Feluda

🔎 Feluda is a Rust-based command-line tool that analyzes the dependencies of a project, notes down their licenses, and flags any permissions that restrict personal or commercial usage or are incompatible with your project's license.

👋 It's still highly experimental, but fast iterating. Welcoming contributors and support to help bring out this project even better!

Installation

Official Distribution 🎉:

<details> <summary>Rust (Crate)</summary>

Prerequisites

• Rust installed on your system.

If you already had it, make sure it's up-to-date and update if needed. (Optional) Set rust path if not set already.

Install

cargo install feluda

</details> <details> <summary>DEB Package (Debian/Ubuntu/Pop! OS)</summary>

Feluda is available as a DEB package for Debian-based systems.

1. Download the latest .deb file from GitHub Releases
2. Install the package:

# Install the downloaded DEB package
sudo dpkg -i feluda_*.deb

# If there are dependency issues, fix them
sudo apt install -f

</details> <details> <summary>RPM Package (RHEL/Fedora/CentOS)</summary>

Feluda is available as an RPM package for Red Hat-based systems.

1. Download the latest .rpm file from GitHub Releases
2. Install the package:

# Install the downloaded RPM package
sudo rpm -ivh feluda_*.rpm

# Or using dnf (Fedora/newer RHEL)
sudo dnf install feluda_*.rpm

# Or using yum (older RHEL/CentOS)
sudo yum install feluda_*.rpm

</details>

Community Maintained 🙌:

<details> <summary>Homebrew (maintained by <a href="https://github.com/chenrui333" rel="noopener noreferrer">@chenrui333</a>)</summary>

feluda is available in the Homebrew. You can install it using brew:

brew install feluda

</details> <details> <summary>Arch Linux (maintained by <a href="https://github.com/adamperkowski" rel="noopener noreferrer">@adamperkowski</a>)</summary>

feluda is available in the AUR. You can install it using an AUR helper (e.g. paru):

paru -S feluda

</details> <details> <summary>NetBSD (maintained by <a href="https://github.com/0323pin" rel="noopener noreferrer">@0323pin</a>)</summary>

On NetBSD a package is available from the official repositories. To install it, simply run:

pkgin install feluda

</details>

Package Managers 📦:

Track releases on github releases or via release feed.

<details> <summary>Build from Source (advanced users)</summary>

Note: This might have experimental features which might not work as intended.

Clone and Build

First, clone the repository:

git clone https://github.com/anistark/feluda.git
cd feluda

Then, build the project using Cargo:

cargo build --release

Finally, to make feluda available globally, move the binary to a directory in your PATH. For example:

sudo mv target/release/feluda /usr/local/bin/

</details>

Usage

Feluda provides license analysis by default, with an additional command for generating compliance files. Analyze your project's dependencies and their licenses:

# Basic usage
feluda

# Specify a path to your project directory
feluda --path /path/to/project/

# Check with specific language
feluda --language {rust|node|go|python|c|cpp|r}

# Skip local file checks and force network lookup only
feluda --no-local

# Filter by OSI approval status
feluda --osi approved        # Show only OSI approved licenses
feluda --osi not-approved   # Show only non-OSI approved licenses
feluda --osi unknown        # Show licenses with unknown OSI status

Local License Detection

By default, Feluda checks local files first for license information before making network requests:

• Node.js: Checks LICENSE files in local node_modules (npm, pnpm, yarn, bun)
• Rust: Checks Cargo.toml manifests for license field

Use --no-local to skip local checks and force network-only license lookup.

License File Generation

Generate compliance files for legal requirements:

# Interactive file generation
feluda generate

# Generate for specific language and license
feluda generate --language rust --project-license MIT

# Generate for specific path
feluda generate --path /path/to/project/

SBOM Generation

Generate Software Bill of Materials (SBOM) for your project:

# Generate all supported SBOM formats (SPDX + CycloneDX)
feluda sbom

# Generate SPDX format SBOM only
feluda sbom spdx

# Generate SPDX format SBOM to file
feluda sbom spdx --output sbom.json

# Generate CycloneDX format SBOM only
feluda sbom cyclonedx

# Generate CycloneDX format SBOM to file
feluda sbom cyclonedx --output sbom.json

# Generate all formats with custom output
feluda sbom --output sbom-output

Supported SBOM Formats:

• SPDX 2.3 - Software Package Data Exchange format (JSON)
• CycloneDX - CycloneDX v1.5 format (JSON)

What's Included in SBOM:

• Package names and versions
• License information
• SPDX identifiers
• License compatibility flags
• Tool metadata and generation timestamp

Use Cases:

• 🔒 Security compliance - Track all dependencies for vulnerability management
• 📋 Supply chain transparency - Document your software's components
• 🏢 Enterprise requirements - Meet organizational SBOM mandates
• 🔍 Audit preparation - Provide comprehensive dependency documentation

SBOM Validation

Validate SBOM files to ensure they conform to the SPDX or CycloneDX specifications:

# Validate an SBOM file
feluda sbom validate spdx.json

# Validate and save the report to a file
feluda sbom validate spdx.json --output validation-report.txt

# Validate and output report in JSON format
feluda sbom validate spdx.json --json

# Validate and save JSON report to file
feluda sbom validate spdx.json --json --output validation-report.json

Cache Management

Feluda caches GitHub license data to improve performance on repeated runs:

# View cache status (size, age, health)
feluda cache

# Clear the cache
feluda cache --clear

How Caching Works:

• Cache is stored at .feluda/cache/github_licenses.json
• 30-day automatic expiration (cache is refreshed if older)
• Only licenses successfully fetched from GitHub API are cached
• Cache is automatically loaded on subsequent analysis runs
• Reduces GitHub API calls and improves analysis speed

GitHub API Authentication

Feluda uses the GitHub API to fetch license information. Unauthenticated requests are limited to 60 requests/hour, which may be insufficient for large projects or frequent scans.

Increase rate limits by providing a GitHub personal access token:

# Via command-line flag
feluda --github-token <your_token>

# Or via environment variable (recommended for CI/CD)
export GITHUB_TOKEN=<your_token>
feluda

Authenticated requests get 5,000 requests/hour. No special scopes are required for the token—public repository access is sufficient.

Run feluda on a github repo directly

feluda --repo <repository_url> [--ssh-key <key_path>] [--ssh-passphrase <passphrase>] [--token <https_token>]

<repository_url>: The URL of the Git repository to clone (e.g., git@github.com:user/repo.git or https://github.com/user/repo.git).

--ssh-key <key_path>: (Optional) Path to a private SSH key for authentication.

` --ssh-passphrase <passphrase>: (Optional) Pa