Reference
Keep this dossier handy when you need definitive answers about Feluda’s flags, troubleshooting steps, and terminology.
CLI flag table
Use this table to double-check flag behavior before scripting.
| Flag / Command | Purpose | Notes |
|---|---|---|
| | Scan a different directory. | Accepts relative or absolute paths. |
| `--repo` | Clone and scan a remote repository. | Combine with |
| | Limit analysis to one ecosystem. | Useful for monorepos or staged reviews. |
| | Filter by OSI approval status. | Requires verbose, JSON, YAML, or GUI modes to display OSI columns clearly. |
| | Show only restrictive or incompatible dependencies. | Relies on the restrictive list and compatibility matrix described in Configuration. |
| | Evaluate compatibility against a declared license. | Supports MIT, Apache-2.0, GPL variants, MPL-2.0, BSD variants, ISC, 0BSD, Unlicense, WTFPL, and more. |
| | Exit non-zero when risky findings exist. | Ideal for CI as in Integrations. |
| | Skip local manifests and fetch data remotely. | Helpful when manifests are incomplete or stale. |
| | Pass a GitHub token inline. | Overridden by |
| `feluda cache` | Inspect or delete the GitHub license cache. | Default cache path: `.feluda/cache/github_licenses.json` |
| | Switch output format. | JSON/YAML suit automation; gist prints a one-liner. |
| | Enrich the terminal display. | GUI launches a TUI; verbose adds OSI/compatibility columns. |
| | Save text output to a file. | Works with any format flag. |
| `--ci-format` | Emit annotations suited to CI platforms. | |
| | Enable debug mode with detailed logging. | Useful for troubleshooting detection issues. |
| | Enable strict mode for license parsing. | Treats unknown licenses as incompatible. |
| `feluda generate` | Generate NOTICE and THIRD_PARTY_LICENSES files. | Accepts |
| `feluda sbom` | Generate SBOM in SPDX 2.3 or CycloneDX v1.5 format. | Omit format to generate both; use |
| | Validate an SBOM file against its specification. | Supports |
Need configuration guidance?
Looking to adjust restrictive lists, dependency ignores, compatibility matrices, or environment overrides? Jump to Configuration for detailed instructions, code snippets, and validation tips before you rerun Feluda.
Troubleshooting

Important: Feluda stores fetched licenses in `.feluda/cache/github_licenses.json`. Delete it via `feluda cache --clear` if you change tokens or suspect corruption.
- GitHub rate limits: Without authentication you receive only 60 requests/hour. Set `GITHUB_TOKEN` as shown above and confirm the cache displays the higher limit via `feluda cache`.
- Cache location: When diagnosing mismatched data, double-check the timestamps printed by `feluda cache` to ensure the entries are fresh.
- CI formatting: If annotations fail to appear in GitHub or Jenkins, confirm the job uses `feluda --ci-format` with the correct platform specified.
- Remote scans: Ensure CI runners have access to SSH keys or HTTPS tokens before invoking `feluda --repo` to avoid authentication prompts.
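As an added example that is not part of the Feluda documentation, a POSIX shell preflight for a CI job that applies the checks above: it refuses unauthenticated runs, validates the `--ci-format` platform, and clears the license cache whenever the token fingerprint changes between runs. The `FELUDA_BIN` and `FELUDA_CACHE_DIR` variables, the `token.fingerprint` file name, and the platform names `github`/`jenkins` are this example's assumptions; it also assumes `sha256sum` is available.

```shell
#!/usr/bin/env sh
# Added example, not Feluda's own code. Assumes `feluda` is on PATH (FELUDA_BIN
# overrides it for dry runs), `sha256sum` exists, `github`/`jenkins` are the
# --ci-format platform names, and token.fingerprint is a file name invented here.
FELUDA_BIN="${FELUDA_BIN:-feluda}"
FELUDA_CACHE_DIR="${FELUDA_CACHE_DIR:-.feluda/cache}"

# Returns 0 if the platform is one of the CI systems this page names for --ci-format.
feluda_valid_platform() {
  case "$1" in
    github|jenkins) return 0 ;;
    *) return 1 ;;
  esac
}

# Runs `feluda cache --clear` whenever the token differs from the one used last
# time, so github_licenses.json entries fetched with an old token never linger.
# Prints "cleared" or "kept"; returns 1 if the clear itself failed.
feluda_reset_cache_on_token_change() {
  fp_file="$FELUDA_CACHE_DIR/token.fingerprint"
  new_fp="$(printf '%s' "${GITHUB_TOKEN:-}" | sha256sum | cut -d' ' -f1)"
  old_fp="$(cat "$fp_file" 2>/dev/null || true)"
  if [ "$new_fp" = "$old_fp" ]; then echo kept; return 0; fi
  "$FELUDA_BIN" cache --clear || return 1
  mkdir -p "$FELUDA_CACHE_DIR"
  printf '%s\n' "$new_fp" > "$fp_file"
  echo cleared
}

# Scans for a CI platform, optionally against a remote repository via --repo.
# Refuses to run unauthenticated: 60 requests/hour will throttle a real job.
feluda_ci_scan() {
  platform="$1"; repo="${2:-}"
  if [ -z "${GITHUB_TOKEN:-}" ]; then
    echo "GITHUB_TOKEN is unset; unauthenticated GitHub API calls are capped at 60/hour" >&2
    return 2
  fi
  if ! feluda_valid_platform "$platform"; then
    echo "unsupported --ci-format platform: $platform" >&2
    return 2
  fi
  feluda_reset_cache_on_token_change >/dev/null || return 1
  if [ -n "$repo" ]; then
    "$FELUDA_BIN" --ci-format "$platform" --repo "$repo"
  else
    "$FELUDA_BIN" --ci-format "$platform"
  fi
}
```

Call `feluda_ci_scan github` (or `feluda_ci_scan jenkins <url>`) from the CI step after exporting `GITHUB_TOKEN`; set `FELUDA_BIN=true` to dry-run the preflight without invoking Feluda.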
Glossary
- Permissive license: MIT, Apache-2.0, BSD, ISC, or similarly lenient licenses that allow broad redistribution.
- Restrictive license: GPL variants, AGPL, LGPL, MPL-2.0, EPL-2.0, CC-BY-SA-4.0, or any identifier listed under `[licenses.restrictive]`.
- Compatibility matrix: The rules stored in `config/license_compatibility.toml` that determine whether dependency licenses mix safely with your project's license.
- NOTICE file: Concise attribution summary generated via `feluda generate`.
- THIRD_PARTY_LICENSES file: Full license-text compendium also produced by `feluda generate`.
- SBOM: Software Bill of Materials containing dependency, license, and metadata exported via `feluda sbom`.
Contributor resources

- Review `CONTRIBUTING.md` in the repository root for code-style, testing, and submission expectations.
- Study `ACTION-README.md` for advanced GitHub Action usage, especially when combining `update-badge` with GitHub Actions.
- Check `config/license_compatibility.toml` if you need to suggest compatibility changes; open a pull request with legal input.
- Explore `examples/` to see sample outputs that mirror `feluda --json` and `feluda sbom` results.