license-auditor v1.0.8

License: ISC
Last release: 4 years ago

License Auditor

License Auditor helps you track and validate the licenses of the dependencies inside your project, so that unwanted legal complications are caught before they are merged. License Auditor runs as a step in your pipeline and creates notifications about potential problems with the licenses in use. At the moment, a notification is a comment on the merge request.

Getting started

To start using License Auditor, copy index.js to the root folder of your project. You can find more information about Danger.js here.

The next step is to copy the .license directory with its licenses.js, blacklist.js and whitelist.js files. The first contains the full list of all acknowledged, deprecated and exceptional software licenses currently in use. To whitelist or blacklist a license, copy the selected entries from that main file into whitelist.js or blacklist.js.

Whitelisting stops License Auditor from holding back the merge process or displaying any notifications for the whitelisted licenses. Blacklisting causes the job to fail if a blacklisted license is found, which prevents the developer from merging unwanted dependencies into the destination branch. Any license that is found during a merge request but is included in neither blacklist.js nor whitelist.js becomes a warning, which the developer should consider during the merge process.

Then you have to include License Auditor in your GitHub or GitLab pipeline. The basic structure of a Gitlab pipeline step should look like this:

check_foo_licenses:
  stage: CheckFooLicenses
  image: node:alpine
  script:
    - yarn add -D danger license-checker
    - yarn danger ci --failOnErrors --id Foo
  variables:
    DANGER_GITLAB_API_TOKEN: $GITLAB_ACCESS_TOKEN
    PROJECT_PATH: $PATH_TO_FOO_PACKAGE # it could look like: ./packages/web or ./server
  only:
    - merge_requests

and the basic structure for Github Actions:

  - name: CheckBarLicenses
    run: |
      yarn add -D danger license-checker
      yarn danger ci --failOnErrors --verbose --id Bar
    env:
      DANGER_GITHUB_API_TOKEN: ${{ secrets.GITHUB_ACCESS_TOKEN }}
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      PROJECT_PATH: $PATH_TO_BAR_PACKAGE # it could look like: ./packages/web or ./server

You can find more examples in this folder.

For License Auditor to work, all project dependencies have to be installed before the CheckLicenses step runs. License Auditor iterates through node_modules and retrieves the license information from each package's package.json.

To allow automatic posting of comments on MRs, you need to create either a Gitlab Access Token or a Github Access Token in the profile that is going to post the comments. Then set an environment variable named DANGER_GITLAB_API_TOKEN or DANGER_GITHUB_API_TOKEN whose value is the acquired token. The access token needs the ability to use the Github/Gitlab API and to write discussions on MRs; grant it no more than that.

Gitlab: [screenshot: Gitlab Access Token]

Github: [screenshot: Github Access Token]

In the provided examples, new Gitlab and Github accounts were created to act as a "bot" that posts MR comments based on the license information. Both of them were named HAL9002.

The comments should look similar to:

for Gitlab: [screenshot: Gitlab Comment Warn]

for Github: [screenshot: Gitlab Comment Error]

You can find more information about Github and Gitlab configuration here.

Versions: 1.0.8, 1.0.7, 1.0.6, 1.0.5, 1.0.4, 1.0.3, 1.0.2, 1.0.1, 1.0.0 (all published 4 years ago)