Generate an SBOM for your project that includes SPDX license expression fields for all components
Define a license policy that lists allowed, restricted, and forbidden license identifiers for your organization and use case
Run a license compliance tool (e.g., ORT, licensee, or a custom Rego policy) that evaluates each component's license against the policy
Flag any component whose license is forbidden, unknown, or unparseable and fail closed: block the build or generate a violation report (an expression the tool cannot parse must never pass silently)
For restricted licenses, require a manual exception approval before allowing the dependency, and record the approval against the exact package and version so the check recognises it on later runs and a version bump re-triggers review
Review and update the license policy at least annually as license categories or organizational requirements change
Known gotchas
SPDX license expressions can be compound (e.g., Apache-2.0 OR MIT, or GPL-2.0-only WITH Classpath-exception-2.0); OR lets the consumer choose either license while AND imposes both, and parentheses nest, so policy tools must parse and evaluate the full expression rather than treating it as a single token
Many packages declare licenses in multiple places (package manifest, SPDX field, license file) and they may disagree; the SBOM-recorded value may not reflect the authoritative license if the SBOM generator made a poor inference, so where the SBOM carries both a concluded and a declared license (SPDX records them as separate fields) compare the two and treat a disagreement as a review item
Copyleft obligations for libraries differ depending on how the library is linked (static vs dynamic) and the intended distribution model; neither is recorded in an SBOM, so automated tools cannot determine link type from it and may produce incorrect compliance signals in either direction
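The evaluator below is an added example, not the page's own tooling and not ORT or licensee, that carries the steps above through in one place: it parses full SPDX expressions with OR, AND, WITH and parentheses (the compound-expression gotcha), classifies each package of a constructed SPDX 2.3 JSON document against illustrative allowed/restricted/forbidden sets, fails closed on unknown and unparseable licenses, lets a recorded exception clear a restricted package, and evaluates both licenseConcluded and licenseDeclared, keeping the stricter verdict so a generator inference that disagrees with the package's own declaration is surfaced (the disagreeing-sources gotcha). The policy contents, the sample packages, the approval list and all function names are assumptions made for this example.

```python
import re
from enum import IntEnum
class Verdict(IntEnum):  # ordered best to worst: OR folds with min(), AND with max()
    ALLOWED = 0
    RESTRICTED = 1  # passes only with a recorded manual exception
    UNKNOWN = 2     # not in policy, unparseable, or NOASSERTION: blocks like FORBIDDEN
    FORBIDDEN = 3

# Illustrative policy sets: an assumption for this example, not a recommendation.
POLICY = {
    "allowed": {"MIT", "Apache-2.0", "BSD-3-Clause", "ISC", "GPL-2.0-only WITH Classpath-exception-2.0"},
    "restricted": {"LGPL-2.1-only", "LGPL-2.1-or-later", "MPL-2.0"},
    "forbidden": {"GPL-2.0-only", "GPL-3.0-only", "GPL-3.0-or-later", "AGPL-3.0-only"},
}
_OPS = ("AND", "OR", "WITH")
_TOKEN_RE = re.compile(r"\(|\)|[^\s()]+")
_NO_LICENSE = {None, "", "NOASSERTION", "NONE"}  # SPDX placeholders that carry no license

def classify_id(license_id, policy):
    """Map one SPDX id (or an 'id WITH exception' string) to a Verdict, strictest category first."""
    for category in ("forbidden", "restricted", "allowed"):
        if license_id in policy[category]:
            return Verdict[category.upper()]
    return Verdict.UNKNOWN

def parse_expression(expression):
    """Parse an SPDX expression into a tuple tree; precedence is OR < AND < WITH, parentheses group."""
    toks = _TOKEN_RE.findall(expression)
    def head():  # next token upper-cased, so operators match case-insensitively
        return toks[0].upper() if toks else None
    def binary(op, operand):
        node = operand()
        while head() == op:
            toks.pop(0)
            node = (op, node, operand())
        return node
    def primary():
        if head() == "(":
            toks.pop(0)
            node = expr()
            if not toks or toks.pop(0) != ")":
                raise ValueError("unbalanced parenthesis")
            return node
        if head() in (None, ")", *_OPS):
            raise ValueError(f"expected a license id, got {head()!r}")
        node = ("ID", toks.pop(0))
        if head() == "WITH":  # an exception clause binds tightest and only to a bare id
            toks.pop(0)
            if head() in (None, "(", ")", *_OPS):
                raise ValueError("WITH needs an exception id")
            node = ("WITH", node, toks.pop(0))
        return node
    def expr():
        return binary("OR", lambda: binary("AND", primary))
    tree = expr()
    if toks:
        raise ValueError(f"trailing token {toks[0]!r}")
    return tree

def evaluate(node, policy):
    """Fold the tree: OR keeps the most permissive branch, AND the strictest one."""
    kind = node[0]
    if kind == "ID":
        return classify_id(node[1], policy)
    if kind == "WITH":  # an exact 'id WITH exception' policy entry wins; otherwise judge by the base id
        full = f"{node[1][1]} WITH {node[2]}"
        return classify_id(full if any(full in ids for ids in policy.values()) else node[1][1], policy)
    left, right = evaluate(node[1], policy), evaluate(node[2], policy)
    return min(left, right) if kind == "OR" else max(left, right)

def check_sbom(sbom, policy, approved_exceptions=frozenset()):
    """Return (name@version, verdict, detail) for each SPDX package that is not cleanly allowed."""
    findings = []
    for pkg in sbom.get("packages", []):
        key = f"{pkg['name']}@{pkg.get('versionInfo', '')}"
        exprs = [pkg[f] for f in ("licenseConcluded", "licenseDeclared") if pkg.get(f) not in _NO_LICENSE]
        try:
            verdicts = [evaluate(parse_expression(e), policy) for e in exprs]
            verdict = max(verdicts) if verdicts else Verdict.UNKNOWN  # stricter of concluded/declared wins
            detail = " / ".join(exprs) or "no license expression (NOASSERTION or missing)"
        except ValueError as err:  # a malformed expression is a finding, never a silent pass
            verdict, detail = Verdict.UNKNOWN, f"unparseable expression: {err}"
        if verdict != Verdict.ALLOWED and not (verdict == Verdict.RESTRICTED and key in approved_exceptions):
            findings.append((key, verdict.name, detail))
    return findings

# Constructed sample SBOM in SPDX 2.3 JSON shape, not generated from a real project.
SAMPLE_SBOM = {"spdxVersion": "SPDX-2.3", "packages": [
    {"name": "leftpad", "versionInfo": "1.0.0", "licenseConcluded": "Apache-2.0 OR MIT"},
    {"name": "gnu-thing", "versionInfo": "2.0.0", "licenseConcluded": "GPL-3.0-only"},
    {"name": "mystery", "versionInfo": "0.1", "licenseConcluded": "NOASSERTION"},
    {"name": "lgpl-lib", "versionInfo": "1.2", "licenseConcluded": "LGPL-2.1-or-later"},
    {"name": "combo", "versionInfo": "3.0", "licenseConcluded": "(MIT AND GPL-3.0-only) OR MPL-2.0"},
    {"name": "mislabeled", "versionInfo": "4.1", "licenseConcluded": "MIT", "licenseDeclared": "AGPL-3.0-only"},
]}
APPROVED_EXCEPTIONS = frozenset({"lgpl-lib@1.2"})  # packages cleared through the manual exception step
if __name__ == "__main__":
    for key, verdict, detail in check_sbom(SAMPLE_SBOM, POLICY, APPROVED_EXCEPTIONS):
        print(f"{verdict:<10} {key}: {detail}")
```

Running the file prints one line per finding: gnu-thing is forbidden outright, mystery is unknown because its SBOM entry carries NOASSERTION, combo is restricted because the OR lets the consumer pick MPL-2.0 over the forbidden AND branch, and mislabeled is forbidden because its declared AGPL-3.0-only outranks the concluded MIT. lgpl-lib is silent only because its exact name@version is in APPROVED_EXCEPTIONS; bumping the version brings it back as a RESTRICTED finding for fresh review.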