Automic VaultAutomic Vault

brew

Install licensefinder with Homebrew, Nix

Find licenses for your project's dependencies. Version 7.2.1 via Homebrew; verified 2026-06-22.

install

Additional install commands

macOS

Homebrewverified · 100%
brew install licensefinder

local Homebrew formula metadata

Linux

Nixverified · 92%
nix profile install nixpkgs#license_finder

nixpkgs package indexes · pkgs/by-name/li/license_finder/package.nix · source: api.github.com

overview

Package summary

Find licenses for your project's dependencies

Commands and aliases

  • license_finder

history

Project history and usage

LicenseFinder is Pivotal's long-running Ruby CLI for finding dependency licenses, comparing them with approved policies, and reporting unapproved packages. It covers many project types by calling their native package managers rather than treating license scanning as a single-language problem.

Project history

The public repository was created on 2011-01-17. The README describes a tool that works with package managers to find dependencies, detect licenses, compare them with permitted licenses, and produce actionable exception reports.

The changelog records a broadening scope over time: support for Ruby, Node, Python, Java, Go, CocoaPods, Swift Package Manager, Rust Cargo, PHP Composer, Conda, Flutter, and other ecosystems appears across releases. Release 7.0.0 in 2022 added Ruby 3 support, Flutter scanning, and SPDX identifier reporting.

Adoption history

LicenseFinder spread through CLI, RubyGems, Homebrew, Docker, and pre-commit workflows. Its Docker image bundles package managers so CI jobs can scan mixed-language repositories without installing every ecosystem tool on the host.

How it is used

Users run license_finder after installing project dependencies. The tool records approvals and permitted licenses, exits non-zero for unapproved dependencies, and can run in CI to catch new dependency-license work items.

Why package nerds care

LicenseFinder is important to package people because it exposes the practical mess of license metadata: every package manager has different files, commands, and metadata conventions, so the tool's value is in its adapters and decision record as much as in license detection.

Timeline

  • 2011-01-17: GitHub repository created.
  • 2021-06-25: v6.14.1 changelog entry includes a command-injection fix for CocoaPods projects.
  • 2022-03-04: v7.0.0 adds Ruby 3 support, Flutter scanning, and SPDX identifier reporting.
  • 2022-11-28: v7.1.0 adds a pre-commit hook.
  • 2024-05-07: v7.2.0 adds Ruby 3.3 support and several package-manager compatibility updates.

Related projects

  • Related projects include package-manager license commands, SPDX identifiers, pre-commit, and license-policy tools such as Licensed.

security posture

Risk level: green

narrow executable package without higher-risk signals.

Risk classifier

green risk · low confidence · appliance

Why

  • narrow executable package without higher-risk signals

Signals

  • metadata:no-higher-risk-signals

Install behavior

  • No Homebrew post-install hook is recorded in formula metadata.
  • Homebrew bottle metadata is available for 6 platform targets.
  • Installs with 1 runtime dependencies.

Recommended review

Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.

local files

Configuration and credential file locations

These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.

Configuration files

Config paths the tool may read or write during local use.

Unix
config/license_finder.ymldoc/dependency_decisions.yml

executables

Installed executables

CommandKindExposureNote
license_findercliglobal executable

freshness

Version and freshness

These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.

page generated2026-07-08
manager version7.2.1
manager updated2026-06-22
local dataok
upstreamnot checked
latest detectednot detected

https://github.com/pivotal/LicenseFinder

install metadata

Package metadata

Package keybrew:licensefinder
Version7.2.1
Package managerHomebrew
Package manager pagehttps://formulae.brew.sh/formula/licensefinder
Homepagehttps://github.com/pivotal/LicenseFinder
Repositoryhttps://github.com/pivotal/LicenseFinder
Upstream docshttps://github.com/pivotal/LicenseFinder#readme
LicenseMIT
Source archivehttps://github.com/pivotal/LicenseFinder.git
Last updated2026-06-22T14:05:10-07:00
Pulseupdated
Dependenciesruby
Bottleavailable (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux)
Homebrew post-installnot defined
Servicenone declared

registry facts

Source database details

Source DatabaseHomebrew formula API
Taphomebrew/core
Full Namelicensefinder
Version Scheme0
Revision1
Bottle Stable Root URLhttps://ghcr.io/v2/homebrew/core
Deprecatedno
Disabledno
Keg Onlyno
URL Keys
  • stable

source database matches

Other package-manager records

Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.

Nix92%

license_finder

nix profile install nixpkgs#license_finder
  • installed executable or alias match
  • Matched by: License Finder
nixpkgs package indexes · api.github.com · nixpkgs package indexes: pkgs/by-name/li/license_finder/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1

source trail

Generated from repository data

This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.

Used sources

  • Geiger risk classifier
  • Nucleus package database
  • av.db category and tag curation
  • cross-ecosystem install command graph
  • curated configuration and credential file locations
  • curated package history
  • external package-manager database matches
  • package relationship graph
  • package version freshness
  • package-page enrichment