Most teams never check the license of every package they depend on, including the indirect ones pulled in underneath. That is a real risk. Some licenses, like GPL or AGPL, can legally require you to open-source your own product if you use them a certain way.
I built Open License Auditor to catch this automatically. It is a GitHub Action that maps every dependency in your repo, direct and indirect, and flags any open source license that could be a problem.
Get it on GitHub Marketplace · Source on GitHub
What it does
It scans npm, Yarn, pnpm, pip, Poetry, uv, Cargo, Go modules, Maven, Gradle, RubyGems, Composer, and NuGet automatically, no configuration required to get started. On every pull request, it posts one comment: a direct list of anything risky, plus a full dependency map you can expand if you want to see everything. If nothing is wrong, it just says so.
What ok, warning, and critical mean
| Bucket | Meaning |
|---|---|
| ok | a permissive license. Safe to use without extra review in almost all cases. |
| warning | a weak copyleft license, or one it could not confidently identify. Worth a second look. |
| critical | a strong copyleft license. Using it can require you to open source your own code. |
Unknown or unidentified licenses default to warning, not ok, on purpose. The "unknown" should never be treated as safe. A few examples from the default table: MIT, Apache-2.0, and BSD are ok; LGPL and MPL are warning; GPL, AGPL, and SSPL are critical. The full table is configurable.
Example workflow
Save this as .github/workflows/license-audit.yml:
name: License Audit
on: pull_request
permissions:
pull-requests: write
contents: read
jobs:
audit:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: yanovian/open-license-auditor@v1
with:
config-path: .github/license-audit.yml
severity-filter: both
fail-on: critical
comment-on-pr: true
github-token: ${{ secrets.GITHUB_TOKEN }}
That's it. Open a pull request and it runs automatically.
Main inputs
| Input | Default | Description |
|---|---|---|
config-path | .github/license-audit.yml | where to find your config file; missing is fine |
severity-filter | both | what the PR comment shows: critical, warning, both, or none |
fail-on | critical | what makes the Action exit non-zero: critical, warning, or none |
comment-on-pr | true | whether to post a PR comment at all |
comment-only-on-problems | false | if true, skip commenting entirely when nothing is wrong |
update-existing-comment | true | edit the previous comment instead of posting a new one each run |
github-token | ${{ github.token }} | token used to read the PR and post the comment |
cache | true | cache license lookups across runs, so repeat runs are faster |
You can change which licenses count as ok, warning, or critical by copying the example config into .github/license-audit.yml and editing it.
Permissions and tokens
You do not need to create a token yourself. The default GITHUB_TOKEN is enough, as long as your workflow grants pull-requests: write, as in the example above. Without it, the Action still audits your dependencies and can fail the check, it just cannot post the comment.
One limitation: if a pull request comes from a fork, GitHub gives the default token read-only access no matter what your workflow requests, so the comment will not post. That is a GitHub security restriction, not something this Action can work around. Switching the trigger to pull_request_target fixes it, but that trigger runs with your base repository's permissions even for untrusted forks, so only do it if your workflow does not check out or run code from the fork.
This is an automated check, not a legal opinion. License detection can be wrong, and a license can change between versions of a package. Use it as a starting point.
PS: OlAudit is now deprecated in favor of this new one.
