Safeguard.sh Documentation Center

License Compliance

Detect, classify, and enforce open-source license policies across code, containers, and vendor SBOMs.

Open-source license obligations are as real as security obligations. A copyleft license in the wrong place can force you to open-source proprietary code, lose a deal, or fail due diligence. Safeguard identifies every component's license, classifies its obligations, and enforces your license policy at every point in the lifecycle.

License Detection

Safeguard identifies licenses from multiple sources with reconciliation:

  • Package metadata — license field in package.json, pyproject.toml, Cargo.toml, <licenses> in Maven POMs, etc.
  • SPDX identifiers — recognized per the SPDX license list.
  • Full-text matching — scans LICENSE, LICENCE, COPYING, NOTICE files and matches against known license texts.
  • Header detection — reads source file headers for license declarations.
  • Binary extraction — parses /usr/share/doc/*/copyright in container layers and embedded license strings.

When signals disagree (package.json says MIT but LICENSE file is AGPL), Safeguard raises a license-discrepancy finding — typically the sign of a packaging mistake or license relabeling.

Classifications

Every license is classified by obligation category:

Category                   | Examples                              | Risk
---------------------------+---------------------------------------+-------------------------------
Permissive                 | MIT, BSD-2/3, Apache-2.0, ISC         | Low
Weak copyleft              | MPL-2.0, LGPL-2.1, LGPL-3.0, EPL-2.0  | Medium
Strong copyleft            | GPL-2.0, GPL-3.0                      | High for proprietary products
Network copyleft           | AGPL-3.0, SSPL-1.0                    | High for SaaS
Commercial / proprietary   | Custom, vendor-specific               | Depends
Public domain / dedication | CC0-1.0, Unlicense                    | Low
Unknown / unidentified     |                                       | Review required

Classifications include deep-linked explanations of obligations (attribution, source disclosure, patent grants, etc.).

License Policies

Declare your allow / deny policy in YAML:

apiVersion: safeguard.sh/v1
kind: LicensePolicy
metadata:
  name: default
spec:
  allow:
    - MIT
    - BSD-2-Clause
    - BSD-3-Clause
    - Apache-2.0
    - ISC
    - MPL-2.0
  deny:
    - GPL-3.0-or-later
    - AGPL-3.0-or-later
    - SSPL-1.0
  require_review:
    - GPL-2.0-only
    - LGPL-3.0-or-later
    - "Custom/*"
  context_overrides:
    - apply_to: { env: sdk }
      deny:
        - LGPL-3.0-or-later     # LGPL tricky in SDK distribution
    - apply_to: { env: server }
      allow:
        - LGPL-3.0-or-later     # fine for a service binary

Policies can be scoped to asset labels — a policy for your open-core distribution can differ from your SaaS backend.

Enforcement

License policies plug into Guardrails:

  • At CI time — builds fail if a denied license appears in the dependency tree.
  • At admission — images containing denied licenses can't deploy to production.
  • At PR time — a new direct dependency with a deny-listed license gets a blocking Safeguard check.

Findings show the transitive path for quick triage.

Attribution Generation

For redistributed artifacts, Safeguard auto-generates:

  • NOTICE / THIRD-PARTY-NOTICES.txt with required attributions.
  • licenses/ directory with copies of each required license text.
  • A machine-readable SPDX document for each release.

safeguard license generate-notice \
  --sbom ./sbom.cdx.json \
  --out ./THIRD-PARTY-NOTICES.txt

Generation is deterministic — run it in CI and fail if the generated file differs from the committed one.

Vendor SBOM License Analysis

For vendor software, Safeguard runs the same classification on the vendor's SBOM:

  • Are their licenses compatible with your product?
  • Does any component in their SBOM trigger a deny-listed license for you?
  • Has the license set changed between versions (a sign of unexpected re-licensing)?

This flows into TPRM assessments automatically.

Dual-Licensed and Compound Expressions

Safeguard understands full SPDX expression syntax:

  • MIT OR Apache-2.0 — dual-licensed, pick one.
  • (MIT AND Apache-2.0) — compound; both apply.
  • GPL-2.0-only WITH Classpath-exception-2.0 — with exception.

Policies evaluate correctly against expressions; for OR, the most permissive option that matches your policy is chosen automatically.
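The evaluation rules above, as an added illustration that is not Safeguard's own code: a small SPDX expression parser folded against the allow / deny / require_review lists from the policy YAML on this page. It assumes "Custom/*" is a prefix glob, that deny outranks require_review which outranks allow, and that a WITH exception falls back to the base license's verdict unless the policy names the exact "X WITH Y" form.

```python
import re
# Constructed policy mirroring the YAML above (assumption: "Custom/*" is a prefix glob).
POLICY = {
    "allow": ["MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0", "ISC", "MPL-2.0"],
    "deny": ["GPL-3.0-or-later", "AGPL-3.0-or-later", "SSPL-1.0"],
    "require_review": ["GPL-2.0-only", "LGPL-3.0-or-later", "Custom/*"],
}
RANK = {"allow": 0, "require_review": 1, "unknown": 2, "deny": 3}  # lower = more permissive
TOKEN = re.compile(r"\(|\)|[A-Za-z0-9.+/*-]+")
RESERVED = {"AND", "OR", "WITH", "(", ")"}

def classify(lic):
    """Verdict for one license id; the policy lists are checked strictest first."""
    for verdict in ("deny", "require_review", "allow"):
        if any(lic == p or (p.endswith("*") and lic.startswith(p[:-1])) for p in POLICY[verdict]):
            return verdict
    return "unknown"

def parse(tokens):
    """Recursive-descent SPDX expression parser: OR binds loosest, then AND, then WITH."""
    peek = lambda i: tokens[i] if i < len(tokens) else None
    def chain(op, sub, i):  # left-associative `sub (op sub)*`
        left, i = sub(i)
        while peek(i) == op:
            right, i = sub(i + 1)
            left = (op, left, right)
        return left, i
    def expr(i): return chain("OR", lambda j: chain("AND", primary, j), i)
    def primary(i):
        if peek(i) == "(":
            node, i = expr(i + 1)
            if peek(i) != ")": raise ValueError("unbalanced parentheses")
            return node, i + 1
        if peek(i) is None or peek(i) in RESERVED: raise ValueError(f"license id expected at token {i}")
        node, i = ("ID", tokens[i]), i + 1
        if peek(i) == "WITH":  # `X WITH exception` binds tightest
            if peek(i + 1) is None or peek(i + 1) in RESERVED: raise ValueError("exception id expected")
            node, i = ("WITH", node, tokens[i + 1]), i + 2
        return node, i
    node, i = expr(0)
    if i != len(tokens): raise ValueError("unexpected trailing tokens")
    return node

def evaluate(node):  # AND takes the strictest side, OR the most permissive option that passes policy
    kind = node[0]
    if kind == "ID": return classify(node[1])
    if kind == "WITH":  # assumption: an exact "X WITH Y" policy entry wins, else the base license verdict
        exact = classify(f"{node[1][1]} WITH {node[2]}")
        return exact if exact != "unknown" else evaluate(node[1])
    left, right = evaluate(node[1]), evaluate(node[2])
    return (max if kind == "AND" else min)(left, right, key=RANK.get)

def evaluate_expression(spdx): return evaluate(parse(TOKEN.findall(spdx)))
```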

Exceptions

Temporary license exceptions follow the same exception workflow as vulnerability exceptions:

  • Named approver.
  • Expiry date.
  • Documented business justification.
  • Auto-expire and re-evaluate at expiry.

Reports

The Licenses dashboard shows:

  • License distribution across your fleet.
  • New-license introductions over time (new obligations adopted).
  • Policy violation count and trend.
  • Per-asset license manifest for export (Excel, CSV, SPDX, CycloneDX).

API

safeguard licenses list --project my-api
safeguard licenses report --project my-api --format spdx > report.spdx.json
safeguard licenses policy evaluate --policy default.yaml --sbom sbom.cdx.json
