Safeguard
SBOM & Compliance

Open Source License Compliance: Automating License Risk R...

Manual license audits miss GPL contamination and copyleft traps. Here's how automated license risk reports work, and how Safeguard stacks up against Endor Labs.

Marina Petrov
Compliance Analyst
7 min read

Open source components now make up 70-90% of the average application codebase, and every one of them arrives with a license attached — MIT, Apache 2.0, GPL, AGPL, MPL, or something more obscure buried three transitive dependencies deep. When a legal team asks "are we compliant?", most engineering orgs still answer with a shrug, a stale spreadsheet, or a manual pip licenses dump nobody has refreshed since the last funding round. That gap becomes a real liability the moment an M&A due diligence process, an enterprise procurement questionnaire, or a compliance audit surfaces a copyleft license buried in a build dependency. Endor Labs has built part of its pitch around solving this with dependency-level license classification. This post breaks down what automated license risk reporting actually needs to do — SBOM-driven scanning, obligation classification, policy gating, and remediation guidance — and where Safeguard's approach fits for teams that want compliance evidence without a dedicated headcount to produce it.

What Makes Open Source License Compliance Hard to Automate?

The core difficulty is that license risk isn't a single fact about a package — it's a function of how you use it, and that context rarely exists in machine-readable form. A package published under Apache 2.0 is low-risk in isolation, but if you statically link it into proprietary firmware, or if it's actually dual-licensed and your build pulls the GPLv3 variant by default (this happens with packages like readline and some FFmpeg builds), the risk profile flips. On top of that, license metadata in package registries is frequently wrong or missing: a 2023 audit-tooling study found that roughly 15-20% of npm and PyPI packages either declare no license field or declare one that conflicts with the actual LICENSE file in the repo. Transitive dependencies compound the problem — a typical Node.js project with 30 direct dependencies commonly resolves to 800-1,200 transitive packages, and any one of them can carry an AGPL-3.0 or SSPL license that triggers copyleft obligations for the whole distributed artifact. Manual review at that scale simply doesn't scale.

How Do License Risk Reports Actually Get Generated?

License risk reports get generated by pairing SBOM generation with a license classification and obligation-mapping engine, then running the result against an org-specific policy. The pipeline looks like this in practice: first, generate a CycloneDX or SPDX SBOM at build time (not from source scanning alone, since that misses containerized and vendored dependencies); second, resolve declared-vs-detected license for every component, because declared metadata and the actual license text disagree often enough to matter; third, classify each license into a risk tier — permissive (MIT, BSD, Apache-2.0), weak copyleft (LGPL, MPL-2.0), strong copyleft (GPL-3.0, AGPL-3.0), or non-OSI/commercial-restricted (SSPL, BUSL); fourth, map detected obligations (attribution, source disclosure, network-copyleft triggers) against how the component is actually consumed. Endor Labs' license capability leans on its dependency reachability graph to add a "is this code path actually called" layer on top of the classification, which is a genuinely useful signal for prioritization — it's the difference between a GPL utility sitting unused in a dev-only test harness versus one compiled into your shipped binary.

Why Did GPL and AGPL Suddenly Become a Board-Level Concern?

AGPL and SSPL exposure became a board-level concern because SaaS companies got burned by "network copyleft" clauses they didn't know applied to hosted software. AGPL-3.0, published in 2007, closed the "ASP loophole" in GPL by requiring source disclosure even when software is only offered as a network service rather than distributed — meaning a company that embeds an AGPL-licensed library in its backend can be obligated to release modifications to its entire connected codebase, not just the library. MongoDB's 2018 switch to SSPL (in response to cloud providers reselling MongoDB-as-a-service without contributing back) and Elastic's 2021 license change away from Apache 2.0 both put this exact issue in front of procurement and legal teams overnight: software that was "safe" under one license became a redistribution risk under the next release. Enterprise buyers now routinely ask vendors for a full license inventory during security questionnaires (this shows up in SIG Lite and CAIQ assessments), and a single AGPL component discovered late in a due diligence cycle has delayed at least one publicly reported acquisition in the software sector. The lesson: license risk isn't static — a dependency's license can change on you between minor version bumps, and a compliance report generated six months ago is not evidence of anything today.

What Should an Automated License Compliance Policy Actually Enforce?

An effective policy enforces license risk gates at the same point pull requests and builds already get gated for vulnerabilities — not as a quarterly legal review. Concretely, that means: blocking merges that introduce a new strong-copyleft (GPL-3.0, AGPL-3.0) or non-OSI-approved license without an explicit legal exception; flagging (not necessarily blocking) weak-copyleft additions like LGPL-2.1 or MPL-2.0 for review, since these are usually fine but depend on linking method; requiring attribution-obligation tracking for permissive licenses that mandate notice files (BSD-3-Clause, Apache-2.0's NOTICE requirement) so you don't ship a product missing required copyright notices; and re-evaluating every component on every build, because a package can relicense between versions — Chef did this in 2019, moving from Apache 2.0 to a proprietary license overnight, and any org still ingesting Chef cookbooks without re-scanning would have shipped a policy violation without a single line of their own code changing. This is where policy-as-code matters more than a one-time audit: a report generated at release time in Q1 tells you nothing about the dependency your team upgraded in Q3.

Can You Get Full License Coverage Without a Dedicated Compliance Team?

Yes, but only if the tooling handles resolution and classification automatically rather than requiring someone to manually tag each of the 800+ transitive dependencies in a typical build. The manual alternative — a spreadsheet updated by whoever remembers to run license-checker before a release — has an obvious failure mode: it goes stale within one sprint, and nobody notices until an auditor or acquirer asks for it. Endor Labs and comparable platforms address this by tying license data into the same SBOM and dependency graph they already maintain for vulnerability management, so license classification is a byproduct of infrastructure you're running anyway rather than a separate workstream. The realistic bar for "full coverage without a dedicated team" is: SBOMs generated on every build (not on-demand), license data refreshed on every dependency change (not quarterly), and policy violations surfaced in the PR where they're introduced (not in a report three release cycles later). Teams that hit all three typically report going from multi-day manual license audits before a compliance milestone to near-zero manual effort, because the report already exists and is already current.

How Safeguard Helps

Safeguard treats license compliance as a continuous property of your software supply chain rather than a point-in-time report. Every SBOM Safeguard generates — at build time, from container images, and from source — carries resolved license data for direct and transitive dependencies, cross-checked against actual license text rather than trusting registry metadata alone, which catches the 15-20% of packages where declared and actual licenses diverge. Safeguard's policy engine lets teams codify exactly the kind of tiered gating described above: block strong-copyleft and non-OSI licenses at the PR stage, flag weak-copyleft for review, and track attribution obligations automatically, all enforced in CI before code merges rather than discovered during an acquisition's due diligence window. Because license data lives in the same continuously-updated SBOM used for vulnerability and provenance tracking, a relicensing event like Chef's 2019 shift or a newly-introduced AGPL transitive dependency gets flagged the moment it enters a build, not the next time someone remembers to run an audit. For teams evaluating Endor Labs specifically, the comparison usually comes down to whether license compliance is a bolt-on report or a native part of the same pipeline already producing your SBOMs and vulnerability findings — Safeguard is built around the latter, so the license risk report you hand to legal or a prospective acquirer is always the same data your engineers are already gated on, with no reconciliation step in between.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.