
SPDX

The other standard SBOM format — ISO-approved and license-focused.

What is SPDX?

SPDX (Software Package Data Exchange) is an open SBOM standard hosted by the Linux Foundation. It was originally designed to let organisations exchange precise, unambiguous information about the licenses of open-source components, and has since expanded to describe packages, files, snippets, relationships, and external references such as CPE and purl identifiers that let vulnerability databases be correlated with the inventory.

In 2021, SPDX 2.2.1 was published as ISO/IEC 5962:2021. That makes it the only SBOM format with formal ISO approval (CycloneDX is standardised by Ecma International as ECMA-424, not by ISO), which matters in highly regulated procurement processes and for jurisdictions that require ISO-aligned artifacts.

How it works

SPDX 2.x documents can be serialised as JSON, YAML, RDF/XML, tag-value text, or a spreadsheet; the data model is the same regardless of syntax, so a document can be converted between them without loss. The core building blocks are:

  1. Packages and files. Each component is a Package; optionally you can go down to individual Files, each carrying checksums (SHA-1 is mandatory, SHA-256 and others optional) and its own license findings, with the package carrying a verification code computed over the hashes of the files it contains. This fine granularity is where SPDX's compliance heritage shows — auditors can trace a license claim to a specific file.
  2. License identifiers. SPDX maintains the canonical short-identifier list that nearly every tool uses (MIT, Apache-2.0, GPL-3.0-or-later). License expressions combine identifiers with AND, OR, WITH (for exceptions such as Classpath-exception-2.0) and parentheses, so dual-licensed and mixed-license cases are machine-readable; licenses not on the list are referenced with a LicenseRef- prefix defined in the document. NOASSERTION and NONE are reserved values meaning "not determined" and "no license found".
  3. Relationships. A rich, directional relationship model (DESCRIBES, DEPENDS_ON, CONTAINS, STATIC_LINK, DYNAMIC_LINK, GENERATED_FROM, BUILD_TOOL_OF, and dozens more) lets the document describe exactly how components relate. Direction matters: "A STATIC_LINK B" states that A statically links B, and "A BUILD_TOOL_OF B" states that A is used only to build B. Those distinctions are essential for copyleft analysis, because a statically linked LGPL library and a GPL build tool create very different obligations.
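
The three building blocks above, put to work. This is an added example and not code from Safeguard or the SPDX project: it builds a small SPDX 2.3 JSON document for a hypothetical application, checks that every license expression uses an identifier from a (constructed, deliberately tiny) slice of the SPDX License List and that every relationship points at an SPDXID the document actually defines, then walks DEPENDS_ON, STATIC_LINK and CONTAINS edges from the described root to list the elements whose concluded license is flagged as copyleft. The package and file names, the vendored source bytes, and the choice of which licenses count as copyleft and which relationship types propagate obligations are all assumptions made for the example.

```python
"""Build, validate and query a minimal SPDX 2.3 JSON document.
Added illustration (constructed data); not Safeguard's or SPDX's own code."""
import hashlib
import json
import re

# Constructed subset of the SPDX License List (the real list has hundreds
# of entries). The bool marks ids treated as copyleft for the exposure
# check below: an assumption for this example, not SPDX metadata.
KNOWN_LICENSES = {"MIT": False, "Apache-2.0": False, "GPL-2.0-only": True,
                  "GPL-3.0-or-later": True, "LGPL-2.1-only": True}
KNOWN_EXCEPTIONS = {"Classpath-exception-2.0"}
# Relationship types assumed to carry copyleft obligations from A to B.
EXPOSURE_EDGES = {"DEPENDS_ON", "STATIC_LINK", "CONTAINS"}
# Constructed vendored source file; its hashes go into the SPDX File entry.
VENDORED_SRC = b"/* vendored from an LGPL project (constructed) */\nint f(void) { return 1; }\n"
_TOKEN = re.compile(r"\(|\)|[A-Za-z0-9.+-]+")


def _pkg(name, version, concluded, declared=None, file_sha1s=None):
    """One SPDX Package entry; SPDXID derived from the (hypothetical) name."""
    pkg = {"name": name, "SPDXID": f"SPDXRef-Package-{name}", "versionInfo": version,
           "downloadLocation": "NOASSERTION", "filesAnalyzed": file_sha1s is not None,
           "licenseConcluded": concluded, "licenseDeclared": declared or concluded,
           "copyrightText": "NOASSERTION"}
    if file_sha1s is not None:  # SPDX verification code: SHA-1 over sorted file SHA-1s
        digest = hashlib.sha1("".join(sorted(file_sha1s)).encode()).hexdigest()
        pkg["packageVerificationCode"] = {"packageVerificationCodeValue": digest}
    return pkg


def build_document():
    """Return an SPDX 2.3 document (as a dict) for a hypothetical app."""
    sha1 = hashlib.sha1(VENDORED_SRC).hexdigest()
    return {
        "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT",
        "name": "example-app-1.4.0",
        "documentNamespace": "https://example.invalid/spdx/example-app-1.4.0",
        "creationInfo": {"created": "2024-01-01T00:00:00Z",
                         "creators": ["Tool: example-sbom-builder"]},
        "packages": [
            _pkg("example-app", "1.4.0", "MIT", file_sha1s=[sha1]),
            _pkg("jsonlib", "3.2.1", "(Apache-2.0 OR MIT) AND LicenseRef-vendor-eula",
                 declared="Apache-2.0 OR MIT"),
            _pkg("libcrypto-wrapper", "0.9", "LGPL-2.1-only"),
            _pkg("gpltool", "2.0", "GPL-2.0-only WITH Classpath-exception-2.0"),
        ],
        "files": [{"fileName": "./src/vendored.c", "SPDXID": "SPDXRef-File-vendored",
                   "checksums": [{"algorithm": "SHA1", "checksumValue": sha1},
                                 {"algorithm": "SHA256",
                                  "checksumValue": hashlib.sha256(VENDORED_SRC).hexdigest()}],
                   "licenseConcluded": "LGPL-2.1-only", "copyrightText": "NOASSERTION"}],
        "relationships": [
            {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
             "relatedSpdxElement": "SPDXRef-Package-example-app"},
            {"spdxElementId": "SPDXRef-Package-example-app", "relationshipType": "DEPENDS_ON",
             "relatedSpdxElement": "SPDXRef-Package-jsonlib"},
            {"spdxElementId": "SPDXRef-Package-example-app", "relationshipType": "STATIC_LINK",
             "relatedSpdxElement": "SPDXRef-Package-libcrypto-wrapper"},
            # Package-level license says MIT, but a contained file is LGPL.
            {"spdxElementId": "SPDXRef-Package-example-app", "relationshipType": "CONTAINS",
             "relatedSpdxElement": "SPDXRef-File-vendored"},
            # "gpltool BUILD_TOOL_OF example-app": used to build it, not shipped in it.
            {"spdxElementId": "SPDXRef-Package-gpltool", "relationshipType": "BUILD_TOOL_OF",
             "relatedSpdxElement": "SPDXRef-Package-example-app"},
        ],
    }


def license_ids(expression):
    """Split an SPDX license expression into (license ids, exception ids),
    honouring AND / OR / WITH and parentheses."""
    ids, exceptions, prev = [], [], None
    for tok in _TOKEN.findall(expression):
        if tok not in ("AND", "OR", "WITH", "(", ")"):
            (exceptions if prev == "WITH" else ids).append(tok)
        prev = tok
    return ids, exceptions


def validate(doc):
    """Problems found: unknown license ids/exceptions, dangling relationships."""
    problems, known_ids = [], {doc["SPDXID"]}
    for element in doc.get("packages", []) + doc.get("files", []):
        known_ids.add(element["SPDXID"])
        for field in ("licenseConcluded", "licenseDeclared"):
            expr = element.get(field)
            if expr in (None, "NONE", "NOASSERTION"):
                continue
            ids, exceptions = license_ids(expr)
            problems += [f"{element['SPDXID']}.{field}: unknown license {lic}" for lic in ids
                         if lic not in KNOWN_LICENSES and not lic.startswith("LicenseRef-")]
            problems += [f"{element['SPDXID']}.{field}: unknown exception {exc}"
                         for exc in exceptions if exc not in KNOWN_EXCEPTIONS]
    for rel in doc.get("relationships", []):
        problems += [f"{rel['relationshipType']}: undefined element {rel[key]}"
                     for key in ("spdxElementId", "relatedSpdxElement") if rel[key] not in known_ids]
    return problems


def copyleft_exposure(doc):
    """Sorted SPDXIDs reachable from the DESCRIBES root over EXPOSURE_EDGES whose
    concluded license contains a copyleft id. BUILD_TOOL_OF is not followed."""
    elements = {e["SPDXID"]: e for e in doc.get("packages", []) + doc.get("files", [])}
    edges, roots = {}, []
    for rel in doc.get("relationships", []):
        if rel["relationshipType"] == "DESCRIBES" and rel["spdxElementId"] == doc["SPDXID"]:
            roots.append(rel["relatedSpdxElement"])
        elif rel["relationshipType"] in EXPOSURE_EDGES:
            edges.setdefault(rel["spdxElementId"], []).append(rel["relatedSpdxElement"])
    seen, stack, hits = set(), list(roots), []
    while stack:
        sid = stack.pop()
        if sid in seen:
            continue
        seen.add(sid)
        ids, _ = license_ids(elements.get(sid, {}).get("licenseConcluded", "NOASSERTION"))
        if any(KNOWN_LICENSES.get(lic, False) for lic in ids):
            hits.append(sid)
        stack.extend(edges.get(sid, []))
    return sorted(hits)


if __name__ == "__main__":
    document = build_document()
    print(json.dumps(document, indent=2))
    print("problems:", validate(document))
    print("copyleft exposure:", copyleft_exposure(document))
```

Run as a script it prints the document, an empty problem list, and two exposed elements: the statically linked LGPL wrapper and the LGPL file hidden inside an MIT-declared package, which a package-level scan would miss. The GPL build tool is not reported because BUILD_TOOL_OF is not one of the edge types that ship code to the customer; that is the kind of distinction the relationship model exists to express, and the exposure logic (which licenses count as copyleft, which edges propagate) is the part a legal team would want to review, not something the SPDX format decides for you.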

Why it matters

If the primary question is "what are we shipping and under which licenses?" — SPDX is the format with the deepest answer. Its file-level precision is often demanded by OSPO (open-source program office) workflows, M&A code audits, and sectors where license violations create material liability.

SPDX is also named, alongside CycloneDX, in the NTIA minimum-elements guidance issued under US Executive Order 14028, and it is one of the machine-readable formats referenced in EU Cyber Resilience Act SBOM guidance, so producing both is table stakes for global software vendors.

What value it adds

  • ISO/IEC 5962 status

    The only ISO-standardised SBOM format — reduces friction in procurement requiring ISO-aligned documentation.

  • File-level license precision

    Component-plus-file granularity catches mixed-license edge cases that package-level tools miss entirely.

  • Canonical license identifiers

    The SPDX License List is the industry source of truth; every serious license scanner speaks SPDX short-IDs.

  • Rich relationship model

    Dynamic vs static linkage, derivation, containment — the distinctions that matter for copyleft obligations are first-class.

  • Stable, conservative spec

    Changes slowly and carefully, which downstream consumers (especially auditors and legal teams) appreciate.

How Safeguard uses it

Safeguard emits SPDX 2.3 (and, on request, SPDX 3.0) alongside CycloneDX for every scanned artifact. The SPDX export is the default when customers send SBOMs to regulators, OSPO platforms, or into compliance workflows that expect ISO/IEC 5962-aligned documents (the ISO text corresponds to SPDX 2.2.1; 2.3 is a backward-compatible revision of it).

Produce SPDX that passes audit.

Safeguard's SPDX output is ISO/IEC 5962-conformant, signed, and generated automatically for every repo, image, and release.