Scan your entire dependency tree, classify licenses using SPDX standards, and enforce your policy, before a license becomes a legal problem.
From a quick local check to a full CI enforcement pipeline.
Drop license-checkr into any project. It automatically detects your ecosystem from manifest files and starts scanning; no setup required.
Missing license data? Use --online to fetch it in parallel from crates.io, PyPI, Maven Central, and npm. Batched for speed.
Define pass, warn, and error rules per SPDX identifier in a simple TOML file. Sensible defaults are built in.
Normalizes 20+ common strings to SPDX identifiers. Parses compound expressions like (Apache-2.0 OR MIT) AND BSD-3-Clause with correct precedence: AND binds tighter than OR, and parentheses override.
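How that precedence rule plays out when an expression is evaluated against a pass/warn/error policy, as an added Rust example that is not license-checkr's own code; the policy table and the Verdict, Policy and evaluate names are assumptions for illustration.

```rust
use std::collections::HashMap;
/// One licence's verdict under the policy; derived ordering ranks Pass < Warn < Error.
#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub enum Verdict { Pass, Warn, Error }
pub type Policy = HashMap<&'static str, Verdict>;
/// Constructed policy for illustration (assumption, not a real license-checkr config).
pub fn example_policy() -> Policy {
    HashMap::from([("MIT", Verdict::Pass), ("Apache-2.0", Verdict::Pass), ("BSD-3-Clause", Verdict::Pass),
        ("LGPL-2.1", Verdict::Warn), ("MPL-2.0", Verdict::Warn), ("GPL-3.0", Verdict::Error)])
}
/// Recursive-descent parser for: expr := term ("OR" term)* ; term := atom ("AND" atom)*
/// AND therefore binds tighter than OR, and parentheses recurse back into expr.
struct Parser<'a> { toks: Vec<&'a str>, pos: usize, policy: &'a Policy }
impl<'a> Parser<'a> {
    fn peek(&self) -> Option<&'a str> { self.toks.get(self.pos).copied() }
    fn next(&mut self) -> Option<&'a str> { let t = self.peek(); self.pos += 1; t }
    // OR offers a choice of licence, so the best (lowest) verdict is achievable.
    fn expr(&mut self) -> Result<Verdict, String> {
        let mut v = self.term()?;
        while self.peek() == Some("OR") { self.next(); v = v.min(self.term()?); }
        Ok(v)
    }
    // AND means every licence applies, so the worst (highest) verdict wins.
    fn term(&mut self) -> Result<Verdict, String> {
        let mut v = self.atom()?;
        while self.peek() == Some("AND") { self.next(); v = v.max(self.atom()?); }
        Ok(v)
    }
    fn atom(&mut self) -> Result<Verdict, String> {
        match self.next() {
            Some("(") => {
                let v = self.expr()?;
                if self.next() != Some(")") { return Err("missing ')'".into()); }
                Ok(v)
            }
            // An identifier absent from the policy is Unknown and treated as an error.
            Some(id) => Ok(*self.policy.get(id).unwrap_or(&Verdict::Error)),
            None => Err("unexpected end of expression".into()),
        }
    }
}
/// Tokenise (parentheses become their own tokens), evaluate, and reject trailing input.
pub fn evaluate(expr: &str, policy: &Policy) -> Result<Verdict, String> {
    let spaced = expr.replace('(', " ( ").replace(')', " ) ");
    let mut p = Parser { toks: spaced.split_whitespace().collect(), pos: 0, policy };
    let v = p.expr()?;
    if p.pos != p.toks.len() { return Err(format!("trailing token {:?}", p.toks[p.pos])); }
    Ok(v)
}
```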
Colored terminal table for local development, structured JSON for pipelines, a polished multi-page PDF for your legal team, or a GitLab Code Quality artifact that surfaces violations inline on every Merge Request.
Use --report gitlab to emit a Code Quality JSON artifact. Violations appear as inline annotations on Merge Requests; no extra tooling required.
Use --recursive to scan every sub-project in a monorepo in one pass. Each project is scanned independently with its own policy; the PDF includes per-project sections.
Run license-checkr mcp serve to expose the scanner as an MCP tool. AI agents like Claude Desktop can audit projects and look up package licenses directly.
One command gives you a complete picture of your license exposure.
Every dependency is classified into one of five risk levels.
| Risk level | What it means | Examples |
|---|---|---|
| Permissive | Minimal restrictions; use freely in any project, commercial or otherwise. | MIT, Apache-2.0, BSD-3-Clause, ISC, Unlicense, CC0-1.0 |
| Weak Copyleft | Share-alike applies only to modifications of the library itself. | LGPL-2.1, LGPL-3.0, MPL-2.0, EPL-2.0, CDDL-1.0 |
| Strong Copyleft | Your project may need to be released as open source if you use this. | GPL-2.0, GPL-3.0, AGPL-3.0, EUPL-1.1 |
| Proprietary | Source is closed; a commercial agreement is required for use. | "proprietary", "commercial", "All rights reserved" |
| Unknown | License could not be determined. Use --online to try to resolve it. | Missing, empty, or unrecognized strings |
A single static binary with no runtime dependencies. Install globally or drop into your CI environment.
cargo install --git https://github.com/QuentinRob/license-checkr
Run at the root of any project. Ecosystems are detected automatically. Add --online to resolve missing licenses.
license-checkr --online
Plug into your CI pipeline. Exits 1 on policy violations, blocking merges before problematic licenses sneak in.
license-checkr -q
Use --report gitlab to produce a GitLab Code Quality JSON artifact. Upload it as a CI artifact and violations appear as inline annotations on every Merge Request; no extra tools or plugins required.
The artifact carries error policy verdicts and warn policy verdicts; pass dependencies are silently omitted. Add --recursive for monorepo workspaces.

The accompanying GitLab CI job:

```yaml
license-check:
  stage: test
  image: rust:latest
  script:
    - cargo install --git https://github.com/QuentinRob/license-checkr
    - license-checkr --report gitlab > gl-code-quality-report.json
  artifacts:
    reports:
      codequality: gl-code-quality-report.json
```
```json
[
  {
    "description": "Dependency 'some-gpl-lib@2.1.0' uses license 'GPL-3.0' - verdict: error",
    "check_name": "license-checkr/license-error",
    "severity": "blocker",
    "location": {
      "path": "Cargo.lock",
      "lines": { "begin": 1 }
    }
  }
]
```
Start license-checkr mcp serve and connect it to any MCP-compatible AI agent. Claude Desktop, Cursor, and other tools can then audit your projects and look up package licenses on demand.
Two tools are exposed over stdio JSON-RPC; no extra config needed.
```json
{
  "mcpServers": {
    "license-checkr": {
      "command": "license-checkr",
      "args": ["mcp", "serve"]
    }
  }
}
```