License policies & attestation

Govern the licenses in your supply chain and verify component integrity through attestation.

Vulnerabilities aren’t the only supply-chain risk — the licenses your components carry have legal and compliance implications, and you need confidence that a component is genuinely what it claims to be. License policy and attestation cover both.

Licenses on every component

Each component records the license it’s distributed under, captured as a standard SPDX license identifier. With licenses recorded across the whole inventory, you get a license breakdown — a clear picture of what your software is governed by, from permissive licenses to copyleft ones that carry obligations.

License policy

A license policy defines which licenses are acceptable for your product and which aren’t. Against that policy, the platform highlights components whose licenses fall outside what you allow — so a license that would create an obligation or conflict you can’t accept is surfaced as an issue rather than discovered late. License compliance can then be reported alongside the rest of your evidence.
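As an added illustration of the policy check described above (this is example code written for this page, not the platform's own implementation), the following script evaluates a small constructed inventory against an allow/deny policy of SPDX identifiers. It assumes CycloneDX-style component records in which each license entry carries either an SPDX `id` or a parenthesis-free SPDX `expression`; the component names, versions and the policy sets are constructed sample data.

```python
"""License policy evaluation over an SBOM component list (added example).

Assumed record shape (not taken from the page): each component has a
"licenses" list whose entries hold an SPDX "id" or an SPDX "expression".
Expressions with parentheses are out of scope; a "WITH" exception clause is
treated as part of a single identifier.
"""
import re

# Constructed sample inventory carrying SPDX license identifiers.
SAMPLE_COMPONENTS = [
    {"name": "requests", "version": "2.31.0", "licenses": [{"id": "Apache-2.0"}]},
    {"name": "gnutls", "version": "3.8.3", "licenses": [{"id": "LGPL-2.1-or-later"}]},
    {"name": "readline", "version": "8.2", "licenses": [{"id": "GPL-3.0-or-later"}]},
    {"name": "dual-lib", "version": "1.0.0", "licenses": [{"expression": "MIT OR GPL-2.0-only"}]},
    {"name": "mystery", "version": "0.1.0", "licenses": []},
]

# Constructed policy: permissive and weak-copyleft allowed, strong copyleft denied.
# Anything in neither set is "unknown" and must be reviewed by a person.
POLICY = {
    "allow": {"MIT", "BSD-3-Clause", "Apache-2.0", "LGPL-2.1-or-later"},
    "deny": {"GPL-2.0-only", "GPL-3.0-or-later"},
}

_OPERATOR = re.compile(r"\s+(?:OR|AND)\s+")


def license_verdict(license_id, policy):
    """Classify one SPDX identifier as 'allowed', 'denied' or 'unknown'."""
    if license_id in policy["deny"]:
        return "denied"
    if license_id in policy["allow"]:
        return "allowed"
    return "unknown"


def expression_verdict(expr, policy):
    """Evaluate a parenthesis-free SPDX expression against the policy.

    OR means the consumer may pick any one option, so the expression is
    allowed if any disjunct is allowed. AND means every conjunct applies,
    so a disjunct is allowed only if all of its conjuncts are.
    """
    verdicts = []
    for disjunct in re.split(r"\s+OR\s+", expr.strip()):
        conjuncts = [c.strip() for c in re.split(r"\s+AND\s+", disjunct)]
        results = {license_verdict(c, policy) for c in conjuncts}
        if results == {"allowed"}:
            return "allowed"
        verdicts.append("denied" if "denied" in results else "unknown")
    # No acceptable option: an unknown option still deserves review before
    # the component is rejected outright.
    return "unknown" if "unknown" in verdicts else "denied"


def expression_ids(expr):
    """Return the individual SPDX identifiers inside an expression."""
    return [t.strip("() ") for t in _OPERATOR.split(expr.strip()) if t.strip("() ")]


def license_breakdown(components):
    """Count SPDX identifiers across the inventory (the 'license breakdown')."""
    counts = {}
    for comp in components:
        for lic in comp.get("licenses") or []:
            for lid in expression_ids(lic.get("expression") or lic.get("id")):
                counts[lid] = counts.get(lid, 0) + 1
    return counts


def evaluate_components(components, policy):
    """Surface every component whose license is denied, unknown or missing."""
    issues = []
    for comp in components:
        if not comp.get("licenses"):
            # A component with no recorded license is a gap in the record itself.
            issues.append({"component": comp["name"], "license": None, "verdict": "unknown"})
            continue
        for lic in comp["licenses"]:
            expr = lic.get("expression") or lic.get("id")
            verdict = expression_verdict(expr, policy)
            if verdict != "allowed":
                issues.append({"component": comp["name"], "license": expr, "verdict": verdict})
    return issues


if __name__ == "__main__":
    for lid, n in sorted(license_breakdown(SAMPLE_COMPONENTS).items()):
        print(f"{lid:22} {n}")
    for issue in evaluate_components(SAMPLE_COMPONENTS, POLICY):
        print(issue)
```

Treating a component with no recorded license as an issue, rather than silently skipping it, is the point of running the check over the whole inventory: a gap in the record is itself a finding.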

Attestation and integrity

Knowing what a component is requires confidence it hasn’t been tampered with or substituted. Attestation uses the integrity information in the SBOM — such as component hashes — to verify that the component in your build matches the one declared. This is the difference between an inventory you hope is accurate and one you can stand behind: integrity is checked, not assumed.
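To make the integrity check concrete, here is an added example (written for this page, not the platform's code) that verifies build artifacts against the hashes an SBOM declares. It assumes CycloneDX-style `hashes` entries of the form `{"alg": "SHA-256", "content": "<hex>"}` and a mapping from component to artifact bytes; the artifact contents, component names and the "quietly modified" wheel are all constructed so the mismatch case is exercised.

```python
"""Component integrity check against SBOM-declared hashes (added example).

Assumptions not taken from the page: components carry an "artifact" key naming
the file in the build and a CycloneDX-style "hashes" list. Declared hashes for
the constructed sample are computed from the pristine bytes so the example
runs offline; in practice they come from the SBOM as shipped.
"""
import hashlib
import hmac

# CycloneDX algorithm names mapped to hashlib names; weak ones are refused.
ALG_MAP = {"SHA-256": "sha256", "SHA-384": "sha384", "SHA-512": "sha512"}
WEAK_ALGS = {"MD5", "SHA-1"}

# Constructed artifact bytes standing in for the files present in the build.
# The "bar" wheel has been altered after its hash was declared.
BUILD_ARTIFACTS = {
    "libfoo-1.2.0.tar.gz": b"libfoo release 1.2.0 contents",
    "bar-0.9.1.whl": b"bar wheel bytes, quietly modified",
}


def _sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Constructed SBOM fragment. "baz" is declared but absent from the build.
SBOM_COMPONENTS = [
    {"name": "libfoo", "version": "1.2.0", "artifact": "libfoo-1.2.0.tar.gz",
     "hashes": [{"alg": "SHA-256", "content": _sha256_hex(b"libfoo release 1.2.0 contents")}]},
    {"name": "bar", "version": "0.9.1", "artifact": "bar-0.9.1.whl",
     "hashes": [{"alg": "SHA-256", "content": _sha256_hex(b"bar wheel bytes")}]},
    {"name": "baz", "version": "2.0.0", "artifact": "baz-2.0.0.jar", "hashes": []},
]


def verify_component(component, artifacts):
    """Return (status, detail) for one component.

    Statuses: 'verified', 'mismatch', 'missing' (artifact not in the build)
    and 'unverifiable' (no usable hash declared, so integrity is assumed).
    """
    data = artifacts.get(component["artifact"])
    if data is None:
        return "missing", "artifact not present in build"
    if not component.get("hashes"):
        return "unverifiable", "SBOM declares no hash; integrity assumed, not checked"
    for h in component["hashes"]:
        alg = h["alg"]
        if alg in WEAK_ALGS or alg not in ALG_MAP:
            return "unverifiable", f"unsupported or weak algorithm {alg}"
        actual = hashlib.new(ALG_MAP[alg], data).hexdigest()
        # Constant-time comparison; also normalises the declared hex casing.
        if not hmac.compare_digest(actual, h["content"].strip().lower()):
            return "mismatch", f"{alg} declared {h['content'][:12]}... actual {actual[:12]}..."
    return "verified", "all declared hashes match"


def attest_build(components, artifacts):
    """Verify every component; return (report, passed).

    The build passes only when every component is 'verified': an unverifiable
    or missing component is treated as a failure rather than waved through.
    """
    report = {c["name"]: verify_component(c, artifacts) for c in components}
    passed = all(status == "verified" for status, _ in report.values())
    return report, passed


if __name__ == "__main__":
    report, passed = attest_build(SBOM_COMPONENTS, BUILD_ARTIFACTS)
    for name, (status, detail) in report.items():
        print(f"{name:8} {status:12} {detail}")
    print("attestation", "PASS" if passed else "FAIL")
```

A check like this is only as strong as the declared hashes themselves: it detects substitution or tampering of the artifact relative to the SBOM, so the SBOM must come from a source you trust (for example, one whose authenticity is established separately) for the result to mean anything.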

Part of your compliance posture

License compliance and component integrity feed the same evidence story as everything else. They roll up into the SBOM views and into the reports that compile supply-chain compliance for a submission, so governing your supply chain is part of the connected record rather than a separate spreadsheet.
