license-auditor v1.0.8
License Auditor
License Auditor helps you track and validate the licenses of the dependencies inside your project and prevents unwanted legal complications. License Auditor adds a step to your pipeline and creates notifications about potential problems with the licenses in use. At the moment, a notification means a comment.
Getting started
To start using License Auditor, copy index.js to the root folder of your project. You can find more information about Danger.js here.
The next step is to copy the .license directory with the licenses.js, blacklist.js and whitelist.js files. The first one contains the full list of all acknowledged, deprecated and exceptional software licenses currently in use. To whitelist or blacklist a license, copy the selected entries from the main file into whitelist.js or blacklist.js.
Whitelisting stops License Auditor from holding back the merge process or displaying any notifications for the whitelisted licenses. Blacklisting causes the job to fail if a blacklisted license is found, which prevents the developer from merging unwanted dependencies into the destination branch. Any license that is included in neither blacklist.js nor whitelist.js, but is found during a merge request, becomes a warning that the developer should consider during the merge process.
Then you have to include License Auditor in your GitHub or GitLab pipeline. The basic structure of a GitLab pipeline step should look like this:
check_foo_licenses:
  stage: CheckFooLicenses
  image: node:alpine
  script:
    - yarn add -D danger license-checker
    - yarn danger ci --failOnErrors --id Foo
  variables:
    DANGER_GITLAB_API_TOKEN: $GITLAB_ACCESS_TOKEN
    PROJECT_PATH: $PATH_TO_FOO_PACKAGE # it could look like: ./packages/web or ./server
  only:
    - merge_requests
and the basic structure for GitHub Actions:
- name: CheckBarLicenses
  run: |
    yarn add -D danger license-checker
    yarn danger ci --failOnErrors --verbose --id Bar
  env:
    DANGER_GITHUB_API_TOKEN: ${{ secrets.GITHUB_ACCESS_TOKEN }}
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    PROJECT_PATH: $PATH_TO_BAR_PACKAGE # it could look like: ./packages/web or ./server
You can find more examples in this folder.
For License Auditor to work, all project dependencies have to be installed before the CheckLicenses step runs. License Auditor iterates through node_modules and retrieves the license information from each installed package.
To allow automatic comment posting on MRs, you need to create either a GitLab Access Token or a GitHub Access Token for the profile that is going to post comments under MRs. Then you need to specify an environment variable with the key DANGER_GITLAB_API_TOKEN or DANGER_GITHUB_API_TOKEN and the acquired token as its value. The Access Token needs permission to use the GitHub/GitLab API and to write discussions on MRs.
GitLab: [image]
GitHub: [image]
In the provided examples, new GitLab and GitHub accounts were created to act as a "bot" that posted MR comments based on the license information. Both of them were named HAL9002.
The comments should look similar to:
for GitLab: [image]
for GitHub: [image]
You can find more information about GitHub and GitLab configuration here.