If you've ever had a GPL dependency sneak into a commercial project, you know the drill. License violations don't fail your tests. They don't break your build. They just sit there quietly until your lawyer finds them six months later, and suddenly everyone is having a very bad week.
Let's fix that. This post shows how to surface those violations as real security findings inside GitHub Advanced Security, using feluda's SARIF output. Think CVEs and secret leaks, but for licenses. Same dashboard, same severity levels, no extra plugins.
What is SARIF?
SARIF (Static Analysis Results Interchange Format) is an OASIS standard for shuttling results between static analysis tools and the things that consume them. GitHub Advanced Security speaks it natively: hand a .sarif file to the github/codeql-action/upload-sarif action (or POST it to the code scanning API) and GitHub turns each result into an alert under Security > Code scanning. It does have to go through that upload step; attaching the file as an ordinary workflow artifact creates no alerts. It's a surprisingly clean integration for something that used to need a pile of glue.
Refer to the OASIS SARIF specification (version 2.1.0, the one GitHub consumes) for details.
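To make the mapping concrete, here is an added example (written for this post, not feluda's own code) that turns a list of dependency licence findings into a SARIF 2.1.0 log GitHub will accept. The dependency list is constructed sample data, and the rule ids, SARIF levels, security-severity scores and the copyleft classification are this example's assumed policy rather than feluda's; the informationUri is assumed too. The interesting bits are the rule property bag, where GitHub reads "security-severity" to bucket the alert, and the location, which is what makes the alert clickable in a pull request.

```python
"""Emit a SARIF 2.1.0 log for dependency licence findings so GitHub code
scanning lists them as alerts.

Added example for this post, not feluda's code. SAMPLE_FINDINGS is
constructed data; the rule ids, levels, scores and the licence
classification are an assumed policy, not feluda's.
"""
import json

TOOL_NAME = "feluda"
SCHEMA = "https://json.schemastore.org/sarif-2.1.0.json"

# Assumed policy: rule id -> (SARIF level, GitHub "security-severity", text).
# GitHub reads "security-severity" from the rule's property bag and buckets it
# like a CVSS score: critical >= 9.0, high 7.0-8.9, medium 4.0-6.9, low < 4.0.
RULES = {
    "strong-copyleft": ("error", "8.0",
        "Strong copyleft licence (GPL/AGPL family) pulled into a proprietary build"),
    "weak-copyleft": ("warning", "5.0",
        "Weak copyleft licence (LGPL/MPL family); check linking and distribution terms"),
    "unknown-licence": ("warning", "4.0", "Dependency declares no recognisable licence"),
}
RULE_IDS = list(RULES)  # order used for ruleIndex
RANK = {None: 0, "weak-copyleft": 1, "unknown-licence": 2, "strong-copyleft": 3}


def github_severity(score: str) -> str:
    """Bucket a security-severity string the way the code scanning UI does."""
    s = float(score)
    return "critical" if s >= 9.0 else "high" if s >= 7.0 else "medium" if s >= 4.0 else "low"


def _classify_one(lic: str):
    """Map one SPDX identifier to a rule id, or None if it is permissive."""
    lic = lic.strip()
    if not lic or lic.upper() in {"UNKNOWN", "NOASSERTION"}:
        return "unknown-licence"
    if lic.startswith(("GPL-", "AGPL-")):
        return "strong-copyleft"
    if lic.startswith(("LGPL-", "MPL-")):
        return "weak-copyleft"
    return None


def classify(expr: str):
    """Classify a flat SPDX expression: 'A OR B' lets the consumer pick, so take
    the least restrictive alternative; 'A AND B' imposes both, so take the most
    restrictive conjunct. Nested parentheses are not handled."""
    if not expr or not expr.strip():
        return "unknown-licence"
    worst = None
    for conj in expr.split(" AND "):
        best = min((_classify_one(a) for a in conj.strip("() ").split(" OR ")), key=RANK.get)
        worst = max(worst, best, key=RANK.get)
    return worst


def build_sarif(findings, tool_version="0.0.0"):
    """Build the SARIF log as a dict. Each finding is
    {"name", "version", "license", "manifest", "line"}; permissive ones yield no result."""
    rules = [{"id": rid, "shortDescription": {"text": text},
              "properties": {"security-severity": score, "tags": ["license", "supply-chain"]}}
             for rid, (_, score, text) in RULES.items()]
    results = []
    for f in findings:
        rid = classify(f["license"])
        if rid is None:
            continue
        results.append({
            "ruleId": rid,
            "ruleIndex": RULE_IDS.index(rid),
            "level": RULES[rid][0],
            "message": {"text": f"{f['name']} {f['version']} is licensed "
                                f"{f['license'].strip() or 'UNKNOWN'} ({rid})"},
            # Point at the manifest line so the alert is annotated in the PR diff.
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": f["manifest"], "uriBaseId": "%SRCROOT%"},
                "region": {"startLine": f["line"]}}}],
            # Stable key so GitHub tracks the same alert across runs even if the line moves.
            "partialFingerprints": {"dependency/v1": f"{f['name']}@{f['version']}"},
        })
    return {"$schema": SCHEMA, "version": "2.1.0", "runs": [{
        "tool": {"driver": {"name": TOOL_NAME, "version": tool_version,
                            "informationUri": "https://github.com/anistark/feluda",  # assumed
                            "rules": rules}},
        "results": results}]}


# Constructed sample input: what a dependency scanner would hand us.
SAMPLE_FINDINGS = [
    {"name": "widget-core", "version": "1.4.2", "license": "MIT OR Apache-2.0", "manifest": "Cargo.toml", "line": 9},
    {"name": "pdf-render", "version": "0.8.0", "license": "GPL-3.0-only", "manifest": "Cargo.toml", "line": 12},
    {"name": "glue-ffi", "version": "2.1.0", "license": "LGPL-2.1-or-later AND MIT", "manifest": "Cargo.toml", "line": 15},
    {"name": "mystery-crate", "version": "0.1.0", "license": "", "manifest": "Cargo.toml", "line": 18},
]


def write_sarif(path, findings=SAMPLE_FINDINGS):
    """Write the log to disk and return the number of results it contains."""
    log = build_sarif(findings)
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(log, fh, indent=2)
    return len(log["runs"][0]["results"])


if __name__ == "__main__":
    print(f"wrote {write_sarif('results.sarif')} results to results.sarif")
```

In a workflow, the generated results.sarif goes to the github/codeql-action/upload-sarif action via its sarif_file input, and the job needs the security-events: write permission or the upload is rejected. A dual-licensed crate such as "MIT OR Apache-2.0" produces no result here because the consumer may take the permissive option; an "AND" expression is scored by its most restrictive part, which is the conservative reading a reviewer wants.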