license-compliance
Safeguard articles tagged "license-compliance" — guides, analysis, and best practices for software supply chain and application security.
58 articles
SPDX
What is SPDX? A plain-English guide to the ISO-standard SBOM and license format that documents what's really inside your software.
Open Source Security Management: From Policy to Pipeline
A policy document nobody enforces is theater. Here is how to turn open source rules into pipeline checks that developers can live with.
What is a Software License
A software license governs how open source code can be used, modified, and redistributed — and license conflicts now carry real contract-law risk, as the Vizio GPL case shows.
What is License Scanning
License scanning finds every open source license in your dependency tree before it becomes a legal or compliance problem — here's how it works and why it changed in 2024.
Open Source Risk Management: Beyond Vulnerability Scanning
Vulnerability scanning catches known CVEs. But open source risk goes deeper — license compliance, maintainer health, dependency freshness, and supply chain attacks.
Best open source software composition analysis (SCA) tools
A practical comparison of the best open source SCA tools — vulnerability coverage, license scanning, and CI/CD fit — with honest strengths and limitations for each.
Best open source license compliance tools
A practical comparison of open source license compliance tools—FOSSA, Mend, Black Duck, Snyk, and more—covering detection accuracy, policy engines, and SBOM support.
Automating Open Source License Compliance: From Manual Audits to Continuous Enforcement
Manual license audits cannot keep pace with modern dependency trees. Automated license detection, policy enforcement, and compliance documentation turn a legal bottleneck into a developer workflow.
Best open source audit tools for M&A due diligence
A practical buyer's guide to open source audit tools for M&A due diligence, comparing ScanCode, FOSSology, ORT, Syft/Grype, FOSSA, and Black Duck.
How to Set Up Dependency Review on GitHub Pull Requests
GitHub's dependency-review-action can block PRs that introduce vulnerable or badly-licensed packages. Here is the exact configuration, plus the cases it silently misses.
How Snyk's open-source license compliance engine classifi...
How Snyk's license compliance engine groups open-source licenses and maps them to low, medium, high, and critical severity levels.
How Snyk's default license policy is structured and how t...
How Snyk structures its default license policy—severity tiers, unknown-license handling, and PR enforcement—and the concrete steps to customize it for your org.