Git.legal scans the libraries used by your project and flags potential compliance and compatibility issues, optionally based on policies that you configure.
The community edition of Git.legal currently supports dependency analysis of:
- Ruby libraries (via a
Gemfile,Gemfile.lock, or.gemspec); - JS libraries (via npm's
package.json, oryarn.lock); - Python libraries (via
requirements.txt); and - PHP libraries (via
composer.json)
-
This version of Git.legal is designed to run through CodeClimate -- please visit https://codeclimate.com/ to get started.
-
Once you have your project setup for analysis through CodeClimate, add the following to the
enginessection of your.codeclimate.ymlfile:
git-legal:
enabled: true
- Run an analysis on CodeClimate!
You can add a configurations section to your .codeclimate.yml to set which types of licenses you wish to allow and
disallow for your project. For instance, the example below (which is the default setting), is a typical policy to only
exclude "strong copyleft" and Affero licenses (permissive and weak copyleft are permitted):
git-legal:
enabled: true
config:
# eg. Affero GPL
allow_affero_copyleft: false
# eg. GPL
allow_strong_copyleft: false
If you subscribe to Git.legal Pro, further configuration options are available to you to customize the policy to your exact business needs - see below!
Subscribe to a Pro account (and include your license file in your project root directory) in order to:
- Customize your configuration to exactly align to your company's license policy; and
- View detailed information on each library and license, including viewing the actual license for a library and seeing a word-by-word diff to the standard license.
git-legal:
enabled: true
config:
# eg. LGPL, MPL
allow_weak_copyleft: false
# eg. MIT, BSD - you'll generally only want to set this to false if you want to explicitly approve ALL libraries
allow_permissive: true
# licenses to permit (overriding the above general policies); standard license names and abbreviations (with or
# without version numbers) are all recognized
license_whitelist: []
# licenses to blacklist (overriding the above general policies)
license_blacklist: []
# by default, libraries not found in standard library repositories (rubygems.org, npm, etc) are permitted
# (as they're likely your own works), but you may wish to play it safe and explicitly approve these
allow_unknown_libraries: true
You can create the docker image with: make image
Once built, run the test suite from outside the docker container (end-to-end tests use the container you've just built): rspec
This project is available as open source under the terms of the GNU Affero General Public License 3.0, or by explicit permission of the author.