SBOM & License Compliance
From dependency graph to NOTICE file — supply-chain transparency your auditors can use.
What this replaces
Customers and regulators now ask for SBOMs; legal asks which copyleft licenses shipped; engineering has neither in one place — and license risk surfaces during due diligence, at the worst possible time.
What Offload does
SBOM generation and ingestion in the standard formats, six-family license classification with a policy engine, generated attribution files, and license violations minted directly into the enterprise risk register.
What you get
- SBOM generation via Syft: CycloneDX JSON (repos), SPDX and syft-json (containers)
- SBOM upload & analysis: CycloneDX (JSON/XML) and SPDX with format auto-detection
- Six-family license classification — permissive through network-copyleft and commercial-restrictive
- Deny/warn/allow license policy engine with a deterministic, versioned release gate
- Generated NOTICE/attribution files — a legal-compliance deliverable, not just a report
- Per-package health, license, and CVE intelligence enrichment
- License violations minted into the enterprise risk register with ownership
How it works
Every repository or image scan can produce an SBOM; uploaded SBOMs from any tool are normalized into the same model. Components are classified against the license policy, unknown licenses are enriched (consent-gated), and the result is a pass/review/fail gate decision with the blocking rules recorded.
Attribution obligations are generated as NOTICE files directly from the dependency graph — the artifact legal actually needs at release time.
One platform, one risk view
SBOM findings join unified vulnerability management; license and supply-chain violations land in the risk register and compliance evidence — connected to the repositories and images they came from.