NewCurrent release: licence_audit 0.7.0Release notes

Gleam supply-chain auditing

Keep your Gleam dependencies honest.

licence_audit reports the licences, generates a CycloneDX SBOM, and checks for known vulnerabilities across your locked Hex dependencies — one small CLI you can run locally or in CI.

Terminal window
mise use -g "github:tylerbutler/licence_audit@latest[asset_pattern=licence_audit,bin=licence_audit]"
  • Gleam-native
  • CycloneDX 1.6
  • OSV.dev
  • Apache-2.0
licence_audit — check
$ licence_audit check
 PackageVersionLicencesStatusgleam_stdlib0.60.0Apache-2.0 allowed├─gleam_json3.1.0Apache-2.0 allowed├─gleam_http4.3.0Apache-2.0 allowed├─simplifile2.4.0MIT allowed├─argv1.1.0Apache-2.0 allowed├─cowsay_gpl1.2.0GPL-3.0-only denied├─tls_native0.5.0(none)? unknown└─local_helper· skipped  Policy check failed — denied dependency in tree.   1 denied · 1 unknown · 1 skipped · 5 allowed# licence_audit check exited 1

A real check run — it catches a denial, an unknown, and a skipped path dep.

Inspect, capture a policy, enforce.

Three commands, meant to be adopted in order: inspect what you have, capture a policy when you're ready, then enforce it in CI.

  1. 01

    Inspect

    Run it with no arguments to see every licence in your resolved tree. The bare command only reports — it never fails.

    Terminal window
    gleam deps download
    licence_audit
  2. 02

    Capture a policy

    Review the discovered licences interactively and write a [tools.licence_audit] policy straight into gleam.toml — comments preserved.

    Terminal window
    licence_audit update
  3. 03

    Enforce

    Fail the build on any violation. Add --vulns to also fail on advisories at or above a severity you choose.

    Terminal window
    licence_audit check --vulns

Three checks, one pass over your tree.

licence_audit reads your locked dependencies once and answers three questions about them, as plain terminal output you can read in a log.

licences

Licence policy

Fetches licence metadata from Hex for every locked package and holds it against your allow / deny policy. An allow-list means only those licences pass; a deny-list rejects matches.

gleam.toml
[tools.licence_audit]
allow = ["Apache-2.0", "ISC", "MIT"]
deny = ["AGPL-3.0", "GPL-3.0-only"]
sbom

CycloneDX SBOM

Emit a CycloneDX 1.6 document — package URLs, SHA-256 hashes, declared licences, external references, and the full dependency graph. Pass --reproducible for byte-stable output you can commit and diff.

sbom.json
{
"bom-ref": "pkg:hex/gleam_stdlib@0.60.0",
"type": "library",
"name": "gleam_stdlib",
"version": "0.60.0",
"purl": "pkg:hex/gleam_stdlib@0.60.0",
"licenses": [
{ "license": { "id": "Apache-2.0", "acknowledgement": "declared" } }
],
"hashes": [{ "alg": "SHA-256", "content": "3e2c…9f" }]
}
vulns

Known vulnerabilities

Query OSV.dev for advisories across your Hex and GitHub dependencies. Report them, or gate CI with --vuln-severity — unknown-severity advisories are shown but never fail the build.

Terminal window
$ licence_audit vulns
✗ tls_native 0.5.0
└─ GHSA-7f4c-9m2q-x8vp high DoS via malformed handshake
· legacy_helper skipped (path dep)
16 checked · 1 affected · 15 clean

Built to be trusted in CI.

licence_audit is a single binary with predictable exit codes and reproducible output. It runs quietly in a pipeline and reports only when a check fails.

.github/workflows/licence-audit.yml
name: licence audit
on: [pull_request]
jobs:
audit:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: tylerbutler/actions/setup-gleam@v1
- uses: tylerbutler/actions/setup-licence-audit@v1
- run: licence_audit check
  • Dependency-free binary

    Queso-built executables bundle the Erlang runtime — nothing to install on the target machine, including CI runners.

  • Honest exit codes

    0 success · 1 policy failure · 2 input error · 130 cancelled. Nothing surprising in a pipeline.

  • Reproducible SBOMs

    --reproducible makes the serial number a content hash and the timestamp SOURCE_DATE_EPOCH, so diffs catch real drift.

  • Gleam-native

    Reads manifest.toml and gleam.toml directly. Non-Hex deps are skipped and named, never silently dropped.

Get started.

Install a prebuilt binary, then point it at any Gleam project with a resolved dependency tree.

Install with mise

Terminal window
mise use -g "github:tylerbutler/licence_audit@latest[asset_pattern=licence_audit,bin=licence_audit]"

Prefer a plain download? Grab a self-contained archive from thereleases page and putlicence_audit on your PATH. Building from source is covered in DEV.md.

The typical run

bash
# 1. resolve deps so manifest.toml exists
gleam deps download
# 2. see every licence in your tree (reports only)
licence_audit
# 3. capture a policy, then enforce it
licence_audit update
licence_audit check