Feluda
🔎 Feluda is a Rust-based command-line tool that analyzes the dependencies of a project, notes down their licenses, and flags any permissions that restrict personal or commercial usage or are incompatible with your project's license.
👋 It's still highly experimental, but fast iterating. Welcoming contributors and support to help bring out this project even better!
Features
- Parse your project to identify dependencies and their licenses.
- Classify licenses into permissive, restrictive, or unknown categories.
- Check license compatibility between dependencies and your project's license.
- Flag dependencies with licenses that may restrict personal or commercial use.
- Flag dependencies with licenses that may be incompatible with your project's license.
- Generate compliance files (NOTICE and THIRD_PARTY_LICENSES) for legal requirements.
- Output results in plain text, JSON or TUI formats. There's also a gist format which is available in strict mode to output a single line only.
- CI/CD support for Github Actions and Jenkins.
- Verbose mode gives an enhanced view of all licenses.
Support Languages
Feluda supports analyzing dependencies across multiple languages simultaneously.
You can also filter the analysis to a specific language using the --language flag.
If your fav language or framework isn't supported, feel free to open an feature request issue! 👋
Installation
Official Distribution 🎉:
Prerequisites
- Rust installed on your system.
If you already had it, make sure it's up-to-date and update if needed. (Optional) Set rust path if not set already.
Install
Community Maintained 🙌:
feluda is available in the Homebrew. You can install it using brew:
feluda is available in the AUR. You can install it using an AUR helper (e.g. paru):
On NetBSD a package is available from the official repositories. To install it, simply run:
Track releases on github releases or via release feed.
Note: This might have experimental features which might not work as intended.
Clone and Build
First, clone the repository:
Then, build the project using Cargo:
Finally, to make feluda available globally, move the binary to a directory in your PATH. For example:
Usage
Feluda provides license analysis by default, with an additional command for generating compliance files. Analyze your project's dependencies and their licenses:
# Basic usage
# Specify a path to your project directory
# Check with specific language
License File Generation
Generate compliance files for legal requirements:
# Interactive file generation
# Generate for specific language and license
# Generate for specific path
Run feluda on a github repo directly
<repository_url>: The URL of the Git repository to clone (e.g., git@github.com:user/repo.git or https://github.com/user/repo.git).
--ssh-key <key_path>: (Optional) Path to a private SSH key for authentication.
--ssh-passphrase <passphrase>: (Optional) Passphrase for the SSH key.
--token <https_token>: (Optional) HTTPS token for authenticating with private repositories.
If you're using Feluda, feel free to grab a Scanned with Feluda badge for your project:
[](https://github.com/anistark/feluda)
License Compliance Files
Feluda can generate essential compliance files required for commercial software distribution and open source projects.
NOTICE File
A NOTICE file is a concise summary document that provides attribution for third-party components:
- Purpose: Quick overview of all third-party components and their licenses
- Content: Organized by license type, lists all dependencies with their versions
- Use Cases:
- Legal compliance documentation
- Quick reference for license audits
- Attribution requirements for many open source licenses
THIRD_PARTY_LICENSES File
A THIRD_PARTY_LICENSES file provides comprehensive license documentation:
- Purpose: Complete legal documentation for all dependencies
- Content: Full license texts, compatibility analysis, package URLs, and copyright information
- Use Cases:
- Commercial software distribution requirements
- Legal compliance for enterprise applications
- Due diligence for acquisitions and audits
- App store submissions (iOS, Android, etc.)
Why These Files Are Important
Legal Protection: Many open source licenses require attribution when redistributing code. These files ensure compliance and protect your organization from legal issues.
Transparency: Shows exactly what third-party code is included in your application, building trust with users and stakeholders.
Commercial Readiness: Essential for commercial software, enterprise deployments, and app store submissions.
Audit Preparation: Makes license audits faster and easier by providing all necessary documentation in standard formats.
Important Legal Notice
⚠️ DISCLAIMER: Feluda is still in early stages. While we're trying to follow through all compliances, users are responsible for:
- Verifying accuracy of all license information
- Ensuring compliance with all applicable license terms
- Consulting legal counsel for license compliance matters
- Checking official repositories for up-to-date license information
Feluda and its contributors disclaim all warranties and are not liable for any legal issues arising from the use of this information. Use at your own risk.
When You Need These Files
- 📱 Mobile app distribution (iOS App Store, Google Play)
- 🏢 Enterprise software deployment
- 💼 Commercial product releases
- 🔍 Legal compliance audits
- 🤝 Open source project attribution
- 📄 Regulatory compliance (GDPR, SOX, etc.)
Output Format
JSON
- Default: Plain text.
- JSON: Use the
--jsonflag for JSON output.
Sample Output for a sample cargo.toml file containing serde and tokio dependencies:
YAML
Use the --yaml flag for YAML output
Sample Output for a sample cargo.toml file containing serde and tokio dependencies:
- name: serde
version: 1.0.151
license: MIT
is_restrictive: false
compatibility: Compatible
- name: tokio
version: 1.0.2
license: MIT
is_restrictive: false
compatibility: Compatible
Gist Mode
For a short summary, in case you don't want all that output covering your screen:
Verbose Mode
For detailed information about each dependency:
License Compatibility
Feluda can check if dependency licenses are compatible with your project's license:
You can also filter for incompatible licenses only:
And fail CI builds if incompatible licenses are found:
Strict Mode
In case you strictly need only the restrictive dependencies:
Terminal User Interface (TUI) Mode
We've an awesome ✨ TUI mode available to browse through the dependencies in a visually appealing way as well:
CI/CD Integration
Feluda provides several options for CI integration:
--ci-format <github|jenkins>: Generate output compatible with the specified CI system--fail-on-restrictive: Make the CI build fail when restrictive licenses are found--fail-on-incompatible: Make the CI build fail when incompatible licenses are found--output-file <path>: Write the output to a file instead of stdout
Feluda can be easily integrated into your CI/CD pipelines with built-in support for GitHub Actions and Jenkins.
GitHub Actions
To use Feluda with GitHub Actions, create a .github/workflows/feluda.yml file with the following content:
name: License Check
on:
push:
branches:
pull_request:
branches:
jobs:
check-licenses:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Install Rust
uses: actions-rs/toolchain@v1
with:
profile: minimal
toolchain: stable
override: true
- name: Install Feluda
run: cargo install feluda
- name: Check licenses
run: feluda --ci-format github --fail-on-restrictive --fail-on-incompatible
- name: Generate compliance files
run: |
echo "1" | feluda generate # Auto-select NOTICE file
echo "2" | feluda generate # Auto-select THIRD_PARTY_LICENSES file
- name: Upload compliance artifacts
uses: actions/upload-artifact@v3
with:
name: license-compliance
path: |
NOTICE
THIRD_PARTY_LICENSES.md
Checkout contributing guidelines if you are looking to contribute to this project.
Currently, using choosealicense license directory for source of truth.
Configuration (Optional)
Feluda allows you to customize which licenses are considered restrictive through configuration. This can be done in three ways, listed in order of precedence (highest to lowest):
- Environment variables
.feluda.tomlconfiguration file- Default values
Default Restrictive Licenses
By default, Feluda considers the following licenses as restrictive:
- GPL-3.0
- AGPL-3.0
- LGPL-3.0
- MPL-2.0
- SEE LICENSE IN LICENSE
- CC-BY-SA-4.0
- EPL-2.0
Configuration File
Create a .feluda.toml file in your project root to override the default restrictive licenses:
[]
# Override the default list of restrictive licenses
= [
"GPL-3.0", # GNU General Public License v3.0
"AGPL-3.0", # GNU Affero General Public License v3.0
"Custom-1.0", # Your custom license identifier
]
Environment Variables
You can also override the configuration using environment variables:
# Override restrictive licenses list
The environment variables take precedence over both the configuration file and default values.
License
Feluda is licensed under the MIT License.
Happy coding with Feluda! 🚀