License Compliance Checker

Article 53 | Flagship

Scans AI models, software packages, and agentic pipelines for license compliance across 8 ecosystems. Detects HuggingFace model references in code, GGUF/ONNX files, and generates EU AI Act Article 53 audit evidence with an honest dataset risk registry.

Quick Start

pip install license-compliance-checker

# Scan a project for license violations
lcc scan . --policy eu_ai_act --format json

# Scan with transitive dependency analysis (requires lock file)
lcc scan . --include-transitive --policy permissive

# Detect AI model licenses referenced in code
lcc scan . --format sarif --output report.sarif

Features

  • Detects AI model license references in Python/YAML/JSON code (from_pretrained, model=, etc.)
  • Scans GGUF and ONNX files — covers Ollama and llama.cpp model formats
  • Multi-ecosystem: Python, Node.js, Go, Rust, Ruby, Java, .NET, HuggingFace
  • AI license registry: RAIL, OpenRAIL, Llama, Gemma, Mistral, BigScience and more
  • Dataset risk registry: flags OpenAI API outputs, ShareGPT, Books3 as high/critical risk
  • EU AI Act Article 53 assessor with honest scope framing
  • SBOM export: CycloneDX and SPDX formats
  • FastAPI server + CLI + JSON/SARIF/CSV report formats
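
To illustrate the first feature, here is a sketch of static detection of model references in Python and YAML/JSON. It is an added example, not the tool's own code: the function names, the regex heuristics and the sample inputs are assumptions made for illustration.

```python
import ast
import re

# Hub ids look like "org/name". This heuristic (an assumption) skips "./local" paths
# but would still match a relative path such as "checkpoints/run1".
HUB_ID = re.compile(r"^[A-Za-z0-9][\w.-]*/[A-Za-z0-9][\w.-]*$")
# Fallback for config lines such as `model: org/name` or "model": "org/name".
CONFIG_LINE = re.compile(r"""["']?\bmodel(?:_name|_id)?["']?\s*[:=]\s*["']?([\w.-]+/[\w.-]+)""")

def find_in_python(source):
    """Return sorted (line, model_id, how) for model references in Python source."""
    hits = set()
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", "")
        candidates = []
        if name == "from_pretrained" and node.args:
            candidates.append((node.args[0], "from_pretrained"))
        candidates += [(kw.value, "model=") for kw in node.keywords if kw.arg == "model"]
        for value, how in candidates:
            if isinstance(value, ast.Constant) and isinstance(value.value, str):
                if HUB_ID.match(value.value):
                    hits.add((value.lineno, value.value, how))
            else:
                # Non-literal argument: not resolvable statically, so flag it for review.
                hits.add((value.lineno, "<dynamic>", how))
    return sorted(hits)

def find_in_config(text):
    """Return (line, model_id) for model keys in YAML/JSON-style text."""
    return [(i, m.group(1)) for i, line in enumerate(text.splitlines(), 1)
            if (m := CONFIG_LINE.search(line))]

# Constructed sample inputs (not taken from any real project).
SAMPLE_PY = '''
from transformers import AutoModel, pipeline
m = AutoModel.from_pretrained("bigscience/bloom-560m")
p = pipeline("text-generation", model="example-org/example-model")
local = AutoModel.from_pretrained("./checkpoints/run1")
dyn = AutoModel.from_pretrained(name)
'''
SAMPLE_YAML = "training:\n  model: example-org/example-model\n  epochs: 3\n"

if __name__ == "__main__":
    for hit in find_in_python(SAMPLE_PY) + find_in_config(SAMPLE_YAML):
        print(hit)
```

Parsing with `ast` rather than grepping means references in comments and docstrings are not reported, and a model name built at runtime shows up as `<dynamic>` instead of being missed silently.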

EU AI Act Context

Article 53 | GPAI Compliance

Generates audit evidence supporting EU AI Act Article 53 documentation obligations — evaluates model card completeness, license compliance, and training data risk for AI components in your stack.

Known Limitations

  • HuggingFace Hub API scanning requires referenced models (not local downloads only).
  • SPDX AND/OR compound expressions flagged for manual review — not auto-resolved.
  • Transitive dependency resolution requires a lock file (poetry.lock, package-lock.json).
  • Article 53 assessment covers documentation completeness only — not a legal compliance determination.
  • Training data risk registry covers top-50 known datasets; unknown datasets flagged for review.

For the most current status, see GitHub issues.

Contributing

Contributions are welcome — Apache 2.0 licensed. See the contributing guide and open issues.

License

Licensed under the Apache License 2.0.

The Compound Moat

One tool is a start. The chain is the moat.

Each AiExponent tool produces structured evidence the next tool consumes. Browse the full toolchain — from Article 5 screening through Article 72 post-market monitoring.
