madewithlove/license-checker
============================

CLI tool to verify allowed licenses for composer dependencies

Latest version: 3.1.0. License: MIT. Requires PHP ^8.4.

[Source](https://github.com/madewithlove/license-checker-php) | [Packagist](https://packagist.org/packages/madewithlove/license-checker)

CLI Licence checker for composer dependencies
=============================================

This library offers a simple CLI tool to show the licenses used by composer dependencies in your project. These licenses can be verified against a list of allowed (or denied) licenses to offer a way for your continuous integration pipeline to block merging when a non-verified license is being introduced to the codebase.

Upgrading from 2.x
------------------

Version 3.x introduces a new structured configuration format. Run the migration command to upgrade:

```
vendor/bin/license-checker migrate-config --remove-old

```

This converts your `.allowed-licenses` file to the new `.license-checker.yml` format. See [full migration details](#migrating-from-2x) below.

Installation
------------

Installing should be a breeze thanks to `composer`. Note that you need PHP 8.4 to install the latest version (3.x):

```
composer require madewithlove/license-checker

```

Configuration
-------------

Create a `.license-checker.yml` file in the root of your project (where `composer.json` is located).

### Allowlist mode

Only the listed licenses are permitted. Any dependency using a license not on this list will be flagged:

```
# .license-checker.yml
allowed:
  - MIT
  - BSD-3-Clause
  - Apache-2.0
```

### Denylist mode

All licenses are permitted **except** the ones listed. Use this when you want to block specific licenses:

```
# .license-checker.yml
denied:
  - GPL-3.0
  - AGPL-3.0
```

> **Note:** `allowed` and `denied` are mutually exclusive — you must use one or the other, not both.

It's possible to use a custom configuration file by passing the `--filename` (or `-f`) option to the CLI commands.

Usage
-----

These are the different CLI commands:

### Check licenses

```
vendor/bin/license-checker check

```

### List used licenses

```
vendor/bin/license-checker used

```

### List configured licenses

Shows the configured allowed or denied licenses:

```
vendor/bin/license-checker list-config

```

### Count used licenses

```
vendor/bin/license-checker count

```

### Automatically generate configuration

This command will automatically generate a `.license-checker.yml` configuration in allowlist mode based on the currently used licenses:

```
vendor/bin/license-checker generate-config

```

### Excluding development dependencies

Passing the `--no-dev` option to the CLI commands will scope all checks to production dependencies only. Checking production and development dependencies against separate configuration files is possible by passing options:

```
vendor/bin/license-checker check --no-dev --filename .license-checker-production.yml
vendor/bin/license-checker check --filename .license-checker-including-dev.yml

```

### Output Formats (--format option)

You can choose how license information is displayed — as a human-readable table (`text`), machine-readable JSON (`json`), or SARIF for GitHub Actions code scanning (`sarif`).

```
vendor/bin/license-checker check --format=json

```

```
{
    "laravel/framework": {
        "license": "MIT",
        "is_allowed": true
    },
    "phpunit/phpunit": {
        "license": "BSD-3-Clause",
        "is_allowed": false
    }
}
```

```
vendor/bin/license-checker check --format=text

```

```
✓  phpunit/phpunit [BSD-3-Clause]
✓  symfony/console [MIT]

```

By default, results are printed as human-readable text. Use `--format=json` for structured machine-readable output. Use `--format=sarif` to generate a SARIF report for GitHub Actions integration (see below).
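A CI gate that consumes the `--format=json` report shown above, as an added example that is not part of the project's code. It fails closed: an empty, truncated or malformed report raises instead of counting as "no violations". The function name and the constructed sample report are assumptions, and only the type of `is_allowed` is enforced.

```python
import json


def disallowed_packages(report_text):
    """Return (package, license) pairs whose is_allowed is false, by package.

    Raises ValueError for any report that does not match the documented
    shape, so a crashed or truncated run cannot pass the gate.
    """
    try:
        report = json.loads(report_text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"report is not valid JSON: {exc}") from exc
    if not isinstance(report, dict):
        raise ValueError("report must be a JSON object keyed by package")

    violations = []
    for package, entry in report.items():
        if not isinstance(entry, dict) or "license" not in entry:
            raise ValueError(f"{package}: entry has no license field")
        allowed = entry.get("is_allowed")
        # Strict type check: "true", 1 or null must never count as allowed.
        if not isinstance(allowed, bool):
            raise ValueError(f"{package}: is_allowed is not a boolean")
        if not allowed:
            violations.append((package, entry["license"]))
    return sorted(violations, key=lambda pair: pair[0])


# Constructed sample with the same shape as the JSON output shown above.
SAMPLE_REPORT = """
{
    "laravel/framework": {"license": "MIT", "is_allowed": true},
    "phpunit/phpunit": {"license": "BSD-3-Clause", "is_allowed": false}
}
"""

if __name__ == "__main__":
    bad = disallowed_packages(SAMPLE_REPORT)
    for package, license_id in bad:
        print(f"disallowed: {package} [{license_id}]")
    raise SystemExit(1 if bad else 0)
```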

GitHub Actions integration
--------------------------

The `--format=sarif` option outputs results in [SARIF 2.1.0](https://sarifweb.azurewebsites.net/) format, which GitHub can display as [code scanning alerts](https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github) directly on pull requests.

Each root dependency that requires a disallowed license — either directly or through a transitive dependency — appears as a separate annotation pointing to your `composer.json`.

### Example workflow

```
# .github/workflows/license-check.yml
name: License check

on: [push, pull_request]

jobs:
  license-check:
    runs-on: ubuntu-latest
    permissions:
      contents: read          # required by actions/checkout once permissions are set explicitly
      security-events: write  # required to upload SARIF results
    steps:
      - uses: actions/checkout@v4

      - name: Install dependencies
        run: composer install --no-interaction --prefer-dist

      - name: Check licenses
        id: license-check
        run: vendor/bin/license-checker check --format=sarif > license-results.sarif
        continue-on-error: true

      - name: Upload SARIF results
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: license-results.sarif
          category: license-checker

      - name: Fail if license violations found
        if: steps.license-check.outcome == 'failure'
        run: exit 1
```

> **Note:** `continue-on-error: true` ensures the SARIF upload always runs even when violations are found. The final step then checks the original outcome and fails the build, so violations still block the pipeline.

### SARIF output example

```
{
    "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
    "version": "2.1.0",
    "runs": [
        {
            "tool": {
                "driver": {
                    "name": "license-checker",
                    "rules": [{ "id": "license-not-allowed" }]
                }
            },
            "results": [
                {
                    "ruleId": "license-not-allowed",
                    "level": "error",
                    "message": {
                        "text": "\"my/package\" requires \"bad/subdep\" which uses the disallowed license \"GPL-3.0\""
                    },
                    "locations": [
                        {
                            "physicalLocation": {
                                "artifactLocation": { "uri": "composer.json" }
                            },
                            "logicalLocations": [
                                { "name": "my/package", "kind": "package" }
                            ]
                        }
                    ]
                }
            ]
        }
    ]
}
```
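Grouping the results of such a report by root dependency, as an added example that is not the project's own code. It reads only the fields shown in the SARIF output above; the function names and the constructed sample report are assumptions.

```python
import json
from collections import defaultdict

RULE_ID = "license-not-allowed"  # rule id taken from the SARIF example above


def violations_by_root(sarif_text):
    """Map each root package to the messages of its license violations."""
    doc = json.loads(sarif_text)  # ValueError on an empty or truncated file
    if not isinstance(doc, dict) or doc.get("version") != "2.1.0":
        raise ValueError("not a SARIF 2.1.0 document")
    grouped = defaultdict(list)
    for run in doc.get("runs", []):
        for result in run.get("results", []):
            if result.get("ruleId") != RULE_ID:
                continue
            roots = [
                logical["name"]
                for location in result.get("locations", [])
                for logical in location.get("logicalLocations", [])
                if logical.get("kind") == "package" and "name" in logical
            ]
            # A result without a package location is still a violation:
            # keep it under a placeholder instead of silently dropping it.
            for root in roots or ["<unknown>"]:
                grouped[root].append(result["message"]["text"])
    return dict(grouped)


def _result(root, text):
    """Build one constructed result with the structure shown above."""
    return {
        "ruleId": RULE_ID, "level": "error", "message": {"text": text},
        "locations": [{
            "physicalLocation": {"artifactLocation": {"uri": "composer.json"}},
            "logicalLocations": [{"name": root, "kind": "package"}],
        }],
    }


# Constructed sample report; package names and messages are made up.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{"results": [
    _result("my/package", '"my/package" requires "bad/subdep" which uses the disallowed license "GPL-3.0"'),
    _result("my/package", '"my/package" requires "other/subdep" which uses the disallowed license "AGPL-3.0"'),
    _result("acme/tool", '"acme/tool" requires "bad/subdep" which uses the disallowed license "GPL-3.0"'),
    {"ruleId": RULE_ID, "level": "error", "message": {"text": "no location"}},
]}]})

if __name__ == "__main__":
    for root, messages in sorted(violations_by_root(SAMPLE_SARIF).items()):
        print(f"{root}: {len(messages)} violation(s)")
```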

Migrating from 2.x
------------------

Version 3.x introduces a new structured configuration format. Here's what changed:

### Configuration file format

The old format was a plain YAML list in `.allowed-licenses`:

```
# OLD format (.allowed-licenses) — no longer supported
- MIT
- BSD-3-Clause
```

The new format uses a structured YAML file (`.license-checker.yml`) with an explicit `allowed` or `denied` key:

```
# NEW format (.license-checker.yml)
allowed:
  - MIT
  - BSD-3-Clause
```

### Automatic migration

Use the `migrate-config` command to convert your old configuration:

```
vendor/bin/license-checker migrate-config

```

This reads `.allowed-licenses` and writes `.license-checker.yml` with the `allowed:` key.

To also remove the old file:

```
vendor/bin/license-checker migrate-config --remove-old

```

### Renamed commands

| 2.x | 3.x |
| --- | --- |
| `allowed` | `list-config` |

### Other breaking changes

- Minimum PHP version is now 8.4 (was 8.3)
- Minimum Symfony version is now 7.4 (was 4.0)

