results between static analysis tools and the things that consume them. GitHub Advanced Security speaks it natively. Upload a .sarif file as a workflow artifact and GitHub turns each result into an alert in the Security > Code scanning tab. It's a surprisingly clean integration for something that used to need a pile of glue.
Refer to SARIF Specs for details.
Setting up feluda
Install the binary:
```shell
# macOS via Homebrew
brew install feluda
# via cargo
cargo install feluda
# or grab a prebuilt binary from GitHub Releases
```
Run a quick sanity check:
```shell
feluda
```
You'll see a table of every dependency and its license. Anything restrictive (GPL, AGPL, LGPL, SSPL and friends) shows up highlighted in red.
Generating SARIF output
Swap out the default table for SARIF using --ci-format sarif:
```shell
# print to stdout
feluda --ci-format sarif
# write to a file (the right move for CI)
feluda --ci-format sarif --output-file results.sarif
```
The output is valid SARIF 2.1.0 with two rule types baked in:
- `feluda/restrictive-license` fires a **warning** whenever a dependency carries a restrictive license.
- `feluda/incompatible-license` fires an **error** when a dependency clashes with your declared project license.
To get that second rule firing, tell feluda what your project license is:
```shell
feluda --ci-format sarif --project-license MIT --output-file results.sarif
```
A clean scan still produces a valid SARIF file, just with an empty results array. GitHub Advanced Security reads that as "all clear" and quietly dismisses any previous alerts. No manual cleanup.
Wiring it into GitHub Actions
Here's a complete workflow. It runs on every push and pull request and ships the results straight to GitHub Advanced Security:
```yaml
name: License Compliance
on:
  push:
    branches: [main]
  pull_request:
permissions:
  security-events: write # required to upload SARIF
  contents: read         # lets actions/checkout clone a private repo once permissions are restricted
jobs:
  feluda:
    name: License scan
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install feluda
        run: cargo install feluda
      - name: Run license scan
        run: |
          feluda \
            --ci-format sarif \
            --project-license MIT \
            --output-file results.sarif
      - name: Upload SARIF to GitHub Advanced Security
        uses: github/codeql-action/upload-sarif@v3
        if: always() # upload even when the scan finds violations
        with:
          sarif_file: results.sarif
```
The if: always() on the upload step is the important bit. Without it, feluda exiting with a failure skips the upload entirely and your findings vanish before they ever reach the Security tab. Kind of defeats the whole point.
Failing the build on violations
Want CI to block merges when a bad license shows up? Add --fail-on-restrictive or --fail-on-incompatible:
```yaml
      - name: Run license scan
        run: |
          feluda \
            --ci-format sarif \
            --project-license MIT \
            --output-file results.sarif \
            --fail-on-restrictive \
            --fail-on-incompatible
```
feluda writes the SARIF file before it exits, so the upload-sarif step still runs and your findings still land in the Security tab.
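To see what the Security tab and the `--fail-on-*` flags are reacting to, here is an added example (not feluda's own code) that parses a SARIF 2.1.0 file, tallies results per feluda rule ID, maps the SARIF `level` to the severity label GitHub displays, and reproduces the gating semantics of `--fail-on-restrictive` / `--fail-on-incompatible`. The SARIF document inside it is constructed by hand to mirror the rule IDs and message style described above; `example-db@2.0.0` is a made-up dependency.

```python
# Added example, not feluda's own code: parse a SARIF 2.1.0 file the way the
# Security tab will read it, tally results per feluda rule ID, and mirror the
# --fail-on-* gating. The SARIF document below is constructed by hand to match
# the rule IDs and message style shown in the post.
import json
from collections import Counter

SAMPLE_SARIF = json.dumps({  # constructed sample: one warning, one error
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "feluda"}},
        "results": [
            {"ruleId": "feluda/restrictive-license", "level": "warning",
             "message": {"text": "Dependency 'left-pad@1.3.0' has restrictive license: GPL-3.0"}},
            {"ruleId": "feluda/incompatible-license", "level": "error",
             "message": {"text": "Dependency 'example-db@2.0.0' (AGPL-3.0) is incompatible with project license MIT"}},
        ],
    }],
})

# SARIF result 'level' -> label GitHub shows in Security > Code scanning.
LEVEL_TO_SEVERITY = {"error": "Error", "warning": "Warning", "note": "Note", "none": "None"}


def summarize(sarif_text: str) -> dict:
    """Counts per rule ID and per severity, plus 'clean' for an empty results array."""
    doc = json.loads(sarif_text)
    if doc.get("version") != "2.1.0":
        raise ValueError(f"unexpected SARIF version: {doc.get('version')!r}")
    by_rule, by_severity = Counter(), Counter()
    for run in doc.get("runs", []):
        for result in run.get("results", []):
            by_rule[result.get("ruleId", "<no ruleId>")] += 1
            # SARIF 2.1.0 treats a missing 'level' as 'warning'.
            by_severity[LEVEL_TO_SEVERITY.get(result.get("level", "warning"), "Warning")] += 1
    # An empty results array is a valid, passing scan: GitHub closes prior alerts on it.
    return {"clean": not by_rule, "by_rule": dict(by_rule), "by_severity": dict(by_severity)}


def ci_exit_code(summary: dict, fail_on_restrictive: bool, fail_on_incompatible: bool) -> int:
    """Mirror --fail-on-restrictive / --fail-on-incompatible: non-zero only for the selected kinds."""
    restrictive = summary["by_rule"].get("feluda/restrictive-license", 0)
    incompatible = summary["by_rule"].get("feluda/incompatible-license", 0)
    return 1 if (fail_on_restrictive and restrictive) or (fail_on_incompatible and incompatible) else 0


if __name__ == "__main__":
    s = summarize(SAMPLE_SARIF)
    print(json.dumps(s, indent=2))
    print("exit code:", ci_exit_code(s, fail_on_restrictive=True, fail_on_incompatible=True))
```

Point `summarize` at the contents of a real `results.sarif` to get the same per-rule breakdown the Security tab will show before the upload step runs.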
What it looks like
Once the workflow runs, head to Security > Code scanning in your repo. Each license violation shows up as a real alert:
- Rule ID: `feluda/restrictive-license` or `feluda/incompatible-license`
- Severity: Warning (restrictive) or Error (incompatible)
- Message: `Dependency 'left-pad@1.3.0' has restrictive license: GPL-3.0`
Alerts clear themselves on the next clean scan. Zero babysitting.
VS Code too
Standard SARIF means VS Code's Problems panel speaks the same language. Install the SARIF Viewer extension, open results.sarif, and your violations show up inline next to your code.
Monorepo support
feluda v1.13.0 added workspace support, so one scan covers everything in a Cargo workspace, npm workspace, Go workspace, or Python uv workspace. The SARIF output rolls up results from every member:
```shell
feluda --ci-format sarif --output-file results.sarif
# every workspace member scanned automatically
```
Quick reference
| Goal | Command |
|---|---|
| Generate SARIF to stdout | feluda --ci-format sarif |
| Write SARIF to file | feluda --ci-format sarif --output-file results.sarif |
| Include incompatibility check | feluda --ci-format sarif --project-license MIT --output-file results.sarif |
| Fail CI on restrictive license | ... --fail-on-restrictive |
| Fail CI on incompatible license | ... --fail-on-incompatible |
License compliance is a supply chain problem now, not a legal afterthought. The EU Cyber Resilience Act, US EO 14028, and your friendly neighborhood M&A diligence checklist all ask for it. Surfacing violations where your team already looks (the Security tab, the Problems panel, the PR review) is how you catch them early, before they become someone else's problem.
feluda is open source and available on GitHub. If this saved you a headache, a star goes a long way.