{"id":33117642,"url":"https://github.com/dhatim/python-license-check","last_synced_at":"2026-04-09T03:31:19.796Z","repository":{"id":24266539,"uuid":"101060105","full_name":"dhatim/python-license-check","owner":"dhatim","description":"Check python packages from requirement.txt and report issues","archived":false,"fork":false,"pushed_at":"2025-11-20T16:33:44.000Z","size":189,"stargazers_count":182,"open_issues_count":26,"forks_count":63,"subscribers_count":13,"default_branch":"master","last_synced_at":"2026-01-02T09:28:50.466Z","etag":null,"topics":["check","license","python","tool"],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dhatim.png","metadata":{"files":{"readme":"README.rst","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2017-08-22T12:25:21.000Z","updated_at":"2026-01-01T11:55:56.000Z","dependencies_parsed_at":"2024-06-18T15:22:26.279Z","dependency_job_id":"3ea1ef44-6845-4a96-937e-8073dc264df3","html_url":"https://github.com/dhatim/python-license-check","commit_stats":{"total_commits":184,"total_committers":45,"mean_commits":4.088888888888889,"dds":0.5271739130434783,"last_synced_commit":"7bbdffd6c212692f7ce69b2195c5bdf50ee055a0"},"previous_names":[],"tags_count":46,"template":false,"template_full_name":null,"purl":"pkg:github/dhatim/python-license-check","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dhatim%2Fpython-license-check","tags_url":"https://repos.ecosyste.ms/api/
v1/hosts/GitHub/repositories/dhatim%2Fpython-license-check/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dhatim%2Fpython-license-check/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dhatim%2Fpython-license-check/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/dhatim","download_url":"https://codeload.github.com/dhatim/python-license-check/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dhatim%2Fpython-license-check/sbom","scorecard":{"id":340039,"data":{"date":"2025-08-11","repo":{"name":"github.com/dhatim/python-license-check","commit":"01bc97a8ff4237208bdfadf5801554c1a42522e0"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":3.4,"checks":[{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Code-Review","score":3,"reason":"Found 5/15 approved changesets -- score normalized to 3","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- 
score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/build.yml:1","Warn: no topLevel permission defined: .github/workflows/release.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/dhatim/python-license-check/build.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/dhatim/python-license-check/build.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/dhatim/python-license-check/build.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/dhatim/python-license-check/release.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/dhatim/python-license-check/release.yml/master?enable=pin","Warn: third-party GitHubAction not 
pinned by hash: .github/workflows/release.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/dhatim/python-license-check/release.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:34: update your workflow using https://app.stepsecurity.io/secureworkflow/dhatim/python-license-check/release.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:47: update your workflow using https://app.stepsecurity.io/secureworkflow/dhatim/python-license-check/release.yml/master?enable=pin","Warn: pipCommand not pinned by hash: .github/workflows/build.yml:21","Warn: pipCommand not pinned by hash: .github/workflows/build.yml:22","Warn: pipCommand not pinned by hash: .github/workflows/build.yml:23","Warn: pipCommand not pinned by hash: .github/workflows/release.yml:22","Warn: pipCommand not pinned by hash: .github/workflows/release.yml:23","Warn: pipCommand not pinned by hash: .github/workflows/release.yml:24","Info:   0 out of   5 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   3 third-party GitHubAction dependencies pinned","Info:   0 out of   6 pipCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: 
no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'master'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection 
settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Vulnerabilities","score":7,"reason":"3 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: PYSEC-2021-437 / GHSA-5xp3-jfq3-5q8x","Warn: Project is vulnerable to: PYSEC-2020-173 / GHSA-gpvv-69j7-gwj8","Warn: Project is vulnerable to: PYSEC-2023-228 / GHSA-mq26-g339-26xf"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 21 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-18T05:35:10.982Z","repository_id":24266539,"created_at":"2025-08-18T05:35:10.982Z","updated_at":"2025-08-18T05:35:10.982Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31584567,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-08T14:31:17.711Z","status":"online","status_checked_at":"2026-04-09T02:00:06.848Z","response_time":112,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords"
:["check","license","python","tool"],"created_at":"2025-11-15T03:00:27.336Z","updated_at":"2026-04-09T03:31:19.780Z","avatar_url":"https://github.com/dhatim.png","language":"Python","funding_links":[],"categories":["Software"],"sub_categories":["Tools \u0026 libs"],"readme":".. image:: https://badge.fury.io/py/liccheck.svg\n    :target: https://badge.fury.io/py/liccheck\n.. image:: https://github.com/dhatim/python-license-check/workflows/build/badge.svg\n    :target: https://github.com/dhatim/python-license-check/actions\n.. image:: https://codecov.io/gh/dhatim/python-license-check/branch/master/graph/badge.svg\n    :target: https://codecov.io/gh/dhatim/python-license-check\n\nPython License Checker\n======================\n\nCheck Python packages listed in a ``requirements.txt`` file and report license issues.\n\nAbout\n=====\n\nYou can define a list of authorized licenses, unauthorized licenses and authorized packages.\n\nThe tool reads the ``requirements.txt`` file, checks the listed packages and their\ndependencies, and returns an error if any package is not compliant\nwith the given strategy.\n\nThe tool has 3 levels of checks to select from:\n\nStandard (default):\n    A package is considered compliant when at least one of its licenses is\n    in the authorized license list, or if the package is in the list of\n    authorized packages.\n\nCautious:\n    Same as *Standard*, but a package is **not** considered compliant when one\n    or more of its licenses is in the unauthorized license list, even if it\n    also has a license in the authorized license list. A package is still\n    compliant if present in the authorized packages list.\n\nParanoid:\n    All licenses listed for a package must be in the authorized license list\n    for the package to be considered compliant. 
A package is still\n    compliant if present in the authorized packages list.\n\nAssumption\n==========\nThe tool must be installed in the same Python (virtual) environment as the packages, because it uses\n``pkg_resources`` to access the packages' resources and thus their license information.\n\nHow to install\n==============\n\n::\n\n\t$ pip install liccheck\n\n\nHow to use\n==========\n\n``liccheck`` will read the ``requirements.txt`` and verify compliance of packages against a strategy defined in the ``ini`` file.\nIf the requirements file is not specified on the command line, it will search for ``requirements.txt`` in the current folder.\nYou have to set up an ``ini`` file with an authorized license list, unauthorized license list and authorized package list. The packages from your ``requirements.txt`` need to all be installed in the same Python environment/virtualenv as ``liccheck``.\nIf the ``ini`` file is not specified on the command line, it will search for ``liccheck.ini`` in the current folder.\n\nHere is an example of a ``liccheck.ini`` file:\n::\n\n\t# Authorized and unauthorized licenses in LOWER CASE\n\t[Licenses]\n\tauthorized_licenses:\n\t\tbsd\n\t\tnew bsd\n\t\tbsd license\n\t\tnew bsd license\n\t\tsimplified bsd\n\t\tapache\n\t\tapache 2.0\n\t\tapache software license\n\t\tgnu lgpl\n\t\tlgpl with exceptions or zpl\n\t\tisc license\n\t\tisc license (iscl)\n\t\tmit\n\t\tmit license\n\t\tpython software foundation license\n\t\tzpl 2.1\n\n\tunauthorized_licenses:\n\t\tgpl v3\n\n\t[Authorized Packages]\n\t# Python software license (see http://zesty.ca/python/uuid.README.txt)\n\tuuid: 1.30\n\nNote: versions of authorized packages can be defined using `PEP-0440 version specifiers \u003chttps://www.python.org/dev/peps/pep-0440/#version-specifiers\u003e`_, such as ``\u003e=1.3,\u003c1.4``. 
The implementation uses the nice package `semantic_version \u003chttps://pypi.org/project/semantic_version/\u003e`_.\n\nFor demo purposes, let's say your ``requirements.txt`` file contains this:\n::\n\n\tFlask\u003e=0.12.1\n\tflask_restful\n\tjsonify\n\tpsycopg2\u003e=2.7.1\n\tnose\n\tscipy\n\tscikit-learn\n\tpandas\n\tnumpy\n\targparse\n\tuuid\n\tsqlbuilder\n\tproboscis\n\tpyyaml\u003e=3.12\n\nRunning the check outputs this:\n::\n\n    $ liccheck -s my_strategy.ini -r my_project/required.txt\n    gathering licenses...23 packages and dependencies.\n    check forbidden packages based on licenses...none\n    check authorized packages based on licenses...19 packages.\n    check authorized packages...4 packages.\n    check unknown licenses...none\n\nIf some dependencies are unknown or do not match the strategy, the output will be something like:\n::\n\n    $ liccheck -s my_strategy.ini -r my_project/requirements.txt\n\tgathering licenses...32 packages and dependencies.\n\tcheck forbidden packages based on licenses...1 forbidden packages :\n\t    Unidecode (0.4.21) : GPL ['GNU General Public License v2 or later (GPLv2+)']\n\t      dependency:\n\t          Unidecode \u003c\u003c python-slugify \u003c\u003c yoyo-migrations\n\n\tcheck authorized packages based on licenses...24 packages.\n\tcheck authorized packages...6 packages.\n\tcheck unknown licenses...1 unknown packages :\n\t    feedparser (5.2.1) : UNKNOWN []\n\t      dependency:\n\t          feedparser\n\nConfiguration in ``pyproject.toml`` is also supported, for example:\n::\n\n    [project]\n    dependencies = [\n        \"Flask\u003e=0.12.1\",\n        \"flask_restful\",\n        \"jsonify\",\n        \"psycopg2\u003e=2.7.1\",\n        \"nose\",\n        \"scipy\",\n        \"scikit-learn\",\n        \"pandas\",\n        \"numpy\",\n        \"argparse\",\n        \"uuid\",\n        \"sqlbuilder\",\n        \"proboscis\",\n        \"pyyaml\u003e=3.12\",\n    ]\n\n    [project.optional-dependencies]\n    test = [\n        
\"pytest\u003e=3.6.3\",\n    ]\n\n    [tool.liccheck]\n    authorized_licenses = [\n        \"bsd\",\n        \"new bsd\",\n        \"bsd license\",\n        \"new bsd license\",\n        \"simplified bsd\",\n        \"apache\",\n        \"apache 2.0\",\n        \"apache software license\",\n        \"gnu lgpl\",\n        \"lgpl with exceptions or zpl\",\n        \"isc license\",\n        \"isc license (iscl)\",\n        \"mit\",\n        \"mit license\",\n        \"python software foundation license\",\n        \"zpl 2.1\",\n    ]\n    unauthorized_licenses = [\n        \"gpl v3\",\n    ]\n    # strategy_ini_file = \"./liccheck.ini\"\n    # level = \"STANDARD\"\n    # requirement_txt_file = \"./requirements.txt\" # ignored if dependencies or optional_dependencies are defined\n    # reporting_txt_file = \"path/to/reporting.txt file\" # by default is None\n    # no_deps = false\n    dependencies = true # to load [project.dependencies]\n    optional_dependencies = [\"test\"] # to load extras from [project.optional-dependencies]\n\n    [tool.liccheck.authorized_packages]\n    uuid = \"1.30\"\n\nBy default, exact matching is required between each package's license and one of the licenses in the authorized or unauthorized list.\nYou can also provide regular expressions to match licenses by setting the ``as_regex`` boolean flag. 
For instance, to exclude GPL licenses,\none could define the following configuration in ``pyproject.toml``:\n\n::\n\n    ...\n\n    unauthorized_licenses = [\n        '\\bgpl'\n    ]\n    as_regex = true\n    \n\nUsing liccheck with pre-commit\n==============================\n\nAdd this to your .pre-commit-config.yaml:\n::\n\n    - repo: https://github.com/dhatim/python-license-check\n      rev: master\n      hooks:\n      - id: liccheck\n        language: system\n\nContributing\n============\n\nTo run the tests:\n::\n\n    $ tox -p all\n\nLicensing\n=========\n\n-  See `LICENSE \u003cLICENSE\u003e`__\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdhatim%2Fpython-license-check","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdhatim%2Fpython-license-check","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdhatim%2Fpython-license-check/lists"}