Licensure

Licensure is a RubyGem CLI tool that inspects dependency licenses from Gemfile.lock and checks them against a configurable allow list.

Install as a gem:

gem install licensure

Or add it to your Gemfile:

gem "licensure"

Initialize config:

licensure init

List dependency licenses:

licensure list

Check licenses against .licensure.yml:

licensure check

Licensure uses .licensure.yml:

allowed_licenses:
  - MIT
  - Apache-2.0
  - BSD-2-Clause
  - BSD-3-Clause
  - ISC
  - Ruby

ignored_gems:
  - bundler
  - rake

deny_unknown: true

• allowed_licenses: Allowed license identifiers. Empty means allow all. For gems with multiple licenses, all reported licenses must be included.
• ignored_gems: Gem names excluded from checks.
• deny_unknown: Treat gems without license metadata as warnings.

When a gem reports non-SPDX license text and its source_code_uri or homepage points to GitHub, Licensure queries the GitHub repository license API and normalizes matched labels to spdx_id (for example, Apache License, Version 2.0 -> Apache-2.0). Set GITHUB_TOKEN in CI to reduce API rate-limit risk.

licensure list [--format table|csv|json|markdown] [--recursive] [--output FILE] [--gemfile-lock PATH]
licensure check [--config FILE] [--recursive] [--format table|csv|json|markdown] [--gemfile-lock PATH]
licensure init
licensure version
licensure help [command]

list and check support:

• table
• csv
• json
• markdown

Example:

licensure list --format json
licensure check --format markdown

name: License Check
on: [push, pull_request]
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ruby/setup-ruby@v1
        with:
          ruby-version: "3.3"
          bundler-cache: true
      - run: gem install licensure
      - run: licensure check

bundle install
bundle exec rake spec

Released under the MIT License. See LICENSE.txt.