A standalone CLI that scans Go, Node, PHP, Python, Ruby, Rust and Java projects for license risk, generates CycloneDX and SPDX SBOMs, and ships an EU CRA-compliant PDF report in one command.
licscan scan . — that's it.
$ brew install codelake-dev/tap/licscan

Most license scanners are SaaS dashboards that need a login, hit network APIs and cost per scan. licscan ships as a single binary, reads your local package caches and produces output you can pipe straight into your CI.
No backend connection, no telemetry, no phone-home. Reads from go.mod, node_modules, vendor/ and friends — exactly what's on your disk.
Same inputs, same outputs, every time. No LLM, no flakiness, no surprise CVE feed. Reproducible from a CI cache.
Open source. Fork it, ship it inside your product, run it offline behind your firewall. No vendor lock-in, no contract.
The only OSS scanner that emits an EU Cyber Resilience Act-compliant PDF + SBOM out-of-the-box. --cra, done.
Every detector walks the real manifests and lockfiles your project ships with — not just package.json, but package-lock.json v1, v2 and v3. Lockfile-first means actual versions, actual licenses, no resolver guesswork.
Every license gets one of five risk labels based on its SPDX identifier. Configure which levels are deny, warn or allow_exceptions in a single .licscan.yml.

# Project license policy
deny:
  - GPL-3.0-or-later
  - AGPL-3.0-or-later
  - SSPL-1.0
  - BUSL-1.1
warn:
  - LGPL-3.0-or-later
  - MPL-2.0
  - EPL-2.0
allow_exceptions:
  - name: "github.com/foo/legacy-lib"
    license: "GPL-2.0"
    reason: "vendored, isolated by ADR-019"
manufacturer: "Acme GmbH"
product: "acme-api"
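To make the policy semantics concrete, here is an added example (not licscan's own code) of how a policy like the one above turns a lockfile walk into per-dependency verdicts and a CI exit code. The policy dict, the dependency list and the function names are constructed for this illustration; a real run would parse .licscan.yml with a YAML library.

```python
"""Evaluate a dependency list against a .licscan.yml-style policy (illustrative)."""

# Parsed form of the policy shown above (constructed for this example).
POLICY = {
    "deny": ["GPL-3.0-or-later", "AGPL-3.0-or-later", "SSPL-1.0", "BUSL-1.1"],
    "warn": ["LGPL-3.0-or-later", "MPL-2.0", "EPL-2.0"],
    "allow_exceptions": [
        {"name": "github.com/foo/legacy-lib", "license": "GPL-2.0",
         "reason": "vendored, isolated by ADR-019"},
    ],
}

# Constructed sample of what a lockfile walk would yield: (package, SPDX id).
DEPENDENCIES = [
    ("github.com/foo/legacy-lib", "GPL-2.0"),
    ("github.com/bar/copyleft", "GPL-3.0-or-later"),
    ("github.com/baz/weak", "MPL-2.0"),
    ("github.com/qux/permissive", "MIT"),
]


def verdict(name, license_id, policy):
    """Return (level, reason) for one dependency."""
    # An exception is keyed on package AND license, so a package that later
    # changes its license does not silently inherit the old waiver.
    for exc in policy.get("allow_exceptions", []):
        if exc["name"] == name and exc["license"] == license_id:
            return "allow", exc["reason"]
    if license_id in policy.get("deny", []):
        return "deny", "listed under deny"
    if license_id in policy.get("warn", []):
        return "warn", "listed under warn"
    return "allow", "not restricted by policy"


def evaluate(deps, policy):
    """Verdict rows: (name, license, level, reason) for every dependency."""
    return [(n, lic, *verdict(n, lic, policy)) for n, lic in deps]


def exit_code(rows):
    """Gate semantics: any deny fails the build; warns only get reported."""
    return 1 if any(level == "deny" for _, _, level, _ in rows) else 0


if __name__ == "__main__":
    rows = evaluate(DEPENDENCIES, POLICY)
    for name, lic, level, why in rows:
        print(f"{level:5} {name:28} {lic:18} {why}")
    raise SystemExit(exit_code(rows))
```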
One scan, seven outputs. Same data, every format. Pick what you need — the CI gate, the PR comment, the security review, the auditor PDF.
The default. Colorised, sortable summary. Perfect for local runs and CI logs.
Strict schema. Pipe into jq, store in object storage, diff against last week.
Dark-theme, XSS-safe, single file. Drop on S3 for the security team to read.
GitHub-flavoured, PR-comment-ready, auto-collapses past 30 dependencies. Verdict column.
Industry-standard SBOM with canonical PURLs per dependency. ECMA-404 JSON.
The other industry SBOM standard. Mandated by NTIA, US-EO 14028 and procurement.
PDF report + CRA-extended CycloneDX JSON, with manufacturer and product metadata. Auditor-grade.
License delta between two commits. licscan diff HEAD~1 HEAD. Lands Q4 2026.
The CRA hits in 2027. Every vendor of digital products in the EU needs to ship a software bill of materials with their releases, mapped to a manufacturer and a product. Most license scanners can't do that.
licscan emits an auditor-grade PDF and a CRA-extended CycloneDX JSON in one command — with manufacturer metadata, product metadata, scan timestamp and policy verdict already baked in.
The official GitHub Action runs licscan against your repo on every pull request, comments the verdict inline, fails the build on a deny, and uploads the SBOM artefact. No JS runtime, just YAML and shell.
codelake-dev/licscan-action →

name: License compliance
on:
  pull_request:
  push:
    branches: [main]
jobs:
  licscan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: codelake-dev/licscan-action@v1
        with:
          path: .
          format: markdown
          fail-on-violation: true
          pr-comment: true
          cra: true
          upload-artifact: true
# ✓ deny → fail · warn → comment · cra → SBOM uploaded
One binary. Seven package managers. Seven output formats. Apache 2.0, no account, no telemetry.