The SPDX group encourages the development of tools that meet the spec and help users and producers of SPDX documents.

Some of these are developed under the auspices of the workgroup, but we encourage others in the the community as well as commercial vendors.

The SPDX group does not endorse (or, at this time, have a certification program for specification compliance) but to encourage the use and product of tooling, we list all the tools here that we are aware of that claim to meet the SPDX spec.

If you have a tool that should be listed, please contact the SPDX Business Team.

For instructions on using the SPDX Workgroup tools below, please read the SPDX Tools Documentation (downloadable from the attachements below).

Commercially Available Tools

Protecode is an innovative provider of software compliance and vulnerability management systems, and an active member of the Linux Foundation’s Software Package Data Exchange (SPDX) group..
The Source Auditor Scanning Tool scans source code for open source code snippet matches, license matches, and copyright text matches.
A free service that generates an SPDX file from your uploaded software package.
A comprehensive, automated approach to open source governance and compliance, helping organizations maximize the benefits of open source.

Community-Maintained Tools

TripleCheck Reporter

Straight-forward free tool to create SPDX reports right from your desktop.


The Yocto+SPDX project is built to integrated SPDX generation into the Yocto build process.


The FOSSology+SPDX project is built using the FOSSology project. The goals are integrating the FOSSology output with the SPDX standard. Existing modules include creating an SPDX file in TAG format, licenses/copyrights information in NOTICE format. The project and was created and is hosted at the University of Nebraska at Omaha. FOSSology+SPDX is licensed under Apache License 2.0 (Apache-2.0).

SPDX Workgroup Tools


OSIT allows developers to scan, self-verify their source code and report during development.


AIRS helps supply chain partners share data regarding identification of open source components in software packages.

Consolidated SPDX Tools and Library

SPDX workgroup tools to support SPDX 2.0 (consolidates all tool functionality into a single download).