Choose an SPDX-capable tool for your ecosystem (e.g., syft with spdx output, spdx-tools, or a native language plugin)
Run the tool to produce an SPDX document in tag-value or JSON format
Ensure each package entry includes a PackageLicenseConcluded and PackageLicenseDeclared field using valid SPDX license identifiers
Verify that DESCRIBES and CONTAINS relationship blocks link the top-level document to every included package (DESCRIBES from the document to the packages it describes, CONTAINS from those packages to what they bundle), so no package is left unreferenced
Validate the document with the SPDX online validator or the spdx-tools validate command
Store the document with a consistent naming convention tied to the artifact version
Known gotchas
License expressions must use SPDX identifier strings exactly; free-text license names will fail validation and break downstream tooling
NOASSERTION (the author made no determination) and NONE (no license was found) are valid but semantically different values for license fields; using them interchangeably will mislead compliance reviewers
Relationship blocks can be silently dropped by some tools when packages have no detected dependencies; audit the relationship count against expected package count
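As an added audit for steps 3 and 4 and for the gotchas above (example code written here, not from the original page or from any SPDX tool), this Python script reads an SPDX 2.3 JSON document (tag-value is not handled), rejects free-text license fields, flags a concluded NONE under a concretely declared license, walks DESCRIBES/CONTAINS edges from the document to find packages nothing links to, and compares relationship count to package count. KNOWN is a constructed subset of the SPDX license list and SAMPLE_DOC is a constructed fragment.

```python
import json
import re

# Constructed subset of the SPDX license list; a real audit loads the full list.
KNOWN = {"MIT", "Apache-2.0", "BSD-3-Clause", "GPL-2.0-only", "GPL-3.0-or-later"}

def license_expression_ok(expr):
    """Every operand must be an SPDX id, a LicenseRef-, NOASSERTION or NONE."""
    tokens = re.findall(r"[A-Za-z0-9.+\-]+", expr or "")  # parentheses dropped
    return bool(tokens) and all(
        t in KNOWN or t in ("AND", "OR", "WITH", "NOASSERTION", "NONE")
        or t.startswith("LicenseRef-") for t in tokens)

def audit_spdx(doc):
    """Return findings for the gotchas above; an empty list means clean."""
    findings, packages = [], doc.get("packages", [])
    for p in packages:
        for field in ("licenseConcluded", "licenseDeclared"):
            if field not in p:
                findings.append(f"{p['SPDXID']}: missing {field}")
            elif not license_expression_ok(p[field]):
                findings.append(f"{p['SPDXID']}: {field} is free text, not an SPDX expression")
        # NONE = "no license found", NOASSERTION = "not evaluated"; NONE concluded under a concrete declared license means the two were confused.
        if p.get("licenseConcluded") == "NONE" and p.get("licenseDeclared") not in (None, "NONE", "NOASSERTION"):
            findings.append(f"{p['SPDXID']}: licenseConcluded NONE contradicts licenseDeclared")
    # Follow DESCRIBES/CONTAINS edges from the document root; every package must be reached.
    edges = {}
    for r in doc.get("relationships", []):
        if r["relationshipType"] in ("DESCRIBES", "CONTAINS"):
            edges.setdefault(r["spdxElementId"], []).append(r["relatedSpdxElement"])
    reachable, stack = set(), [doc["SPDXID"]]
    while stack:
        for child in edges.get(stack.pop(), []):
            if child not in reachable:
                reachable.add(child)
                stack.append(child)
    findings += [f"{p['SPDXID']}: not reached by DESCRIBES/CONTAINS" for p in packages
                 if p["SPDXID"] not in reachable]
    if len(doc.get("relationships", [])) < len(packages):
        findings.append("fewer relationships than packages: some were probably dropped")
    return findings

# Constructed SPDX 2.3 JSON fragment: one clean package, two faulty ones.
SAMPLE_DOC = json.loads("""{"SPDXID": "SPDXRef-DOCUMENT", "spdxVersion": "SPDX-2.3", "packages": [
  {"SPDXID": "SPDXRef-app", "name": "app", "licenseConcluded": "MIT", "licenseDeclared": "MIT"},
  {"SPDXID": "SPDXRef-libfoo", "name": "libfoo", "licenseConcluded": "Apache License 2.0", "licenseDeclared": "Apache-2.0"},
  {"SPDXID": "SPDXRef-libbar", "name": "libbar", "licenseConcluded": "NONE", "licenseDeclared": "BSD-3-Clause"}],
 "relationships": [{"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES", "relatedSpdxElement": "SPDXRef-app"},
  {"spdxElementId": "SPDXRef-app", "relationshipType": "CONTAINS", "relatedSpdxElement": "SPDXRef-libfoo"}]}""")
```

Calling audit_spdx(SAMPLE_DOC) reports four findings: the free-text license on libfoo, the NONE/declared mismatch on libbar, libbar being unreachable from the document, and the relationship count falling short of the package count.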