Safeguard
Tag

license-compliance

Safeguard articles tagged "license-compliance" — guides, analysis, and best practices for software supply chain and application security.

58 articles

Software Supply Chain Security

SPDX

What is SPDX? A plain-English guide to the ISO-standard SBOM and license format that documents what's really inside your software.

Mar 3, 20267 min read
Supply Chain

Open Source Security Management: From Policy to Pipeline

A policy document nobody enforces is theater. Here is how to turn open source rules into pipeline checks that developers can live with.

Feb 12, 20265 min read
Open Source Security

What is a Software License

A software license governs how open source code can be used, modified, and redistributed — and license conflicts now carry real contract-law risk, as the Vizio GPL case shows.

Feb 9, 20269 min read
Open Source Security

What is License Scanning

License scanning finds every open source license in your dependency tree before it becomes a legal or compliance problem — here's how it works and why it changed in 2024.

Feb 4, 20266 min read
Open Source

Open Source Risk Management: Beyond Vulnerability Scanning

Vulnerability scanning catches known CVEs. But open source risk goes deeper — license compliance, maintainer health, dependency freshness, and supply chain attacks.

Jan 5, 20263 min read
Buyer's Guides

Best open source software composition analysis (SCA) tools

A practical comparison of the best open source SCA tools — vulnerability coverage, license scanning, and CI/CD fit — with honest strengths and limitations for each.

Nov 17, 20258 min read
Buyer's Guides

Best open source license compliance tools

A practical comparison of open source license compliance tools—FOSSA, Mend, Black Duck, Snyk, and more—covering detection accuracy, policy engines, and SBOM support.

Nov 14, 20258 min read
Compliance

Automating Open Source License Compliance: From Manual Audits to Continuous Enforcement

Manual license audits cannot keep pace with modern dependency trees. Automated license detection, policy enforcement, and compliance documentation turn a legal bottleneck into a developer workflow.

Nov 8, 20258 min read
Buyer's Guides

Best open source audit tools for M&A due diligence

A practical buyer's guide to open source audit tools for M&A due diligence, comparing ScanCode, FOSSology, ORT, Syft/Grype, FOSSA, and Black Duck.

Nov 5, 20258 min read
Guides

How to Set Up Dependency Review on GitHub Pull Requests

GitHub's dependency-review-action can block PRs that introduce vulnerable or badly-licensed packages. Here is the exact configuration, plus the cases it silently misses.

Sep 17, 20255 min read
Compliance

How Snyk's open-source license compliance engine classifi...

How Snyk's license compliance engine groups open-source licenses and maps them to low, medium, high, and critical severity levels.

Aug 25, 20257 min read
Open Source Security

How Snyk's default license policy is structured and how t...

How Snyk structures its default license policy—severity tiers, unknown-license handling, and PR enforcement—and the concrete steps to customize it for your org.

Aug 24, 20257 min read
license-compliance (Page 3) — Safeguard Blog