Find The AGPL Before Legal Does.
SPDX-aware scanning across every dependency in every repo. Policy-driven gates that block copyleft licences from closed-source products. Audit packets that legal can read without translation. M&A diligence ready on a day's notice.
Licence Surprises Always Land At The Worst Time.
An AGPL transitive dependency hides in the build for two years. Diligence counsel finds it the week before close. The deal price moves or the term sheet adds a remediation rider. The engineering team owns the consequences either way.
Lock-files lie by omission — they list the package but not its current licence. Transitive deps add licences the direct list never mentioned. Multi-licensed packages pick a variant per language ecosystem. The standard spreadsheet workflow collapses under any of these conditions.
Safeguard's scanner-suite reads the artefact, resolves the SPDX identifier from the package text (not just metadata), evaluates against a versioned policy repo, and produces an audit packet — every time the dependency graph changes.
Metadata Is Not Truth
package.json says MIT; the LICENSE file in the tarball says GPL-3.0-only. Metadata scanners stop at one; the artefact scanner reads both and reconciles.
Transitive Sprawl Is Invisible
Your direct list has 90 packages. The transitive closure has 4,200. A single AGPL hop inside a 7-deep transitive chain ships unnoticed until diligence.
Multi-Licence Pickers Are Hard
Many packages are dual-licensed — the consumer chooses. Without a stated election the conservative interpretation applies, often the worst-for-you variant.
Policy Lives In A Wiki
Legal's view of acceptable licences lives in a Confluence page that engineering hasn't read. The result is well-meaning ignorance until the diligence call.
Scan, Reconcile, Gate, And Archive.
SPDX-Aware Artefact Scanner
Reads the package archive itself — LICENSE, NOTICE, COPYING, in-source headers — and produces a canonical SPDX expression for every dependency, including dual-licence elections.
Policy-As-Code Gates
Allowed / restricted / blocked licence sets live in a Git-backed policy repo. CI gates evaluate the dependency graph against the active policy on every PR.
Auto-Generated Audit Packets
For each release, the platform emits a NOTICE roll-up, the SBOM with SPDX identifiers, the policy hash, and the gate decision log — signed and timestamped.
M&A Diligence Bundle
One-click export produces the diligence-grade evidence pack: per-product licence inventory, policy history, exception register, and counsel-readable summary.
From Commit To Counsel-Ready Packet.
SCA resolves the full transitive dependency graph per package manager (npm, pypi, maven, cargo, gem, go-mod).
The scanner pulls each package, reads LICENSE / NOTICE / in-source headers, and reconciles against package metadata.
Output normalised to SPDX 3.0 expressions; dual-licence elections recorded explicitly per project.
Versioned policy repo evaluates each licence against allow / warn / block sets; gate decision attached to the PR.
Successful build produces NOTICE roll-up, SPDX SBOM, policy hash, and signed decision log; archived per release.
One-click export aggregates the per-product evidence into a counsel-readable bundle — ready for any acquirer ask.
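The reconcile, normalise and gate steps above, as an added example that is not Safeguard's own code: it parses an SPDX licence expression (AND binds tighter than OR), honours a recorded dual-licence election or, absent one, takes the conservative worst-case reading, lets the artefact's LICENSE text override package metadata, and fails the PR if any node in the graph is blocked. The policy sets, dependency names and licence strings are constructed for the example.

```python
import re
# Constructed allow/warn/block sets; a real deployment loads them from the versioned policy repo.
POLICY = {"allow": {"MIT", "Apache-2.0", "BSD-3-Clause", "ISC"},
          "warn": {"MPL-2.0", "LGPL-3.0-only"},
          "block": {"GPL-3.0-only", "AGPL-3.0-only"}}
SEVERITY = {"allow": 0, "warn": 1, "block": 2}
_TOKEN = re.compile(r"\(|\)|\bAND\b|\bOR\b|[A-Za-z0-9.+-]+")

def evaluate(expr, election=None):
    """Verdict for an SPDX expression: AND takes the worst conjunct; OR honours a
    recorded election, otherwise the conservative (worst) alternative applies."""
    tokens, pos = _TOKEN.findall(expr), 0
    def parse_atom():  # a licence id, or a parenthesised sub-expression
        nonlocal pos
        tok, pos = tokens[pos], pos + 1
        if tok != "(":  # ids missing from every policy set fail closed
            return next((v for v, ids in POLICY.items() if tok in ids), "block"), tok
        inner, pos = parse_or(), pos + 1  # consume the matching ')'
        return inner
    def parse_seq(op, sub):  # op-separated sequence; each item is (verdict, id or None)
        nonlocal pos
        items = [sub()]
        while pos < len(tokens) and tokens[pos] == op:
            pos += 1
            items.append(sub())
        if op == "OR":
            elected = [i for i in items if election and i[1] == election]
            if elected:
                return elected[0]  # explicit election recorded for this project
        return items[0] if len(items) == 1 else (max(items, key=lambda i: SEVERITY[i[0]])[0], None)
    parse_and = lambda: parse_seq("AND", parse_atom)  # AND binds tighter than OR
    parse_or = lambda: parse_seq("OR", parse_and)
    return parse_or()[0]

def gate_graph(deps):
    """PR gate: the artefact's LICENSE text overrides package metadata when they differ,
    and one blocked node anywhere in the transitive closure fails the merge."""
    verdicts = {d["name"]: evaluate(d.get("artefact") or d["metadata"], d.get("election")) for d in deps}
    mismatched = sorted(d["name"] for d in deps if d.get("artefact", d["metadata"]) != d["metadata"])
    blocked = sorted(n for n, v in verdicts.items() if v == "block")
    return {"merge": not blocked, "blocked": blocked, "mismatched": mismatched, "verdicts": verdicts}

# Constructed sample graph covering the metadata-vs-tarball and dual-licence cases from the page.
SAMPLE_DEPS = [
    {"name": "tarball-says-gpl", "metadata": "MIT", "artefact": "GPL-3.0-only"},
    {"name": "dual-no-election", "metadata": "MIT OR GPL-3.0-only", "artefact": "MIT OR GPL-3.0-only"},
    {"name": "dual-elected", "metadata": "MIT OR GPL-3.0-only", "artefact": "MIT OR GPL-3.0-only", "election": "MIT"},
    {"name": "deep-agpl", "metadata": "MIT", "artefact": "(MIT AND AGPL-3.0-only) OR MPL-2.0"},
]
```

Calling `gate_graph(SAMPLE_DEPS)` returns `merge: False` with the three copyleft-tainted nodes listed under `blocked`; only the package with a recorded MIT election passes.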
No More Diligence Surprises.
Copyleft Blocked Pre-Merge
Always-Current NOTICE
M&A Ready Any Day
Pair with SCA for the dependency graph, SBOM Studio for emitting the artefacts, and M&A diligence for the acquirer playbook.
Make Legal's Job Boring.
Connect one repo and we'll return a full SPDX inventory plus a copyleft heatmap within the hour.