Platform / SBOM & License Compliance

SBOM & License Compliance

From dependency graph to NOTICE file — supply-chain transparency your auditors can use.

The problem

What this replaces

Customers and regulators now ask for SBOMs; legal asks which copyleft licenses shipped; engineering has neither in one place — and license risk surfaces during due diligence, at the worst possible time.

The solution

What Offload does

SBOM generation and ingestion in the standard formats, six-family license classification with a policy engine, generated attribution files, and license violations minted directly into the enterprise risk register.

Capabilities

What you get

  • SBOM generation via Syft: CycloneDX JSON (repos), SPDX and syft-json (containers)
  • SBOM upload & analysis: CycloneDX (JSON/XML) and SPDX with format auto-detection
  • Six-family license classification — permissive through network-copyleft and commercial-restrictive
  • Deny/warn/allow license policy engine with a deterministic, versioned release gate
  • Generated NOTICE/attribution files — a legal-compliance deliverable, not just a report
  • Per-package health, license, and CVE intelligence enrichment
  • License violations minted into the enterprise risk register with ownership
Under the hood

How it works

Every repository or image scan can produce an SBOM; uploaded SBOMs from any tool are normalized into the same model. Components are classified against the license policy, unknown licenses are enriched (consent-gated), and the result is a pass/review/fail gate decision with the blocking rules recorded.

Attribution obligations are generated as NOTICE files directly from the dependency graph — the artifact legal actually needs at release time.

One platform, one risk view

SBOM findings join unified vulnerability management; license and supply-chain violations land in the risk register and compliance evidence — connected to the repositories and images they came from.

See SBOM & License Compliance on your own data.