PermitCheck supports two configuration formats: YAML and TOML.
PermitCheck looks for configuration in the following locations (in order):
1. permitcheck.yaml
2. .permitcheck.yaml
3. permitcheck.yml
4. pyproject.toml (in [licenses] section)
Create a permitcheck.yaml in your project root:
allowed_licenses:
- MIT
- Apache-2.0
- BSD-3-Clause
- ISC
- BSD-2-Clause
trigger_error_licenses:
- GPL-3.0
- GPL-2.0
- AGPL-3.0
- Proprietary
- Unknown
skip_libraries:
- my-internal-package
- legacy-dependency

Add to your pyproject.toml:
[licenses]
allowed = [
"MIT",
"Apache-2.0",
"BSD-3-Clause",
"ISC",
]
trigger_error = [
"GPL-3.0",
"AGPL-3.0",
"Proprietary",
"Unknown",
]
skip_libraries = [
"internal-package",
]

List of licenses that are approved for use in your project (allowed_licenses in YAML, allowed in pyproject.toml).
Examples:
- MIT
- Apache-2.0
- BSD-3-Clause
- ISC
- PSF-2.0 (Python Software Foundation)
SPDX Support: PermitCheck recognizes SPDX license identifiers and handles complex expressions:
- MIT OR Apache-2.0 - Either license is acceptable
- GPL-2.0+ - GPL 2.0 or later versions
- Apache-2.0 WITH LLVM-exception - License with exceptions
Licenses that will cause the validation to fail (trigger_error_licenses in YAML, trigger_error in pyproject.toml).
Common Restrictive Licenses:
- GPL-3.0 - GNU General Public License v3
- GPL-2.0 - GNU General Public License v2
- AGPL-3.0 - GNU Affero General Public License
- Proprietary - Proprietary/commercial licenses
- Unknown - Unidentified licenses
Why Trigger Errors?
- Legal compliance requirements
- Incompatibility with your project's license
- Corporate policy restrictions
- Distribution limitations
Dependencies to skip during license checking (skip_libraries).
Use Cases:
- Internal/private packages
- Development-only tools
- Legacy dependencies under review
- Packages with complex licensing
Example:
skip_libraries:
- my-company-internal
- legacy-package-under-review
- test-utility

PermitCheck validates your configuration and will warn about:
- Conflicts: A license in both allowed and trigger_error
- Empty Policy: No licenses defined
- Invalid SPDX: Malformed license expressions
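
The three checks above, as an added Python example that is not PermitCheck's own code. It assumes the policy is already parsed into a dict with the YAML key names, that an empty policy means both lists are empty, and a simplified SPDX grammar with uppercase operators; the function names and the exemption for the Proprietary and Unknown entries are assumptions.

```python
import re

# Simplified SPDX grammar (an assumption, not PermitCheck's own parser):
#   expr := term (("AND" | "OR") term)*
#   term := "(" expr ")" | license-id["+"] ["WITH" exception-id]
RESERVED = {"(", ")", "AND", "OR", "WITH"}
PLACEHOLDERS = {"Proprietary", "Unknown"}  # non-SPDX entries used on the page

def is_valid_spdx(expression):
    """True if the expression fits the simplified grammar above."""
    tokens = re.findall(r"\(|\)|[A-Za-z0-9][A-Za-z0-9.-]*\+?", expression)
    if "".join(tokens) != "".join(expression.split()):
        return False  # a character the tokenizer had to skip
    def term(i):  # index just past one term, or None on a syntax error
        if tokens[i:i + 1] == ["("]:
            i = expr(i + 1)
            return i + 1 if i is not None and tokens[i:i + 1] == [")"] else None
        if i >= len(tokens) or tokens[i] in RESERVED:
            return None
        if tokens[i + 1:i + 2] == ["WITH"]:
            exc = tokens[i + 2:i + 3]
            return i + 3 if exc and exc[0] not in RESERVED and "+" not in exc[0] else None
        return i + 1

    def expr(i):
        i = term(i)
        while i is not None and tokens[i:i + 1] in (["AND"], ["OR"]):
            i = term(i + 1)
        return i
    return expr(0) == len(tokens)

def validate_policy(policy):
    """Warnings for the three problems the page lists; [] means clean."""
    allowed = policy.get("allowed_licenses") or []
    denied = policy.get("trigger_error_licenses") or []
    warnings = []
    if not allowed and not denied:
        warnings.append("empty policy: no licenses defined")
    for lic in sorted(set(allowed) & set(denied)):
        warnings.append(f"conflict: {lic} is in both allowed and trigger_error")
    for lic in allowed + denied:
        if lic not in PLACEHOLDERS and not is_valid_spdx(lic):
            warnings.append(f"invalid SPDX: {lic!r}")
    return warnings

# Constructed sample: GPL-3.0 sits in both lists and "MIT OR" is malformed.
SAMPLE = {"allowed_licenses": ["MIT", "MIT OR", "GPL-3.0"],
          "trigger_error_licenses": ["GPL-3.0", "Unknown"]}
print("\n".join(validate_policy(SAMPLE)))
```

Running a check like this in CI before the scan catches a conflicting entry before the ambiguous policy is applied to real dependencies.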
For projects that accept most permissive licenses:
allowed_licenses:
- MIT
- Apache-2.0
- BSD-3-Clause
- BSD-2-Clause
- ISC
- 0BSD
- Unlicense
trigger_error_licenses:
- GPL-3.0
- GPL-2.0
- AGPL-3.0
- LGPL-3.0
- LGPL-2.1

For commercial projects with strict requirements:
allowed_licenses:
- MIT
- Apache-2.0
- BSD-3-Clause
trigger_error_licenses:
- GPL-3.0
- GPL-2.0
- AGPL-3.0
- LGPL-3.0
- LGPL-2.1
- MPL-2.0
- EPL-2.0
- CDDL-1.0
- Proprietary
- Unknown

For GPL-licensed projects:
allowed_licenses:
- GPL-3.0
- GPL-2.0
- LGPL-3.0
- LGPL-2.1
- MIT
- Apache-2.0
- BSD-3-Clause
- BSD-2-Clause
trigger_error_licenses:
- Proprietary
- Unknown

You can use different configurations for different environments:
# Development (more permissive)
permitcheck -l python --config permitcheck-dev.yaml
# Production (strict)
permitcheck -l python --config permitcheck-prod.yaml

PermitCheck caches license information to speed up scans:
# Clear cache
permitcheck --clear-cache
# Disable cache for single run
permitcheck -l python --no-cache

Cache Location:
- Linux/macOS: ~/.permitcheck/cache/
- Windows: %USERPROFILE%\.permitcheck\cache\

- Start Permissive: Begin with a broader set of allowed licenses and narrow down based on requirements
- Regular Reviews: Update your policy as dependencies change
- Document Exceptions: Comment why certain libraries are skipped
- Version Control: Commit your configuration to track policy changes
- Team Alignment: Ensure all team members understand the license policy