Skip to content
Latchkey

go-licenses check "Forbidden" license in CI

go-licenses check walked your Go module graph and found a dependency whose license is classified Forbidden (or Restricted) by the tool's license type list, so it exited non-zero.

What this error means

go-licenses check prints the module path and its Forbidden/Restricted license and returns a non-zero exit. It resolves licenses from the module cache for the packages your build imports.

Terminal
$ go-licenses check ./...
Forbidden license type GPL-3.0 for library github.com/example/gpl-lib
exit status 1

Common causes

A dependency uses a Forbidden license class

go-licenses maps each license to a type (notice, permissive, reciprocal, restricted, forbidden). A dependency with a Forbidden or Restricted license fails check by design.

The imported package pulls in the offending module

check only evaluates packages actually imported by the given pattern, so a transitive import of the flagged module triggers the failure.

How to fix it

Report the licenses, then remove the offender

  1. Run go-licenses report ./... to see every module and its license.
  2. Identify the import path that pulls in the Forbidden module.
  3. Replace the dependency or drop the import so it leaves the build graph.
Terminal
go-licenses report ./... | grep -i gpl
go-licenses check ./...

Allow a vetted license explicitly

If legal has cleared a specific license type, pass --allowed_licenses so it no longer fails while the rest stays strict.

Terminal
go-licenses check ./... \
  --allowed_licenses=MIT,Apache-2.0,BSD-3-Clause,ISC

How to prevent it

  • Run go-licenses check on the same package pattern your build uses.
  • Keep an allowed_licenses list under review rather than loosening it broadly.
  • Vet a module license before adding the import.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →