SPDX-aware scanning across every dependency in every repo. Policy-driven gates that block copyleft licences from closed-source products. Audit packets that legal can read without translation. M&A diligence ready on a day's notice.
An AGPL transitive dependency hides in the build for two years. Diligence counsel finds it the week before close. The deal price moves or the term sheet adds a remediation rider. The engineering team owns the consequences either way.
Lock-files lie by omission: they pin a package version but say nothing about the licence that version carries. Transitive deps add licences the direct list never mentioned. Multi-licensed packages declare a different variant in each ecosystem's metadata. The standard spreadsheet workflow collapses under any one of these conditions.
Safeguard's scanner-suite reads the artefact, resolves the SPDX identifier from the package text (not just metadata), evaluates against a versioned policy repo, and produces an audit packet — every time the dependency graph changes.
package.json says MIT; the LICENSE file in the tarball says GPL-3.0-only. Metadata-only scanners stop at the first; the artefact scanner reads both and reconciles them, with the licence text taking precedence over the declared field.
Your direct list has 90 packages. The transitive closure has 4,200. A single AGPL hop inside a 7-deep transitive chain ships unnoticed until diligence.
Many packages are dual-licensed ("MIT OR GPL-3.0-only"); the consumer chooses. Without a recorded election, diligence counsel applies the conservative reading and assumes the most restrictive variant, usually the worst one for you.
Legal's view of acceptable licences lives in a Confluence page that engineering has never read. The result is well-meaning ignorance until the diligence call.
Reads the package archive itself — LICENSE, NOTICE, COPYING, in-source headers — and produces a canonical SPDX expression for every dependency, including dual-licence elections.
Allow / warn / block licence sets live in a Git-backed policy repo, so every change to policy is reviewed, versioned and attributable. CI gates evaluate the dependency graph against the active policy on every PR.
For each release, the platform emits a NOTICE roll-up, the SBOM with SPDX identifiers, the policy hash, and the gate decision log — signed and timestamped.
One-click export produces the diligence-grade evidence pack: per-product licence inventory, policy history, exception register, and counsel-readable summary.
SCA resolves the full transitive dependency graph per package manager (npm, PyPI, Maven, Cargo, RubyGems, Go modules).
The scanner pulls each package, reads LICENSE / NOTICE / in-source headers, and reconciles against package metadata.
Output normalised to SPDX 3.0 licence expressions; dual-licence elections recorded explicitly per project, so an OR is evaluated against the variant you actually chose.
Versioned policy repo evaluates each licence against allow / warn / block sets; gate decision attached to the PR.
A successful build produces the NOTICE roll-up, SPDX SBOM, policy hash, and signed decision log, archived per release so each decision can be traced to the exact policy it was evaluated against.
One-click export aggregates the per-product evidence into a counsel-readable bundle — ready for any acquirer ask.
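The pipeline above, end to end, as an added example in Python (this is illustrative code, not Safeguard's scanner): it reads licence text and reconciles it against the declared metadata, normalises to a flat SPDX expression, honours recorded dual-licence elections (and applies the conservative reading when there is none), walks the transitive graph, evaluates a versioned allow / warn / block policy and emits a decision log pinned to a canonical hash of that policy. The policy, the four-phrase licence fingerprint table, the dependency graph and the package data are all constructed for the example; treating an unlisted licence as a block is this example's fail-closed choice.

```python
import hashlib
import json
import re
from typing import Optional, Tuple

# Constructed policy standing in for the Git-backed policy repo.
POLICY = {
    "version": "2024-06-01",
    "allow": ["MIT", "Apache-2.0", "BSD-3-Clause", "ISC"],
    "warn": ["LGPL-2.1-only", "LGPL-3.0-only", "MPL-2.0"],
    "block": ["GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only", "SSPL-1.0"],
}
RANK = {"allow": 0, "warn": 1, "block": 2, "unknown": 3}  # worst-case ordering

# Toy fingerprint table (assumed): a phrase from the licence text -> SPDX id.
# A real scanner matches the full SPDX list; AGPL precedes GPL so the more
# specific header wins.
FINGERPRINTS = [
    ("gnu affero general public license", "AGPL-3.0-only"),
    ("gnu general public license", "GPL-3.0-only"),
    ("permission is hereby granted, free of charge", "MIT"),
    ("apache license", "Apache-2.0"),
]

def policy_hash(policy: dict = POLICY) -> str:
    """Canonical SHA-256 of the policy, so the log pins what was evaluated."""
    canon = {k: sorted(v) if isinstance(v, list) else v for k, v in policy.items()}
    return hashlib.sha256(json.dumps(canon, sort_keys=True).encode()).hexdigest()

def classify(lic_id: str, policy: dict = POLICY) -> str:
    """Tier of one SPDX identifier; anything unlisted is 'unknown'."""
    for tier in ("allow", "warn", "block"):
        if lic_id in policy[tier]:
            return tier
    return "unknown"

def licence_from_text(text: str) -> Optional[str]:
    """Resolve the SPDX id from the LICENSE/COPYING text, not from metadata."""
    lowered = text.lower()
    return next((spdx for phrase, spdx in FINGERPRINTS if phrase in lowered), None)

def reconcile(metadata: str, licence_text: Optional[str]) -> Tuple[str, bool]:
    """Artefact text wins over metadata; returns (expression, mismatch).
    Text matching one alternative of a declared dual licence keeps the
    declaration (a tarball often ships only one of its LICENSE-* files)."""
    from_text = licence_from_text(licence_text) if licence_text else None
    if from_text is None:
        return metadata, False
    declared = re.split(r"\s+(?:AND|OR)\s+", metadata.strip("() "))
    return (metadata, False) if from_text in declared else (from_text, True)

def evaluate(expr: str, election: Optional[str] = None, policy: dict = POLICY) -> str:
    """Tier for a flat SPDX expression (no nested parentheses).
    AND: every conjunct must pass, so the worst tier wins.  OR: use the recorded
    election if it is an alternative; otherwise the worst-for-you variant."""
    worst = "allow"
    for conjunct in re.split(r"\s+AND\s+", expr):
        alts = [a.strip("() ") for a in re.split(r"\s+OR\s+", conjunct)]
        if election in alts:
            tier = classify(election, policy)
        else:
            tier = max((classify(a, policy) for a in alts), key=RANK.__getitem__)
        worst = max(worst, tier, key=RANK.__getitem__)
    return worst

def walk(graph, root):
    """Transitive closure from root, remembering one path to each package."""
    paths, stack = {}, [(root, [root])]
    while stack:
        node, path = stack.pop()
        if node not in paths:
            paths[node] = path
            stack.extend((dep, path + [dep]) for dep in graph.get(node, []))
    return paths

def gate(graph, root, packages, elections, policy: dict = POLICY) -> dict:
    """Evaluate every transitive dependency; return the PR gate decision log.
    'unknown' fails closed (treated as block): this example's choice."""
    log = {"policy_hash": policy_hash(policy), "decision": "pass", "findings": []}
    for name, path in walk(graph, root).items():
        if name == root:
            continue
        expr, mismatch = reconcile(*packages[name])
        tier = evaluate(expr, elections.get(name), policy)
        if tier != "allow" or mismatch:
            log["findings"].append({"package": name, "expression": expr, "tier": tier,
                                    "mismatch": mismatch, "depth": len(path) - 1,
                                    "path": " -> ".join(path)})
        if tier in ("block", "unknown"):
            log["decision"] = "block"
        elif tier == "warn" and log["decision"] == "pass":
            log["decision"] = "warn"
    return log

# Constructed sample: a 7-deep chain hiding an AGPL package whose metadata says
# MIT, a dual-licensed package with a recorded election, and one without.
GRAPH = {"my-service": ["web-fw", "fast-json", "colour-lib"], "web-fw": ["router"],
         "router": ["matcher"], "matcher": ["glob"], "glob": ["fs-utils"],
         "fs-utils": ["stream-x"], "stream-x": ["db-conn"]}
PACKAGES = {  # name -> (metadata licence field, LICENSE file text or None)
    "web-fw": ("MIT", "Permission is hereby granted, free of charge, to any person"),
    "router": ("MIT", None), "matcher": ("ISC", None), "glob": ("ISC", None),
    "fs-utils": ("Apache-2.0", "Apache License\nVersion 2.0, January 2004"),
    "stream-x": ("BSD-3-Clause", None),
    "db-conn": ("MIT", "GNU AFFERO GENERAL PUBLIC LICENSE\nVersion 3, 19 November 2007"),
    "fast-json": ("MIT OR GPL-3.0-only", "Permission is hereby granted, free of charge"),
    "colour-lib": ("MIT OR GPL-3.0-only", None),
}
ELECTIONS = {"fast-json": "MIT"}  # colour-lib: no election, conservative reading

if __name__ == "__main__":
    print(json.dumps(gate(GRAPH, "my-service", PACKAGES, ELECTIONS), indent=2))
```

Running it blocks the PR with two findings: db-conn, whose package.json claims MIT but whose LICENSE text is AGPL-3.0-only, surfaced at depth 7 with the full path that led there, and colour-lib, whose "MIT OR GPL-3.0-only" has no recorded election and so is read as GPL. fast-json carries the same expression but passes, because its election is on file. The policy hash in the log is what the audit packet would later pair with the signed decision.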
Pair with SCA for the dependency graph, SBOM Studio to emit the release artefacts, and M&A diligence for the acquirer playbook.
Connect one repo and we'll return a full SPDX inventory plus a copyleft heatmap within the hour.