go-licenses check "Forbidden" license in CI
go-licenses check walked your Go module graph and found a dependency whose license is classified Forbidden (or Restricted) by the tool's license type list, so it exited non-zero.
What this error means
go-licenses check prints the module path and its Forbidden/Restricted license and returns a non-zero exit. It resolves licenses from the module cache for the packages your build imports.
$ go-licenses check ./...
Forbidden license type GPL-3.0 for library github.com/example/gpl-lib
exit status 1Common causes
A dependency uses a Forbidden license class
go-licenses maps each license to a type (notice, permissive, reciprocal, restricted, forbidden). A dependency with a Forbidden or Restricted license fails check by design.
The imported package pulls in the offending module
check only evaluates packages actually imported by the given pattern, so a transitive import of the flagged module triggers the failure.
How to fix it
Report the licenses, then remove the offender
- Run
go-licenses report ./...to see every module and its license. - Identify the import path that pulls in the Forbidden module.
- Replace the dependency or drop the import so it leaves the build graph.
go-licenses report ./... | grep -i gpl
go-licenses check ./...Allow a vetted license explicitly
If legal has cleared a specific license type, pass --allowed_licenses so it no longer fails while the rest stays strict.
go-licenses check ./... \
--allowed_licenses=MIT,Apache-2.0,BSD-3-Clause,ISCHow to prevent it
- Run go-licenses check on the same package pattern your build uses.
- Keep an allowed_licenses list under review rather than loosening it broadly.
- Vet a module license before adding the import.