DEV Community

Cover image for License compliance in CI in 3 lines of YAML
Kumar Anirudha
Kumar Anirudha

Posted on

License compliance in CI in 3 lines of YAML

Quick question: what license is the transitive dependency your package manager pulled in last Tuesday?

Exactly.

Every cargo add, npm install, or go get is a small legal decision nobody reviews. Most of the time it's fine: MIT and Apache everywhere. But one GPL-3.0 dependency deep in your tree can be a genuine problem if you're shipping a commercial product, and you typically find out at the worst possible time: during due diligence, an enterprise procurement review, or an app store submission.

This got worse recently, and it's worth saying why: AI coding agents add dependencies fast. When Claude or Copilot resolves your feature request by pulling in three new packages, license review isn't part of that loop unless you make it part of the pipeline.

I maintain Feluda, an open source (MIT) Rust CLI that treats license compliance the way we treat tests: something CI checks on every PR, not something legal checks once a year. Here's the whole setup.

Try it locally first

cargo install feluda   # or: brew install feluda
cd your-project
feluda
Enter fullscreen mode Exit fullscreen mode

Feluda walks your dependency manifests, resolves every dependency's license, and flags two kinds of problems:

  • Restrictive licenses (GPL-3.0, AGPL-3.0, and friends; the list is configurable)
  • Incompatible licenses, meaning ones that conflict with your project's license, checked against a compatibility matrix

It works across Rust, Node (npm/pnpm/yarn/bun), Go, Python, Java (Maven and Gradle), C/C++, C#/.NET, R, and Ruby. If you want to poke around interactively, there's a TUI: feluda --gui.

Feluda Scan Screenshot

The 3 lines that matter

Locally is nice; enforced is better. Add this to any workflow:

- uses: anistark/feluda@v1
  with:
    fail-on-restrictive: true
Enter fullscreen mode Exit fullscreen mode

That's it. The Feluda License Scanner action is on the GitHub Marketplace. No toolchain install, no setup step. The PR that introduces a restrictive license goes red, with the offending package named in the log. The reviewer sees it while the change is still one click to revert, instead of six months later in an audit spreadsheet.

Full workflow, for anyone who wants to copy and paste:

name: License Check
on:
  pull_request:
    branches: [ main ]

jobs:
  license-check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: anistark/feluda@v1
        with:
          fail-on-restrictive: true
          fail-on-incompatible: true
          project-license: 'MIT'
Enter fullscreen mode Exit fullscreen mode

fail-on-incompatible plus project-license enables the compatibility check: it's not just "is this license scary," it's "can an MIT project actually ship with this dependency."

Findings in the Security tab

If your org uses GitHub Advanced Security, Feluda emits SARIF, so license findings land in the same place as CodeQL alerts:

- run: feluda --ci-format sarif --output-file results.sarif
- uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: results.sarif
Enter fullscreen mode Exit fullscreen mode

Restrictive licenses show up as warnings and incompatible ones as errors, both in the Security tab and in VS Code's Problems panel.

SBOMs, since everyone's asking for them

Between the US executive order on software supply chains and the EU Cyber Resilience Act, "can you give us an SBOM?" is turning up in more and more procurement checklists. Feluda generates and validates both major formats:

feluda sbom spdx --output sbom.spdx.json
feluda sbom cyclonedx --output sbom.cyclonedx.json
feluda sbom validate sbom.spdx.json
Enter fullscreen mode Exit fullscreen mode

It also generates the boring but legally required attribution files, NOTICE and THIRD_PARTY_LICENSES (with full license texts, pulled from your local package caches first so it works offline):

feluda generate
Enter fullscreen mode Exit fullscreen mode

Some teams run the whole pipeline in one job: scan, gate, generate compliance files, produce and validate SBOMs, upload everything as build artifacts. Every release ships with its own audit trail, for free.

A few more tricks

  • feluda watch scans again whenever a dependency file changes. Surprisingly useful when an AI agent is driving and dependencies appear midway through a session.
  • feluda --repo https://github.com/some/repo scans a repo without you cloning it yourself. Good for vetting a dependency before adopting it.
  • .feluda.toml lets you override what counts as restrictive, and ignore specific licenses or dependencies (with a documented reason, for the auditors).

Obligatory disclaimer

Feluda is a tool, not a lawyer. It makes license problems visible early, which is 90% of the battle. But compliance decisions are yours, and real legal questions deserve real legal counsel.

Talk to us

Feluda is open source under MIT. If you try it, or if you're already using it (which we sometimes discover in the wild, and it makes our day), We'd genuinely love to hear how:

Feluda is named after Satyajit Ray's iconic Bengali detective: methodical, thorough, and unbothered by how deep the case goes. 🔎

Top comments (0)